Issue triggering a webhook to an API with CORS policy: Access-Control-Allow-Origin = *

Hi there,

I’m trying to create a smart action that will send emails out to users. The email API, which is not under my control, has Access-Control-Allow-Origin set to *.
Given that Forest is including the credentials in the request, it fails.

Is there any workaround I can do in order to not include the credentials in the webhook requests?

Thanks in adv.

Hi @dsanesteban, and welcome to our community :wave:,

I’m not sure I totally follow the issue here, but I may have missed something.
You are creating a smart action on your admin backend, then use an email API to send the email?
Does the email API contact you back once emails are sent?

In any case, you should have control over the CORS middleware in your app.js. You should also be able to remove or edit any headers in your smart action code that can cause issues with CORS configuration.

Let me know if that helps or if you have any further information about your issue :pray:

Hi @jeffladiray and thanks for your quick response.

Yes, I’m creating a smart action on the Admin backend, which will trigger an email, using a 3rd party service. This is the smart action implementation:

const subscriberIds =;
      webhook: {
        url: ...,
        method: 'POST',
        headers: {
          'Authorization': `Bearer ${authToken}`,
        },
        body: {
          'SubscriberIds': subscriberIds
        }
      }

I don’t have control over the 3rd party service, but I do know that it has a CORS policy like:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

This causes an error “CORS No Allow Credentials” as the forest admin is including credentials in all requests (app.js).
How can I solve this issue?

Thanks again

Hey @dsanesteban,

In your case, I would suggest using something like node-fetch or axios to trigger the request directly from your backend instead of relying on a webhook triggered by the forestadmin frontend.

Usually, email providers also provide a JavaScript integration that should also ease the process of sending emails from a backend (e.g. Mailchimp, Sendgrid, …)

Your email API will most likely need some credentials to trigger the email sending process, and I think it would be better (security-wise) to not spread these credentials.

Let me know if that helps :pray:

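The backend-side call suggested above, sketched as an added example that is not code from this thread or from Forest Admin: the server posts to the email API itself, so no browser CORS check is involved and the bearer token is never returned to the admin UI. The environment variable names, the `req.body.data.attributes.ids` request shape, the `success`/`error` response keys and the injected `fetchImpl` are assumptions.

```javascript
// Added example: call the email API from the backend instead of returning a
// `webhook` block for the browser to execute.
// EMAIL_API_URL, EMAIL_API_TOKEN and the route wiring are assumptions.

// Build the outgoing request; kept pure so it can be checked without network.
function buildEmailRequest(subscriberIds, env = process.env) {
  if (!env.EMAIL_API_URL || !env.EMAIL_API_TOKEN) {
    throw new Error('EMAIL_API_URL and EMAIL_API_TOKEN must be set');
  }
  if (!Array.isArray(subscriberIds) || subscriberIds.length === 0) {
    throw new TypeError('subscriberIds must be a non-empty array');
  }
  return {
    url: env.EMAIL_API_URL,
    options: {
      method: 'POST',
      headers: {
        'Authorization': `Bearer ${env.EMAIL_API_TOKEN}`,
        'Content-Type': 'application/json',
      },
      body: JSON.stringify({ SubscriberIds: subscriberIds }),
    },
  };
}

// Express-style handler for the smart action route. The response to the
// browser carries only a status message: no webhook block, no token.
// fetchImpl defaults to the Node 18+ global fetch; node-fetch also fits here.
function makeSendEmailAction(env = process.env, fetchImpl = globalThis.fetch) {
  return async function sendEmailAction(req, res) {
    try {
      // Assumed request shape: selected record ids in data.attributes.ids.
      const ids = req.body?.data?.attributes?.ids;
      const { url, options } = buildEmailRequest(ids, env);
      const apiRes = await fetchImpl(url, options);
      if (!apiRes.ok) throw new Error(`email API returned ${apiRes.status}`);
      return res.send({ success: `Email queued for ${ids.length} subscriber(s)` });
    } catch (err) {
      // Log server-side only; do not echo upstream details to the client.
      console.error('send-email action failed:', err.message);
      return res.status(400).send({ error: 'Could not send the email' });
    }
  };
}
```

Mount the handler with something like `router.post('/actions/send-email', makeSendEmailAction())` (route path hypothetical), behind whatever authentication middleware the admin backend already applies to smart action routes.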

Thanks for your answer. Yeah, that makes sense to me.