Knowledge Drop

400 Bad Request response from API

Last tested: Oct 19, 2020


We most commonly see this response when an API consumer is incorrectly using the origin header in an API call.

CORS is only available when using the new experimental API 4.0. As such, any request with an origin header to /api/3.0/ or /api/3.1 or /api/4.0/login will fail no matter what, and additionally, any valid request to api/4.0/ will require that its origin header value is also in the Embedded Domain Whitelist.

How do I fix it?

The origin header will not work in any of these circumstances:

  • Call is made to API 3.0 or 3.1, or
  • Call is made to api/4.0/login, or
  • The domain used in the origin header is not on the Embedded Domain Whitelist.

Further Reading

We explicitly prevent CORS requests to /api/4.0/login - the idea is the Javascript running in the browser should be doing the OAuth workflow instead, as storing client_id/secret in JS is potentially dangerous. So that means you will need to register an OAuth app as described in the article in order to do OAuth, then once you've registered your app there is automatic support for the OAuth workflow in our TS SDK.

(DOCS) More info on Looker + CORS here


This content is subject to limited support.                



0 replies

Be the first to reply!