The process of building custom applications and tools that interact with Microsoft SharePoint, including SharePoint Online in Microsoft 365.
Regarding the CORS error, the response indicates that the browser's preflight request is being rejected because the endpoint does not return an Access-Control-Allow-Origin header. Since CORS is enforced by the browser, direct client-side requests cannot succeed unless the service explicitly allows the origin.
The Work IQ documentation states that the API uses delegated Microsoft Entra ID authentication, supports On-Behalf-Of (OBO) flows, and does not support application-only authentication.
I couldn't find Microsoft documentation that explicitly confirms support for direct SPFx/browser-based access, nor documentation that states CORS support is planned. The Work IQ API overview describes REST as a conversational API for apps, backends, service-hosted agents, and orchestrators.
Based on the CORS behavior, a practical approach would be to call Work IQ through a backend proxy layer (for example, an Azure Function or App Service) and use delegated/OBO authentication to access the API on behalf of the signed-in user. You can read more at WorkIQ-API-Client/README.md at main · timoleo23/WorkIQ-API-Client · GitHub
One other thing to check is the endpoint URL itself. Microsoft recently updated the Work IQ REST API documentation and the current REST endpoints no longer include the /copilot segment. Using the older endpoint may result in a 404 response.
I hope this information is helpful.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.