CORS allow headers don't include x-api-key
Currently, the CORS Access-Control-Allow-Headers header excludes the x-api-key header, which prevents web-based applications from calling the API directly for authorization.
This looked to be an oversight when the x-api-key was added.
Given the current allowed headers include the authentication header, these types of apps were permitted, and there may be apps in production that use the API with the old keys. These apps would have no path to upgrade to the new authentication flow.
The x-api-key should be added to the allow list to bring the auth flow with api-key in line with the previous flow.
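As an added illustration (not code from the project or the issue author), the sketch below models how a browser compares the headers requested in a CORS preflight against Access-Control-Allow-Headers. The allow-list strings are constructed, since the page does not show the API's actual value, and it is an assumption that "the authentication header" means `Authorization`.

```javascript
// Added example: models the browser's CORS preflight header check.
// Names that never need to be listed. Content-Type is safelisted only for
// a few values, so this sketch treats it as a header that must be listed.
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);

// Split an Access-Control-Allow-Headers value into lowercase names.
function parseAllowHeaders(value) {
  return new Set(
    (value || "").split(",").map((h) => h.trim().toLowerCase()).filter(Boolean)
  );
}

// Returns the request header names the preflight would reject.
function blockedHeaders(requestHeaders, allowHeadersValue, { credentials = false } = {}) {
  const allowed = parseAllowHeaders(allowHeadersValue);
  // "*" acts as a wildcard only for requests without credentials,
  // and it never covers Authorization.
  const wildcard = allowed.has("*") && !credentials;
  return requestHeaders
    .map((h) => h.toLowerCase()) // header names compare case-insensitively
    .filter((h) => !SAFELISTED.has(h))
    .filter((h) => {
      if (allowed.has(h)) return false;
      if (wildcard && h !== "authorization") return false;
      return true;
    });
}

// Constructed allow lists: before and after adding x-api-key.
const BEFORE = "Authorization, Content-Type";
const AFTER = "Authorization, Content-Type, X-API-Key";

console.log(blockedHeaders(["x-api-key", "content-type"], BEFORE)); // [ 'x-api-key' ]
console.log(blockedHeaders(["X-Api-Key", "content-type"], AFTER)); // []
```

A non-empty result means the browser fails the preflight and never sends the actual request, which is why the old header works from a web app while x-api-key does not.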