How to get Access to work with an API that requires CORS


Is it possible to enable Cloudflare Access on an API (paired with Argo) if the frontend is also on the same access account?

I have a web frontend (static site) that connects to an internally written API server. Running these in K8S, i’d like to use the argo ingress controller to restrict access to this web site (and api) to my users who have authenticated with the directory provider.

This works for the frontend, but the API needs to respond to CORS requests (i’m logged in, so I would expect this to accept my session without requiring a login). But it returns a 302 to the OPTIONS request.

Is this a supported method of enabling Argo + Access on an internal API / Site? If not, is there a better option?