Cross-site requests

Cross-site requests are allowed for the following endpoints:

Except for the sustainability API, none of the above endpoints allow you to pass credentials in cross-site requests. In other words, these API endpoints allow you to access public information only.

On a technical level, this is achieved by implementing the CORS standard, which is supported by all major browsers. We implement it in such a way that it strictly matches the intention of the API endpoint.


On Read the Docs Community, our session cookies have the SameSite attribute set to None, which means they can be sent in cross-site requests. This is needed for our sustainability API only, to not show ads if the current user is a Gold User. All resources in Read the Docs Community are public, so you don’t need to pass cookies to make use of our allowed APIs from other sites.

On Read the Docs for Business, our session cookies have the SameSite attribute set to Lax. This means that browsers will not include them in cross-site requests. If you need to have access to versions that the current user has permissions over, you can make use of our proxied APIs, which can be accessed from docs domains with the /_/ prefix. For example, you can make use of our search API from <your-docs-domain>/_/api/v2/search/.
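
The following is an added example, not Read the Docs code: a simplified model of the browser rules behind the CORS and SameSite behaviour described above, showing why the proxied search API receives the session cookie while a cross-site call does not. The function names and any host names passed to them are assumptions, "site" is approximated as the scheme plus the last two host labels, and the cookie is assumed to have been set by the host being requested.

```javascript
// Added example: simplified browser-side model, not Read the Docs code.
// "Site" is approximated as scheme + last two host labels; real browsers
// use the Public Suffix List to find the registrable domain.
const PROXIED_SEARCH_PATH = '/_/api/v2/search/'; // path taken from the page

function siteOf(url) {
  return url.protocol + '//' + url.hostname.split('.').slice(-2).join('.');
}

// Would the browser attach the session cookie to this fetch()?
// sameSite: 'None' | 'Lax', the attribute on the cookie set by the request's host.
// credentials: the fetch() mode, 'omit' | 'same-origin' | 'include'.
function cookieAttached({ pageUrl, requestUrl, sameSite, credentials }) {
  const page = new URL(pageUrl);
  const req = new URL(requestUrl);
  if (credentials === 'omit') return false;
  if (credentials === 'same-origin' && page.origin !== req.origin) return false;
  if (siteOf(page) === siteOf(req)) return true; // same-site: SameSite does not block
  // Cross-site fetch: only SameSite=None cookies are sent, and browsers
  // accept SameSite=None only on Secure (https) cookies.
  return sameSite === 'None' && req.protocol === 'https:';
}

// Is a cross-origin response exposed to the calling script under CORS?
// A credentialed request needs an explicit Access-Control-Allow-Origin
// (no wildcard) together with Access-Control-Allow-Credentials: true.
function responseReadable({ credentialed, origin, allowOrigin, allowCredentials }) {
  if (!credentialed) return allowOrigin === '*' || allowOrigin === origin;
  return allowOrigin === origin && allowCredentials === true;
}

// Build a same-origin request to the proxied search API from a docs page,
// so a SameSite=Lax session cookie is included. Query parameters are
// supplied by the caller.
function proxiedSearchRequest(docsPageUrl, params) {
  const url = new URL(PROXIED_SEARCH_PATH, docsPageUrl);
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.set(key, value);
  }
  return { url: url.href, options: { credentials: 'same-origin' } };
}
```

In a browser, the object returned by `proxiedSearchRequest` can be passed directly as `fetch(request.url, request.options)`.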