The B2C Checkout endpoint has the option to use modern browsers' Cross-Origin Resource Sharing (CORS) support to allow a checkout call from a safelisted domain using a publishable key. 

This support allows ACME clients to build custom integrations that make the checkout call directly from the JavaScript rather than going through their backend.

Typically, an online ticketing integration follows a flow similar to this:

  1. A user adds items to a shopping cart via the client’s frontend

  2. The information collected on the frontend is passed to the client’s backend for processing

  3. API calls are made from the client’s backend to the ACME APIs

  4. The client’s backend returns the API responses to their frontend

  5. The information is presented to the user via the client’s frontend

The CORS checkout allows you to bypass sending payment information through your backend and can be used to make the checkout call directly from your JavaScript.  All other calls would still be made via your backend using a similar flow as above.


Configuration Requirements

The following configuration items must be completed in order to enable CORS checkout.

  • Safelisted domains must be registered with ACME. Only calls from these domains will be allowed to complete a checkout and only one domain can be used per environment.

  • ACME must associate a publishable key with an existing user.  

Tip: When creating a user for an integration, we recommend using a 1:1 user to integration relationship.  Ex. online_ticketing_api_user, crm_integration_user, etc.  This will help you troubleshoot integrations should you ever have an issue.

To get started, please refer to Requesting an API Key.


Note: The Safelisting process can take up to two weeks to complete.


Checkout Call

The CORS checkout endpoint /v2/b2c/cors/checkout uses the same format and payload as the normal B2C checkout.  Refer to B2C Checkout for more information.

The following headers are required for a CORS checkout:

  • x-acme-pub-api-key

  • x-b2c-tenant-id

  • x-acme-request-uuid

Refer to Working with ACME's APIs for more information about headers and examples


WARNING: You should never send your normal API key (x-acme-api-key) or a session key (x-acme-session) in a call directly from your frontend to ACME’s backend as this is like publishing your ACME username and password.  Any integrations found to be using exposed API keys will be deactivated by ACME.