CORS Preflight Fails on Identity Hub – OPTIONS Requires Authentication

[AIMENCristianVegaMuniz]

Hi,
We're developing an admin UI that allows us to manage both the EDC Connector (assets, policies, contracts, etc.) and the Identity Hub. For the EDC Connector, we configured the following environment variables to enable CORS:

edc.web.rest.cors.enabled=true
edc.web.rest.cors.origins=http://192.168.1.27
edc.web.rest.cors.headers=Authorization,Content-Type,X-Api-Key
edc.web.rest.cors.methods=GET,POST,PUT,DELETE,OPTIONS

This works well, and CORS is functioning as expected.

We applied a similar setup for the Identity Hub. We've added the CORS configuration, also the super-user seed extension, configured the API key using EDC_IH_API_SUPERUSER_KEY, and we’re able to make requests from Postman and curl successfully.

However, when making requests from the UI (running at http://192.168.1.27), the CORS preflight request (OPTIONS) fails with a 401 Unauthorized, likely because it doesn't include the X-API-Key header. This causes the Identity Hub to reject the preflight before the actual request can be made.

Our question is:

Is there a way to configure the Identity Hub to allow unauthenticated OPTIONS requests (i.e., bypass authentication for preflight), or to support direct browser connectivity without needing an intermediary proxy? What is your recommendation?

Thanks in advance for your help!