How to resolve CORS issues with app APIs from an app embed?

Topic summary

Resolving CORS for a Shopify app embed calling custom backend REST APIs. In development, the app runs behind an ngrok tunnel, and the embed’s JavaScript requests to the app-hosted endpoints hit CORS restrictions. The APIs already serve the admin dashboard; the intent is to reuse them to provide data to the embed.

Questions raised:

  • How to avoid or correctly configure CORS for embed-to-app API calls (e.g., allowed origins, headers, proxying)?
  • Once published, where is the app hosted and what URL(s) will the embed use to reach the APIs?

No solutions or decisions yet; the thread remains open with unanswered configuration details.

Key terms: CORS (browser security policy controlling cross-origin requests) and ngrok (development tunneling service that exposes local servers via a public URL).

No images or code snippets are central to understanding the issue.

Summarized with AI on February 1. AI used: gpt-5.

On my app, my backend has custom REST APIs that are usable/used on the admin dashboard, but I also have made some that I want to use to deliver information to an app embed I am making. I need the app embed to be able to fetch the APIs that are hosted on my app. I have all the JavaScript code on the embed side already.

I understand that in dev mode the app is tunneled through ngrok, but this is causing me CORS issues.

  1. How can I get around this CORS issue?
  2. When the app is published, where is the app hosted (what URL, etc.)?
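
One way to handle the "allowed origins, headers" part of the question on the backend, as an added example that is not part of the original post or of any Shopify library. The function name `corsDecision`, the storefront origins and the header list are constructed assumptions; request header names are lower-cased, as Node.js delivers them in `req.headers`.

```javascript
// Added example: exact-match origin allowlist for CORS (all values constructed).
const ALLOWED_ORIGINS = new Set([
  "https://example-shop.myshopify.com", // constructed storefront origin
  "https://shop.example.com",           // constructed custom storefront domain
]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Returns { status, headers }. status is null when the request should go on
// to the normal API handler; 204/403 means "answer the preflight now".
function corsDecision(method, reqHeaders, allowlist = ALLOWED_ORIGINS) {
  const origin = reqHeaders["origin"];
  const headers = { Vary: "Origin" }; // caches must not reuse one origin's answer
  // No Origin header: same-origin or non-browser client, nothing to add.
  if (!origin) return { status: null, headers };
  // Exact string match only. Reflecting Origin back, or suffix/regex matching,
  // would let look-alike origins read the responses.
  if (!allowlist.has(origin)) {
    return { status: method === "OPTIONS" ? 403 : null, headers };
  }
  headers["Access-Control-Allow-Origin"] = origin;
  const wantMethod = reqHeaders["access-control-request-method"];
  if (method !== "OPTIONS" || !wantMethod) return { status: null, headers };

  // Preflight: check the method and headers the browser announces.
  const wantHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantMethod.toUpperCase()) &&
    wantHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) {
    delete headers["Access-Control-Allow-Origin"];
    return { status: 403, headers };
  }
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600"; // cache the preflight for 10 minutes
  return { status: 204, headers };
}
```

CORS headers only decide whether the browser lets the embed read a response; a request from an unlisted origin still reaches the handler, so the endpoints need their own authentication and authorization.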