Xano Documentation
Ask or search…
K

API Groups

Folders for your API endpoints with unique documentation and BaseURLs
API Groups allow you to organize your API endpoints into logical "Folders". Each of these API endpoints has its own Documentation and unique BaseURL.
Xano Creates your CRUD Operations in an API Group called Default
The API Group My First API Group is a group that contains CRUD API Endpoints to modify data in the Database Table My First Database Table.

What are API Groups used for

  • Visually separating your API Endpoints
  • Managing access between different types of groups (General vs Admin API Endpoints)
  • Separating out API Endpoints from Marketplace Extensions
  • Managing different versions of an API endpoint
Clicking inside an API Group

CORS Management

Cross-Origin Resource Sharing (CORS) is a security feature in web browsers that controls how web pages in one domain can request resources from another domain. It's a mechanism built into modern web browsers to enable controlled access to resources located outside of a given domain.
Browsers will sometimes send what is known as a 'pre-flight request' via the OPTIONS method to your API endpoints to retrieve the CORS parameters.
By default, Xano employs the following CORS options:
Allow Credentials True
Allow Methods *
Allow Origins *
Allow Headers *
Max Age 1 hour
In Xano, you have the ability to define CORS options for each individual API group if the default options do not meet your needs.
Access the CORS Management panel from the API group you'd like to modify by clicking the icon in the top-right corner.
Accessing CORS Management
For each API Group, you can change one or more of the following options related to CORS.
  • Allow Credentials
    • Enable this to allow your APIs in the selected API group to accept requests that contain credentials, such as cookies or authentication tokens.
  • Allow Methods
    • Modify this setting to only allow certain methods to be used to call APIs in the selected API group.
  • Allow Origins
    • Define the domains that requests to your APIs can come from.
  • Allow Headers
    • Define what additional headers are allowed when calling your APIs in the selected API group.
  • Max Age
    • Define how long the browser can use the permissions returned via the pre-flight request before it is necessary to ask for new permissions.
You can also set CORS to 'disabled', meaning that any requests requiring specific CORS parameters will be denied.
Last modified 2mo ago