I've been working with the web api for the last couple of days. Sending requests using an http client (like insomnia) was fine, but from within a web based application, the request fails with a CORS error.

Taking a look into the devtools showed an error for the preflight request, the browser performs. The OPTIONS request does not include the authorization header, which seems to be required for the endpoint I'm trying to call (/1.2/user/[user-id]/sleep/date/[date].json).

To be sure that the issue is not on my side, I checked the fitbit hosted swagger UI and was met with the same error.

Is this intended behaviour? If it is the case, as far as I can tell, the affected endpoints would be rendered unusable from the browser directly.