Yes, from the browser. Sorry if I was not clear. This is all happening from another webapp, user isn’t logged in and no iframing of discourse. the request originates from a browser passing the apikey as request Params
My understanding of apikeys is Once we have apikey of user, we can act on behalf of them from anywhere even from a console/terminal (curl or equivalent). No more CORS