You really should not be using these API credentials for CORS requests which is why that header field is not allowed.
However we do allow the user-api headers in CORS: