Cross-Domain Requests

Accela API supports Cross-Origin Resource Sharing (CORS) requests, which allow cross-domain communication between a browser and the server. When the originating site sends a request to the Accela API server from a browser that supports CORS, the browser appends the Origin HTTP request header before sending the request. In response to the cross-domain request, the Accela API returns Access-Control HTTP headers to the originating site.

A typical use case is a web site that is restricted by the same-origin policy of the web application security model and enables CORS to securely access data returned by the Accela API on https://apis.accela.com. For example, if an agency web application is bound by a security policy that limits its access to its own domain and needs to call the Accela API on the Accela-hosted server, the agency web application can enable CORS support on its client server before making Accela API calls. If a sample originating site is http://www.myAgencySite.com, the browser adds the following request header:

Origin: http://www.myAgencySite.com

The server checks the validity of the origin site. If the origin is valid, the server sends the Access-Control-Allow-Origin HTTP response header with the Origin value (or “*” for a public resource). Accela API returns the following Access-Control HTTP response headers:

| HTTP Response Header | Description |
| --- | --- |
| Access-Control-Allow-Origin | Returns the origin site if allowed (for example, http://www.clientSite.com); otherwise returns null. If the resource is available to the public, “*” is returned. |
| Access-Control-Allow-Credentials | Returns true, indicating that the actual request can include user credentials. |
| Access-Control-Expose-Headers | Returns the header names that can be exposed, such as x-accela-traceId. |

See the W3C CORS specifications for more details about cross-origin requests and CORS response headers.
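
How a browser evaluates the three response headers described above, as an added example that is not part of the Accela documentation. The function name corsCheck and all header values in its usage are hypothetical and constructed; the rules modelled are the standard CORS ones (a credentialed request is not satisfied by “*”, and only safelisted or exposed headers are readable by scripts).

```javascript
// Added example: models the browser-side CORS check on one response.
// corsCheck is a hypothetical helper, not an Accela or browser API.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    out[k.toLowerCase()] = String(v).trim();
  }
  return out;
}

// Returns { allowed, reason, readableHeaders } for one response.
function corsCheck(requestOrigin, responseHeaders, withCredentials = false) {
  const h = normalize(responseHeaders);
  const acao = h["access-control-allow-origin"];
  const deny = (reason) => ({ allowed: false, reason, readableHeaders: [] });

  if (acao === undefined) return deny("no Access-Control-Allow-Origin header");
  if (withCredentials) {
    // Credentialed requests need the exact origin echoed back plus
    // Access-Control-Allow-Credentials: true; "*" is not accepted.
    if (acao === "*") return deny("wildcard origin with credentials");
    if (acao !== requestOrigin) return deny("origin mismatch");
    if (h["access-control-allow-credentials"] !== "true") {
      return deny("credentials not allowed");
    }
  } else if (acao !== "*" && acao !== requestOrigin) {
    // Covers the "null" value returned for an origin that is not allowed.
    return deny("origin mismatch");
  }

  // Scripts can read safelisted headers plus those named in
  // Access-Control-Expose-Headers (its "*" form is not modelled here).
  const exposed = (h["access-control-expose-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  const visible = new Set([...SAFELISTED, ...exposed]);
  const readableHeaders = Object.keys(h).filter((n) => visible.has(n)).sort();
  return { allowed: true, reason: "ok", readableHeaders };
}
```

When debugging a failed cross-domain call, compare the `reason` value with the browser console's CORS error to see which of the three headers is missing or mismatched.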