We have two different API authentication systems, which can be confusing.
These are for the ‘admin API’, which is described on docs.discourse.org. This is not designed to be used from javascript clients.
These are from the “User API” specification, which can be used from a javascript client (and therefore supports CORS). There are more details about this here: User API keys specification