Cannot send requests to Work IQ REST APIs from SPFx application

Pete Heidler 0 Reputation points
2026-07-01T22:33:57.1666667+00:00

Requests made to Work IQ REST APIs fail due to CORS:

Access to fetch at 'https://workiq.svc.cloud.microsoft/rest/beta/copilot/conversations' from origin '{tenant_url}' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Will the Work IQ REST API add CORS headers so that requests can be made from a browser? If requests must come from another source, what is the suggested authentication flow for SharePoint Framework applications to utilize these APIs?

Thanks.

Microsoft 365 and Office | SharePoint | Development

1 answer

  1. Teddie-D 18,700 Reputation points Microsoft External Staff Moderator
    2026-07-02T00:25:29.2166667+00:00

    Hi @Pete Heidler

    Regarding the CORS error, the response indicates that the browser's preflight request is being rejected because the endpoint does not return an Access-Control-Allow-Origin header. Since CORS is enforced by the browser, direct client-side requests cannot succeed unless the service explicitly allows the origin.

    The Work IQ documentation states that the API uses delegated Microsoft Entra ID authentication, supports On-Behalf-Of (OBO) flows, and does not support application-only authentication.

    I couldn't find Microsoft documentation that explicitly confirms support for direct SPFx/browser-based access, nor documentation that states CORS support is planned. The Work IQ API overview describes REST as a conversational API for apps, backends, service-hosted agents, and orchestrators.

    Based on the CORS behavior, a practical approach would be to call Work IQ through a backend proxy layer (for example, an Azure Function or App Service) and use delegated/OBO authentication to access the API on behalf of the signed-in user. You can read more at WorkIQ-API-Client/README.md at main · timoleo23/WorkIQ-API-Client · GitHub

    One other thing to check is the endpoint URL itself. Microsoft recently updated the Work IQ REST API documentation and the current REST endpoints no longer include the /copilot segment. Using the older endpoint may result in a 404 response.

    I hope this information is helpful.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".       

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.  
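
The backend-proxy approach suggested in the answer above, as an added example (not part of the original answer, and not Microsoft's or the linked repository's code): the proxy answers the browser's preflight for an allowlisted SPFx origin, exchanges the user's token through the On-Behalf-Of flow, and forwards the call server-side. The tenant ID, client ID, Work IQ scope and REST path are placeholders, and the SharePoint origin is a constructed sample; the token request uses the standard Microsoft identity platform OBO parameters.

```javascript
// Added example; every "placeholder" value is an assumption, not taken from Work IQ docs.
const CONFIG = {
  tenantId: "<tenant-id>", clientId: "<proxy-app-client-id>", // placeholders
  clientSecret: process.env.PROXY_CLIENT_SECRET || "<secret>", // never shipped to the browser
  workIqScope: "<work-iq-delegated-scope>", // placeholder
  workIqUrl: "https://workiq.svc.cloud.microsoft/<current-rest-path>", // path is a placeholder
  allowedOrigins: ["https://contoso.sharepoint.com"], // constructed sample SPFx origin
};

// Exact-match allowlist: never reflect an arbitrary Origin or answer with "*".
function corsHeaders(origin, cfg = CONFIG) {
  if (!cfg.allowedOrigins.includes(origin)) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": "POST, OPTIONS",
    "Access-Control-Allow-Headers": "authorization, content-type",
    "Vary": "Origin",
  };
}

// Standard Microsoft identity platform On-Behalf-Of token request.
function buildOboRequest(userToken, cfg = CONFIG) {
  const body = new URLSearchParams({
    grant_type: "urn:ietf:params:oauth:grant-type:jwt-bearer",
    requested_token_use: "on_behalf_of",
    client_id: cfg.clientId,
    client_secret: cfg.clientSecret,
    assertion: userToken, // token the SPFx client acquired for this proxy's API
    scope: cfg.workIqScope,
  });
  return { url: `https://login.microsoftonline.com/${cfg.tenantId}/oauth2/v2.0/token`, body };
}

// req: { method, headers: { origin, authorization }, body }. The upstream URL is fixed
// server-side; the client only supplies the JSON body. fetchImpl is injectable for tests.
async function handleProxy(req, cfg = CONFIG, fetchImpl = fetch) {
  const cors = corsHeaders(req.headers.origin, cfg);
  if (!cors) return { status: 403, headers: {} };
  if (req.method === "OPTIONS") return { status: 204, headers: cors }; // preflight
  const m = /^Bearer (.+)$/.exec(req.headers.authorization || "");
  if (!m) return { status: 401, headers: cors };
  const obo = buildOboRequest(m[1], cfg);
  const tokenRes = await fetchImpl(obo.url, { method: "POST", body: obo.body });
  if (!tokenRes.ok) return { status: 401, headers: cors };
  const { access_token } = await tokenRes.json();
  const upstream = await fetchImpl(cfg.workIqUrl, { method: "POST", body: JSON.stringify(req.body),
    headers: { Authorization: `Bearer ${access_token}`, "Content-Type": "application/json" } });
  return { status: upstream.status, headers: cors, body: await upstream.text() };
}
```

The logic is host-agnostic, so it can sit behind an Azure Function or App Service HTTP handler as the answer suggests; the client secret and the Work IQ token never reach the browser.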
