Make HTTP POST request from Lightning Component

Salesforce Asked by DarkSkull on January 2, 2022

I want to make a post request to a server, using this code:

    start : function(component, event, helper) {
        var xhr = new XMLHttpRequest();
        var url = "";
        xhr.open("POST", url, true);
        // A JSON Content-Type is not CORS-safelisted, so the browser sends a preflight
        xhr.setRequestHeader("Content-Type", "application/json");
        xhr.setRequestHeader("Accept", "application/json");
        // Custom header: the preflight response must list it in Access-Control-Allow-Headers
        xhr.setRequestHeader("token", "xxxxxxxxxxxxxxxxxxxxxxx");
        xhr.onreadystatechange = function () {
            if (xhr.readyState === 4 && xhr.status === 200) {
                var json = JSON.parse(xhr.responseText);
            }
        };
        var data = JSON.stringify({
            "evse_id": "scscrfgdfsgdfsdsfdgfd",
            "plug_id": 1,
            "id_tag": {
                "tag_id": "test",
                "tag_type": "UID"
            },
            "provider_id": "QTEDFF",
            "session_id": "123456789"
        });
        xhr.send(data);
    }


I added in CSP Trusted Site Definition and in CORS Whitelist Origins but it shows this error message:

Failed to load Request header field token is not allowed by Access-Control-Allow-Headers in preflight response.

Is it possible to invoke this method only from the Lightning Component, or do I have to do it from an Apex Class?

2 Answers

To connect to an API via AJAX, the API you're calling must be CORS-enabled, and you must follow CORS rules. This stands in contrast to an API callout that you might do via Postman or Apex, which doesn't require CORS. The browser will enforce this. These rules apply to all web applications, not just Salesforce Lightning Components.

Per CORS, the server you're calling has to return a header called "Access-Control-Allow-Headers" with "token" as part of the value in its response. Otherwise you'll be blocked from submitting a header called "token" via AJAX.

The absence of an Access-Control-Allow-Headers header explicitly allowing the token header in the request suggests to me that this API probably has not addressed CORS. The API response is probably missing the Access-Control-Allow-Origin header as well -- which is the main requirement of CORS.

If you can't use Apex, you'll need to get the API provider on-board with enabling CORS. You can refer them to

Answered by Matthew Souther on January 2, 2022
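As an added illustration of the rule described in the answer above (not code from the answer or from Salesforce), this JavaScript models a simplified version of the browser's preflight decision for the request in the question. The function names, the sample origin and the shortened token value are assumptions constructed for the example.

```javascript
// Simplified model of the browser's CORS preflight check (added example).
// Headers a script may set without needing approval; Content-Type is
// safelisted only for the three values below.
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Constructed sample: hypothetical page origin and the question's request headers.
const ORIGIN = "https://example.lightning.force.com";
const REQ = { "Content-Type": "application/json", "Accept": "application/json", "token": "xxx" };

// Request headers that the preflight response must explicitly allow.
function headersNeedingApproval(requestHeaders) {
  return Object.entries(requestHeaders)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (SAFE_HEADERS.has(n)) return false;
      if (n === "content-type") {
        return !SAFE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase());
      }
      return true;
    })
    .map(([name]) => name.toLowerCase());
}

// Decide whether the browser would send the real request, given the headers
// on the server's reply to the OPTIONS preflight. POST is a safelisted method,
// so Access-Control-Allow-Methods is not checked here. The "*" wildcard is
// honoured only for requests without credentials, which is the XHR default.
function checkPreflight(origin, requestHeaders, preflightResponse) {
  const resp = {};
  for (const [k, v] of Object.entries(preflightResponse)) resp[k.toLowerCase()] = v;

  const allowOrigin = resp["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) {
    return { allowed: false, reason: "origin not allowed by Access-Control-Allow-Origin" };
  }
  const allowed = (resp["access-control-allow-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  for (const h of headersNeedingApproval(requestHeaders)) {
    if (!allowed.includes(h) && !allowed.includes("*")) {
      return { allowed: false,
        reason: `Request header field ${h} is not allowed by Access-Control-Allow-Headers` };
    }
  }
  return { allowed: true, reason: "preflight passed" };
}
```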

The Error message -->

Failed to load Request header field token is not allowed by Access-Control-Allow-Headers in preflight response.

Is basically telling you that the Server where is hosted does not accept your request, or more specifically, the Token in the request header. Unless you have control over the server, you won't be able to do this request client side.

Answered by glls on January 2, 2022
