diff --git a/config/initializers/cors.rb b/config/initializers/cors.rb
index 1d516370f..38878d456 100644
--- a/config/initializers/cors.rb
+++ b/config/initializers/cors.rb
@@ -14,6 +14,10 @@ Rails.application.config.middleware.insert_before 0, Rack::Cors do
     if ActiveModel::Type::Boolean.new.cast(ENV.fetch('CW_API_ONLY_SERVER', false)) || Rails.env.development?
       resource '*', headers: :any, methods: :any, expose: %w[access-token client uid expiry]
     end
+
+    if ActiveModel::Type::Boolean.new.cast(ENV.fetch('ENABLE_API_CORS', false))
+      resource '/api/*', headers: :any, methods: :any, expose: %w[access-token client uid expiry]
+    end
   end
 end