API CORS Headers

Could you please update your API server configuration to include the following header in all responses?

Access-Control-Expose-Headers: vcuBalance, requestsLimit, requestsRemaining, requestsReset, tokensLimit, tokensRemaining, tokensReset

Implementation Details:

• Where: Add this at the API gateway or server level (e.g., Nginx, Apache, or your CORS middleware), where other CORS headers are set.

• Required Alongside: This needs to work with your existing CORS setup, such as:

  • Access-Control-Allow-Origin: * (or specific allowed origins)

  • Access-Control-Allow-Methods: GET, POST, OPTIONS (or as applicable)

  • Access-Control-Allow-Headers: Content-Type, Authorization (or as applicable)

• Why: Without this, browsers block access to these custom headers for security, even though they’re present in the response. Exposing them is a standard practice for rate-limited APIs (e.g., GitHub’s X-Rate-Limit-* headers).

Example Response After Change:

HTTP/1.1 200 OK Access-Control-Allow-Origin: * Access-Control-Expose-Headers: vcuBalance, requestsLimit, requestsRemaining, requestsReset, tokensLimit, tokensRemaining, tokensReset vcuBalance: xxxx requestsLimit: 500 requestsRemaining: 499 requestsReset: 1740562500000 tokensLimit: 1000000 tokensRemaining: 999999 tokensReset: 1740562500000

This change would let us read these headers via response.headers.get() in JavaScript, streamlining our request queuing and reducing infrastructure overhead.