Yii2 API Backend with reactjs Frontend authenticate with Bearer

I am working with a Yii2 API and a reactjs fronted. I want to implement authentication in my api such that only authenticated users using the Bear authentication class can access my API functions. I have implemented my Before actions as follows

public $serializer = [
    'class' => 'yii\rest\Serializer',
    'collectionEnvelope' => 'items',

public static function allowedDomains()
    return [
      // '*'   // star allows all domains

public function behaviors()
    return array_merge(parent::behaviors(), [
        // For cross-domain AJAX request
        'corsFilter'  => [
            'class' => \yii\filters\Cors::className(),
            'cors'  => [
                // restrict access to domains:
                'Origin'=> static::allowedDomains(),
                'Access-Control-Request-Method'    => ['POST','GET','PUT','OPTIONS', 'PATCH','DELETE'],
                'Access-Control-Allow-Credentials' => true,
                'Access-Control-Max-Age'           => 3600,// Cache (seconds)
               'Access-Control-Request-Headers' => ['Origin', 'X-Requested-With', 'Content-Type', 'accept', 'Authorization'],
                //'Access-Control-Allow-Credentials' => true,
                'Access-Control-Allow-Origin' => false,
        //authenticate the user before execute the actions
            'class' => CompositeAuth::className(),
            'authMethods' => [
            'except' => ['search'],


In my reactjs frontend, I make an API call to get data from the api using a function call getposts which is

function getposts(userId) {
const requestOptions = {
    method: 'POST',
    headers: {
        'Authorization': 'Bearer ' + user.auth_key,
        'Content-Type': 'application/json'
    body: JSON.stringify(userId)
//console.log('we are about to login');
return fetch(apiConstants.API_POST_URL, requestOptions)
    .then(json => {
        return json;

where auth_key is the authorization key to be used for verification. When I use the chrome browser for debug, I get a 401 error ( Unauthorized). With Access to fetch from { my URL } has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Note, I use that key in postman to get the data I need and it works well. I have changed multiple user keys ( and even pass default values) and they don’t work.

Any heads on or help on this issue will be greatly appreciated. thanks