The API server forgot to say "other websites are allowed to talk to me."

It needed to tell browsers: Access-Control-Allow-Origin: *

corproxy.io fixes this issue.