For proper cross-browser interaction, CORS should be implemented.
Also, the HTTP OPTIONS request header currently gives the wrong feedback. It should be:
200 OK
Allow: HEAD,GET,PUT,DELETE,OPTIONS
And nothing else.
And last but not least, if you specify a Content-Type header when you do a POST to your API (no matter what type), you always get an error:
{
  "msg": "Unallowed API key!",
  "errno": 512,
  "status": "200 OK",
  "timing": "0.0986s"
}
If you don't specify a header, it works (strange!).
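
An added illustration, not part of the original post and not the API's own code: one way a server could answer OPTIONS with 200 OK and the Allow list requested above, while returning CORS preflight headers only to allowlisted origins. The origin, the `x-api-key` header name and the function name are assumptions.

```python
# Added example. Origins, header names and function names are hypothetical.
ALLOWED_ORIGINS = {"https://app.example.com"}        # assumed trusted front end
ALLOWED_METHODS = ["HEAD", "GET", "PUT", "DELETE", "OPTIONS"]  # list from the post
ALLOWED_REQUEST_HEADERS = {"content-type", "x-api-key"}        # assumed header names


def options_response(request_headers):
    """Return (status, headers) for an OPTIONS request.

    Plain OPTIONS gets 200 plus Allow. CORS headers are added only when
    the Origin is allowlisted; the preflight grant is added only when the
    requested method and headers are all permitted.
    """
    h = {k.lower(): v for k, v in request_headers.items()}
    methods = ",".join(ALLOWED_METHODS)
    resp = {"Allow": methods, "Content-Length": "0"}

    origin = h.get("origin")
    if origin is None:
        return 200, resp                  # not a cross-origin request

    resp["Vary"] = "Origin"               # caches must not mix origins
    if origin not in ALLOWED_ORIGINS:
        return 200, resp                  # no CORS headers: browser refuses

    # Echo the exact origin rather than "*", since the API uses keys.
    resp["Access-Control-Allow-Origin"] = origin

    wanted_method = h.get("access-control-request-method")
    if wanted_method is None:
        return 200, resp                  # OPTIONS with Origin, not a preflight

    raw = h.get("access-control-request-headers", "")
    wanted_headers = {x.strip().lower() for x in raw.split(",") if x.strip()}

    # A Content-Type such as application/json makes the browser preflight,
    # so "content-type" must be granted here or the real request never leaves.
    if wanted_method.upper() in ALLOWED_METHODS and wanted_headers <= ALLOWED_REQUEST_HEADERS:
        resp["Access-Control-Allow-Methods"] = methods
        if wanted_headers:
            resp["Access-Control-Allow-Headers"] = ", ".join(sorted(wanted_headers))
    return 200, resp
```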