Add access-control-allow-headers: "...Authorization"
I might be missing something, but... When retrieving data from the public API using the method described at , you first fetch an access_token, which then has to be passed in the Authorization header for the subsequent request. Since that is not a CORS-safelisted request-header, though, the browser first performs an OPTIONS request.
The response does include an "access-control-allow-headers" header, but this doesn't whitelist the Authorization header, upon which the browser blocks the actual request.
Thus, it'd be nice if that could be added, at least for the /orcid-bio/ request.
Thanks for your suggestion to improve the ORCID Registry.
ORCID does not offer a secure method to exchange credentials via the browser, which is why we limit its use. We therefore shall mark this idea as declined.
We would suggest instead that you exchange credentials in a server-to-server setting. You are welcome to join the ORCID API Users Group, a public listserv for all users of the ORCID API as well as members of our development and community teams, to discuss some ideas on how to do this (Node.js). Join us at https://groups.google.com/group/orcid-api-users
ORCID Community Team
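
The preflight behaviour described in the request above, as an added example that is not part of the original thread or ORCID's code: a simplified model of the check a browser applies to `access-control-allow-headers` before sending the real request. The function names and sample header values are constructed for illustration; value-length limits and forbidden headers from the Fetch standard are left out.

```javascript
// Added example: simplified model of the browser's CORS preflight header check.
// Header values below are constructed samples, not captured ORCID responses.

// Request headers a browser may send cross-origin without a preflight.
const SAFELISTED = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when this header forces an OPTIONS preflight.
function needsPreflight(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED.has(n)) return true;
  if (n === "content-type") {
    const mime = value.split(";")[0].trim().toLowerCase();
    return !SAFE_CONTENT_TYPES.has(mime);
  }
  return false;
}

// Returns the request headers that the preflight response does not permit.
function blockedHeaders(requestHeaders, allowHeadersValue, credentialed = false) {
  const allowed = new Set(
    (allowHeadersValue || "").split(",").map(h => h.trim().toLowerCase()).filter(Boolean)
  );
  // With credentials, "*" is treated as a literal header name, not a wildcard.
  const wildcard = allowed.has("*") && !credentialed;
  return Object.entries(requestHeaders)
    .filter(([name, value]) => needsPreflight(name, value))
    .map(([name]) => name.toLowerCase())
    .filter(name => {
      if (allowed.has(name)) return false;
      // "*" never covers Authorization; it must be listed by name.
      if (wildcard && name !== "authorization") return false;
      return true;
    });
}

// Constructed request: a bearer token sent from browser script.
const request = { Accept: "application/json", Authorization: "Bearer SAMPLE-TOKEN" };
console.log(blockedHeaders(request, "X-Requested-With, Content-Type")); // Authorization not listed
console.log(blockedHeaders(request, "*"));                              // wildcard does not help
console.log(blockedHeaders(request, "Content-Type, Authorization"));    // explicitly listed
```

A non-empty result means the browser blocks the actual request after the OPTIONS response, which is the failure reported above.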