GitHub API CORS Policy

- 1 answer

I'm using jQuery and ajax to do a get request to the GitHub API but after I refresh about 3 times, the request starts to fail saying:

Access to XMLHttpRequest at '' from origin 'my domain' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

even though, I've registered my domain as a GitHub OAuth app.

Here are is my javascript:

let repos = [];
const isEnglish = document.documentElement.lang == 'en';
class Repo {
  constructor(name, description, webUrl, apiUrl) {
    this._name = name;
    this._description = description;
    this._webUrl = webUrl;
    this._apiUrl = apiUrl;
    this._languages = [];

  get name() {
    return this._name;

  get description() {
    return this._description;

  get url() {
    return this._webUrl;

  get languages() {
    return this._languages;

  set languages(value) {
    this._languages = value;

  async fetchLanguages() {
    const url = this._apiUrl + '/languages';
    await $.ajax({
      url: url,
      complete: data => {
        this._languages = Object.keys(data.responseJSON);

$(document).ready(async () => {
    url: '',
    complete: xhr => {
      repos = => {
        return new Repo(, json.description, json.html_url, json.url);
      // build up list based on data
      const container = document.getElementById('projectListContainer');
      repos.forEach(repo => {
        const li = document.createElement('li');

        const collapsibleHeader = document.createElement('div');
        const headerText = document.createTextNode(;

        const collapsibleBody = document.createElement('div');

        const description = document.createElement('p');
        const descText = document.createTextNode(repo.description);

        const languages = document.createElement('p'); = '1rem';
        const langTxt = isEnglish ? 'Languages used: ' : 'Talen gebruikt: ';
        const langText = document.createTextNode(langTxt + repo.languages);

        const url = document.createElement('a');
        url.href = repo.url; = '_blank'; = '1rem'; = 'block'; = '12px';
        const urlText = document.createTextNode(repo.url);

    error: () => {
      const container = document.getElementById('projectListContainer');
      const div = document.createElement('div');
      const txt = isEnglish
        ? 'Something went wrong or the request limit is reached, check back later!'
        : 'Er is iets fout gegeaan of het maximum aantal requests is bereikt, kom later terug!';
      const text = document.createTextNode(txt);

const updateTable = () => {
  repos.forEach(repo => {
    const tdLanguages = document.getElementsByClassName(`${}Lang`)[0];
    tdLanguages.innerHTML = repo.languages.join(', ');



For unauthenticated requests, they limit up to 60 requests an hour. You can increase this upto 5000 per hours by authenticating the api requests.

So when I was facing this problem a couple of weeks ago, I created personal_auth_token at gihub and passed this token in the headers and the problem was solved.

To generate personal_auth_token, login to, go to settings -> developers settings -> Personal access tokens and generate one.

Pass this token in headers under Auhtorization: *token*. So in your AJAX request, it could look something like this:

    url: *yourUrl*
    beforeSend: function (xhr) {
        xhr.setRequestHeader('Authorization', *token*));

One thing to note here is DON'T push the code with this token on github if the repository is public. That gets immediately detected and the token is revoked and you're be required to create again one.

For API requests using Basic Authentication or OAuth, you can make up to 5000 requests per hour. Authenticated requests are associated with the authenticated user, regardless of whether Basic Authentication or an OAuth token was used. This means that all OAuth applications authorized by a user share the same quota of 5000 requests per hour when they authenticate with different tokens owned by the same user.

For unauthenticated requests, the rate limit allows for up to 60 requests per hour. Unauthenticated requests are associated with the originating IP address, and not the user making requests.

Another solution that effectively worked in my case was solving the CORS issue with a proxy server. In this, you're just required to append the API request URL to a proxy service provider such as,

var url = ""; //your api request url,
var proxyUrl = `${url}`;

fetch(proxyUrl)... //Make a request with this proxy url to navigate CORS issue