Hi,
Unfortunately, the management APIs in the gateway are not set up to provide suitable CORS responses, so they will not provide the relevant headers for preflight or similar checks.
Can I ask what you are attempting to achieve? It seems to imply you have the gateway secret stored in a single page app or similar, which is not the best approach for security, as the gateway secret being available on the client end means users could access any and all admin APIs on the gateway. I’m wondering if there is a better way to achieve your ends.
For example, if you really needed to access this management API, you could define an API in the gateway that uses the /tyk/apis endpoint as its upstream. Then you can enable CORS in the API Definition, and also make use of its authentication controls, and at the same time not expose the Gateway secret to the client app.
Best Regards,
Chris
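
The approach described in the reply above, sketched as a classic Tyk API definition; this is an added example, not part of the original post and not the project's own sample. The gateway adds the `x-tyk-authorization` header to the upstream request itself, so the browser only ever holds an ordinary API key. The names, listen path, allowed origin, upstream host and port, and the secret placeholder are all assumptions to replace with your own values.

```json
{
  "name": "Management API proxy (example)",
  "api_id": "mgmt-apis-proxy-example",
  "org_id": "default",
  "active": true,
  "use_keyless": false,
  "auth": {
    "auth_header_name": "Authorization"
  },
  "definition": {
    "location": "header",
    "key": "version"
  },
  "version_data": {
    "not_versioned": true,
    "versions": {
      "Default": {
        "name": "Default",
        "global_headers": {
          "x-tyk-authorization": "<GATEWAY_SECRET_PLACEHOLDER>"
        }
      }
    }
  },
  "proxy": {
    "listen_path": "/mgmt-apis/",
    "target_url": "http://localhost:8080/tyk/apis",
    "strip_listen_path": true
  },
  "CORS": {
    "enable": true,
    "allowed_origins": ["https://app.example.com"],
    "allowed_methods": ["GET"],
    "allowed_headers": ["Authorization", "Content-Type"],
    "exposed_headers": [],
    "allow_credentials": false,
    "max_age": 24,
    "options_passthrough": false,
    "debug": false
  }
}
```

Listing a single origin and only `GET` keeps the proxied endpoint read-only from the browser, and `use_keyless: false` means each caller needs its own key that can be rate-limited or revoked without touching the gateway secret.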