CORS
The API allows requests from any origin. You can call it directly from a browser without a proxy, although you should think hard before shipping a plaintext API key to a public client bundle.
Headers returned
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: Authorization, X-API-Key, Content-Type
Access-Control-Max-Age: 86400
Vary: Origin
Browser usage
For client-only widgets — e.g. a static-site daily-saint card — using the API key directly is fine if you accept that the key is visible to anyone with devtools. Use a free-tier key, restrict its name so you can revoke fast, and assume it's public.
// Browser-safe (key is visible — use a free, rotating key)
const res = await fetch("https://livesofthesaintscalendar.com/api/v1/calendar/today", {
  headers: { Authorization: "Bearer osc_live_…" },
});
const data = await res.json();
Proxying through your backend
For production apps, proxy through your own server so the key stays secret. Cache on the server side and you'll burn fewer requests too.
// Next.js Route Handler — proxy + cache
export async function GET() {
  const res = await fetch("https://livesofthesaintscalendar.com/api/v1/calendar/today", {
    headers: { Authorization: `Bearer ${process.env.LOTS_API_KEY}` },
    next: { revalidate: 600 },
  });
  const data = await res.json();
  return Response.json(data);
}
Preflight
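Every endpoint responds to OPTIONS with a preflight response that browsers can cache for 24 hours (Access-Control-Max-Age: 86400). Browsers will not issue a preflight for simple GET requests without custom headers, so the cost is usually zero. A browser request that sends Authorization or X-API-Key is not a simple request and is preflighted; the cached preflight result then covers repeat calls to the same URL.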
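The sketch below is an added example, not code from the API's documentation or its maintainers. It applies a simplified version of the Fetch standard's rules to show which requests a browser preflights and whether the policy listed under "Headers returned" would let them through. The function names and the POLICY object are hypothetical.

```javascript
// Added example: simplified CORS preflight rules (Fetch standard). Omitted:
// header value length/byte checks, the safelisted Range header, credentials.
// Policy values copied from the "Headers returned" list on this page.
const POLICY = {
  allowMethods: "GET, OPTIONS",
  allowHeaders: "Authorization, X-API-Key, Content-Type",
};

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

const splitList = (v) => v.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Lower-cased names of the request headers that force a preflight.
function unsafeHeaders(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (SAFE_HEADERS.has(n)) return false;
      if (n === "content-type") {
        const mime = String(value).split(";")[0].trim().toLowerCase();
        return !SAFE_CONTENT_TYPES.has(mime);
      }
      return true;
    })
    .map(([name]) => name.toLowerCase());
}

// True when the browser sends OPTIONS before the real request.
function needsPreflight(method, headers = {}) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaders(headers).length > 0;
}

// True when the preflight response described by `policy` permits the request.
function preflightAllows(policy, method, headers = {}) {
  const methods = splitList(policy.allowMethods);
  const allowed = splitList(policy.allowHeaders);
  const m = method.toUpperCase();
  const methodOk = SAFE_METHODS.has(m) || methods.includes(m.toLowerCase()) || methods.includes("*");
  // "*" in Allow-Headers never covers Authorization; it must be listed by name.
  const headersOk = unsafeHeaders(headers).every(
    (h) => allowed.includes(h) || (h !== "authorization" && allowed.includes("*")));
  return methodOk && headersOk;
}
```

Both key-carrying headers from this page trigger a preflight that the policy accepts, while a header the policy does not list (for example a constructed X-Request-Id) would be blocked by the browser before the GET is sent.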