diff --git a/packages/apis/com.daplie.goldilocks/index.js b/packages/apis/com.daplie.goldilocks/index.js
index 33d2f51..50281c8 100644
--- a/packages/apis/com.daplie.goldilocks/index.js
+++ b/packages/apis/com.daplie.goldilocks/index.js
@@ -19,6 +19,27 @@ module.exports.create = function (deps, conf) {
 });
 */
+ function handleCors(req, res, methods) {
+ if (!methods) {
+ methods = ['GET', 'POST'];
+ }
+ if (!Array.isArray(methods)) {
+ methods = [ methods ];
+ }
+
+ res.setHeader('Access-Control-Allow-Origin', req.headers.origin || '*');
+ res.setHeader('Access-Control-Allow-Methods', methods.join(', '));
+ res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
+
+ if (req.method.toUpperCase() !== 'OPTIONS') {
+ return false;
+ }
+
+ res.setHeader('Allow', methods.join(', '));
+ res.end();
+ return true;
+ }
+
 function isAuthorized(req, res, fn) {
 var auth = jwt.decode((req.headers.authorization||'').replace(/^bearer\s+/i, ''));
 if (!auth) {
@@ -42,11 +63,21 @@ module.exports.create = function (deps, conf) {
 return {
 init: function (req, res) {
+ if (handleCors(req, res, 'POST')) {
+ return;
+ }
+ if (req.method !== 'POST') {
+ res.statusCode = 405;
+ res.setHeader('Content-Type', 'application/json');
+ res.end(JSON.stringify({ error: { message: 'method '+req.method+' not allowed'}}));
+ return;
+ }
+
 jsonParser(req, res, function () {
 return deps.PromiseA.resolve().then(function () {
+ console.log('init POST body', req.body);
- console.log('req.body', req.body);
 var auth = jwt.decode((req.headers.authorization||'').replace(/^bearer\s+/i, ''));
 var token = jwt.decode(req.body.access_token);
 var refresh = jwt.decode(req.body.refresh_token);
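Review bot: `res.setHeader('Access-Control-Allow-Origin', req.headers.origin || '*')` in handleCors reflects whatever Origin the client sends, which is an any-origin policy written in a form that looks selective, and because the response now varies per request it also needs `Vary: Origin` so caches do not serve one origin's answer to another. Without credentials this is no worse than `'*'`, but if `Access-Control-Allow-Credentials` is ever added next to it the reflection becomes an any-origin credentialed hole; either send `'*'` literally or match `req.headers.origin` against an allow list taken from `conf` (the key for it is not visible here) and send no CORS header on a miss. The `Allow` header written on the OPTIONS path is defined as a list of method tokens, and the `request` route below passes `'*'`, so `Allow: *` is not a valid value there; an explicit list is the safer default. handleCors is complete within this hunk, while the enclosing `create` function starts and ends outside it.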
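Review bot: `console.log('init POST body', req.body)` writes the entire request body to the log, and the lines directly after it read `req.body.access_token` and `req.body.refresh_token` from that same body, so access and refresh tokens end up in plain-text logs. Log the field names instead, e.g. `console.log('init POST body keys', Object.keys(req.body || {}));`, or drop the line altogether. The new 405 branch should also carry the method it accepts, `res.setHeader('Allow', 'POST');`, which is what a 405 response is defined to include and matches what handleCors already advertises for this route. The `init` handler continues past the end of the hunk.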
@@ -109,7 +140,8 @@ module.exports.create = function (deps, conf) {
 res.setHeader('Content-Type', 'application/json;');
 res.end(JSON.stringify({ success: true }));
 });
- }, function (err) {
+ })
+ .catch(function (err) {
 res.setHeader('Content-Type', 'application/json;');
 res.end(JSON.stringify({ error: { message: err.message, code: err.code, uri: err.uri } }));
 });
@@ -117,6 +149,9 @@ module.exports.create = function (deps, conf) {
 });
 }
 , tunnel: function (req, res) {
+ if (handleCors(req, res)) {
+ return;
+ }
 isAuthorized(req, res, function () {
 if ('POST' !== req.method) {
 res.setHeader('Content-Type', 'application/json');
@@ -144,6 +179,9 @@ module.exports.create = function (deps, conf) {
 });
 }
 , config: function (req, res) {
+ if (handleCors(req, res)) {
+ return;
+ }
 isAuthorized(req, res, function () {
 if ('POST' !== req.method) {
 res.setHeader('Content-Type', 'application/json;');
@@ -163,6 +201,9 @@ module.exports.create = function (deps, conf) {
 });
 }
 , request: function (req, res) {
+ if (handleCors(req, res, '*')) {
+ return;
+ }
 isAuthorized(req, res, function () {
 jsonParser(req, res, function () {
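Review bot: Moving the rejection handler from the second argument of `.then` to `.catch` means an exception thrown inside the success callback now reaches this handler too, and if that exception occurs after `res.end(JSON.stringify({ success: true }))` has already run, the handler's own `res.setHeader` will throw (Node reports it as `ERR_HTTP_HEADERS_SENT`) inside the catch and leave an unhandled rejection. Guarding the error branch with `if (res.headersSent) { return; }` keeps the wider catch from turning into a second failure. The error branch also leaves `res.statusCode` at its default while returning an error body, so a client cannot tell failure from success without parsing the JSON; setting a 4xx/5xx status there is a worthwhile companion change. The enclosing handler starts and ends outside this hunk.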
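Review bot: `handleCors(req, res)` in tunnel falls back to the default `['GET', 'POST']`, yet the `if ('POST' !== req.method)` check a few lines below rejects everything but POST, so the preflight advertises a GET method the route refuses; pass the real set, `if (handleCors(req, res, 'POST')) {`. The same mismatch is in the config hunk below (`@@ -144,6 +179,9 @@`), which also rejects non-POST. Answering the preflight before isAuthorized is correct, since browsers send OPTIONS without the Authorization header, but it means the CORS headers are identical for authenticated and unauthenticated callers, so the allowed-origin policy inside handleCors is the only gate on which sites may script these endpoints. Both the tunnel and config handlers continue past the end of their hunks.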