Cross Origin Requests (CORS)
If your API and client live on different domains, you will need to configure your Rails API to allow cross origin requests. The rack-cors gem can be used to accomplish this.
The following dangerous example will allow cross domain requests from any domain. Make sure to whitelist only the needed domains.

Example rack-cors configuration:

```ruby
# Gemfile
gem 'rack-cors', :require => 'rack/cors'

# config/application.rb
module YourApp
  class Application < Rails::Application
    config.middleware.use Rack::Cors do
      allow do
        # DANGEROUS: '*' accepts cross-origin requests from any domain
        origins '*'
        resource '*',
          headers: :any,
          # response headers that client-side code is allowed to read
          expose: ['access-token', 'expiry', 'token-type', 'uid', 'client'],
          methods: [:get, :post, :options, :delete, :put]
      end
    end
  end
end
```
Make extra sure that the Access-Control-Expose-Headers header includes access-token, expiry, token-type, uid, and client (as is set in the example above by the :expose param). If your client experiences erroneous 401 responses, this is likely the cause.
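An allowlisted counterpart to the dangerous configuration above, as an added example (not the project's own code). The origins listed and the names `ALLOWED_ORIGINS`, `AUTH_HEADERS`, `normalize_origin`, `origin_allowed?` and `CONFIGURE_CORS` are assumptions. It uses rack-cors's block form of `origins` so that each request's Origin is compared exactly after normalisation, and it keeps the same exposed headers.

```ruby
require 'uri'

# Constructed sample allowlist: replace with the origins your clients are served from.
ALLOWED_ORIGINS = %w[
  https://app.example.com
  https://admin.example.com
].freeze

# Headers the client must be able to read, as listed on this page.
AUTH_HEADERS = %w[access-token expiry token-type uid client].freeze

# Normalise an Origin header value to "scheme://host[:port]". Returns nil for
# anything that is not a plain http(s) origin ("null", paths, userinfo, garbage).
def normalize_origin(value)
  uri = URI.parse(value.to_s.strip)
  return nil unless uri.is_a?(URI::HTTP) && uri.host
  return nil if uri.userinfo || !uri.path.empty? || uri.query || uri.fragment
  port = uri.port == uri.default_port ? '' : ":#{uri.port}"
  "#{uri.scheme}://#{uri.host.downcase}#{port}"
rescue URI::InvalidURIError
  nil
end

# Exact comparison after normalisation, so a look-alike host such as
# https://app.example.com.evil.test never matches the way a loose pattern would.
def origin_allowed?(value)
  origin = normalize_origin(value)
  !origin.nil? && ALLOWED_ORIGINS.include?(origin)
end

# Call from config/application.rb as: CONFIGURE_CORS.call(config)
# Rack::Cors is only referenced when the lambda runs inside the Rails app.
CONFIGURE_CORS = lambda do |config|
  config.middleware.use Rack::Cors do
    allow do
      origins { |source, _env| origin_allowed?(source) }
      resource '*',
        headers: :any,
        expose: AUTH_HEADERS,
        methods: [:get, :post, :options, :delete, :put]
    end
  end
end
```
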
CORS may not be possible with older browsers (IE8, IE9). I usually set up a proxy for those browsers. See the ng-token-auth readme or the jToker readme for more information.