Using the (private) API key in the frontend code (in the browser) is normally discouraged. The reason behind this is that your API key can easily be stolen, and then others can use the API at your cost. This is especially true if the web page you are embedding it into is publicly available on the internet. We suggest that you implement the API calls on your server side (using the API key there), and then your web page can communicate with your server without using the API key (your web page should probably be protected with authentication). This way nobody will know your API key but you (unless your server is hacked, which is much more difficult than extracting the API key from frontend code). This is why we don't include the Access-Control-Allow-Origin header in the response, but curl (and other non-browser-initiated API calls) should work. Let us know if you have further questions.
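
The server-side pattern described above, as an added example that is not part of the original reply: a minimal Python proxy that keeps the key on the server and attaches it only to forwarded calls. The upstream URL, the `X-Api-Key` header name, the `/v1/convert` path and the `API_KEY` and `SITE_TOKEN` environment variables are assumptions for illustration.

```python
import hmac, os
import urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

# Assumed values, not taken from the original page.
UPSTREAM = "https://api.example.com"     # placeholder for the real API host
API_KEY_HEADER = "X-Api-Key"             # assumed name of the key header
ALLOWED_PATHS = {"/v1/convert"}          # expose only what the web page needs

def build_upstream_request(method, path, body, session_ok, api_key):
    """Return a Request carrying the server-held key, or None if refused."""
    target = urlsplit(path).path         # client-supplied query string is dropped
    if not (session_ok and api_key) or method != "POST" or target not in ALLOWED_PATHS:
        return None
    req = urllib.request.Request(UPSTREAM + target, data=body, method="POST")
    req.add_header(API_KEY_HEADER, api_key)   # attached here, never sent to the browser
    req.add_header("Content-Type", "application/json")
    return req

class Proxy(BaseHTTPRequestHandler):
    def do_POST(self):
        # Hypothetical site authentication: a bearer token checked in constant time.
        expected = os.environ.get("SITE_TOKEN", "")
        given = self.headers.get("Authorization", "")
        ok = bool(expected) and hmac.compare_digest(
            given.encode(), ("Bearer " + expected).encode())
        size = min(int(self.headers.get("Content-Length", 0)), 65536)
        req = build_upstream_request("POST", self.path, self.rfile.read(size),
                                     ok, os.environ.get("API_KEY", ""))
        if req is None:
            self.send_error(403)
            return
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, data = resp.status, resp.read()
        except urllib.error.URLError:
            self.send_error(502)         # do not relay upstream error details
            return
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(data)

if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), Proxy).serve_forever()
```

The browser calls this proxy on the same origin, so no CORS header from the upstream API is needed and the key never appears in page source or network traces visible to the user.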