Why do my API requests from browser-based applications get blocked by the CORS policy?
The DeepL API enables the seamless and secure integration of translation capabilities into your websites and applications through an HTTP interface. This might tempt you to send requests to the DeepL API directly from a browser, but those requests will fail with an HTTP 403 Forbidden status code and the error message “blocked by CORS policy”.
The DeepL API does not allow calls directly from browser-based applications.
Please follow the recommendations below when using the API.
Keep it secret
Requests to third-party APIs from frontend applications would expose your credentials on the web, leaving your account vulnerable to fraud and abuse, e.g., someone racking up high usage costs on a DeepL API Pro plan. Never reveal your API authentication key in publicly accessible code.
If you realize your API authentication key has been exposed, log in to your DeepL account immediately. Under Account details you have the option to generate a new authentication key. This will invalidate your compromised key.
Keep it safe
To safely use the DeepL API on your website or application, you can route your requests through your own backend servers. This keeps your credentials hidden and allows you to specify CORS policies and rate limits as required by your use case. Make sure to secure your backend servers against unauthorized access.
DeepL provides official open-source libraries to help you create these backend implementations, currently available in Python, Node, .NET, PHP and Java. Our API documentation can be found here.
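The backend routing described under “Keep it safe”, as an added example that is not DeepL's code: a Node.js (18+) request handler that keeps the key in the server environment, answers only listed origins and rate-limits each client. The allowed origin, the limits, the `DEEPL_AUTH_KEY` variable name and all function names are assumptions; it calls the Pro endpoint with plain `fetch` rather than an official library, and expects your HTTP framework to pass in the method, Origin header, client address and parsed JSON body.

```javascript
// Added example, not DeepL's code. Origin, limits and names are assumptions.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed value
const LIMIT = 30, WINDOW_MS = 60_000, MAX_CHARS = 5000;       // assumed limits
const hits = new Map(); // client id -> timestamps of recent forwarded requests

// CORS policy: only listed origins get headers; anything else gets null.
function corsHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return null;
  return { 'Access-Control-Allow-Origin': origin, Vary: 'Origin',
    'Access-Control-Allow-Methods': 'POST', 'Access-Control-Allow-Headers': 'Content-Type' };
}

// Sliding-window rate limit per client.
function underLimit(clientId, now = Date.now()) {
  const recent = (hits.get(clientId) || []).filter((t) => now - t < WINDOW_MS);
  const ok = recent.length < LIMIT;
  if (ok) recent.push(now);
  hits.set(clientId, recent);
  return ok;
}

// Upstream call. The key is read from the server environment and never reaches
// the browser. Pro endpoint shown; API Free accounts use api-free.deepl.com.
async function forwardToDeepL(text, targetLang) {
  const res = await fetch('https://api.deepl.com/v2/translate', {
    method: 'POST',
    headers: { Authorization: `DeepL-Auth-Key ${process.env.DEEPL_AUTH_KEY}`,
      'Content-Type': 'application/json' },
    body: JSON.stringify({ text: [text], target_lang: targetLang }),
  });
  return { status: res.status, body: await res.text() };
}

// Handles one browser request; `forward` is injectable so the checks run offline.
async function handle({ method, origin, clientId, text, targetLang }, forward = forwardToDeepL) {
  const headers = corsHeaders(origin);
  if (!headers) return { status: 403, headers: {}, body: '' };
  if (method === 'OPTIONS') return { status: 204, headers, body: '' }; // preflight
  if (!underLimit(clientId)) return { status: 429, headers, body: '' };
  if (typeof text !== 'string' || !text || text.length > MAX_CHARS)
    return { status: 400, headers, body: '' };
  try {
    const upstream = await forward(text, targetLang);
    return { status: upstream.status, headers, body: upstream.body };
  } catch {
    return { status: 502, headers, body: '' }; // upstream unreachable
  }
}
```

Behind a reverse proxy, pass the proxy-reported client address as `clientId`; otherwise every user shares one rate-limit bucket.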