Leaving Hostaway because of their booking fee?

OwnerRez API - Cross-Origin Request Blocked

Matt M
Dec 17, 2022 12:28 PM
Joined Jan, 2022 2 posts

Hello,

I am trying to create a custom web app for myself that accesses my OwnerRez account via the OR Rest API.  I am trying to access my guest list, however, I receive the following error when making the request:

'Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://api.ownerrez.com/v2/guests. (Reason: CORS request did not succeed). Status code: (null).'

Here is my request from Javascript:

const res = await fetch('https://api.ownerrez.com/v2/guests', {
method: 'GET',
headers: {
'Content-type': 'application/json',
'User-Agent' : 'OR Contacts App',
'Authorization': `Basic ${base64.encode('myemail:myaccesstoken')}`
},
})
const guests = await res.json();
return guests;

 

I am able to successfully retrieve a response at the URI 'https://app.ownerrez.com/api/properties/lookup'. But all other resource requests for both v1.0 and v2.0 URIs return the above response.

Thanks in advance for any help.

-Matt

 

Joel P
Dec 19, 2022 4:18 PM
OR Team Member Joined Oct, 2009 141 posts

Hi Matt,

Are you running your script in a Node.js environment, or directly in a browser? The latter will not work as the metadata associated with your host page will be rejected on our end. A Node.js environment should work fine though, so long as your authentication headers are correct (which appears to be the case).

Matt M
Dec 19, 2022 5:47 PM
Joined Jan, 2022 2 posts

Hey Joel,

Thanks for the response. I am sending the request from the client side/web browser. So I just need to make the API call to OR from my backend (haven't written one yet but it'll probably be node.js) and then build a "wrapper" API to be able to access it from my webapp, correct?

Thanks Again,

Matt

Joel P
Dec 20, 2022 9:11 AM
OR Team Member Joined Oct, 2009 141 posts

Yes. That's how I would recommend doing it. One reason to keep the api calls on the server is to avoid exposing your username or token to any visitors on your site.