diff --git a/Cargo.lock b/Cargo.lock
index 9b306d50..8beeb83a 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -26,6 +26,7 @@ dependencies = [
  "axum",
  "axum-auth",
  "axum-macros",
+ "http",
  "http-api-problem",
  "hyper",
  "lazy_static",
diff --git a/agent_api_rest/Cargo.toml b/agent_api_rest/Cargo.toml
index 0b508939..4eb0f49e 100644
--- a/agent_api_rest/Cargo.toml
+++ b/agent_api_rest/Cargo.toml
@@ -16,6 +16,7 @@ axum-macros = "0.3"
 http-api-problem = "0.57"
 hyper = { version = "0.14", features = ["full"] }
 tower-http = { version = "0.3.4", features = ["cors"] }
+http = "0.2"
 serde.workspace = true
 serde_json.workspace = true
 tracing.workspace = true
diff --git a/agent_api_rest/src/lib.rs b/agent_api_rest/src/lib.rs
index d739eb1a..48fdcffe 100644
--- a/agent_api_rest/src/lib.rs
+++ b/agent_api_rest/src/lib.rs
@@ -9,6 +9,7 @@ use axum::{
     Router,
 };
 use tower_http::cors::{Any, CorsLayer};
+use http::header::{AUTHORIZATION, ACCEPT, CONTENT_TYPE};
 use credential_issuer::{
     credential::credential,
     token::token,
@@ -24,7 +25,8 @@ pub const AGGREGATE_ID: &str = "agg-id-F39A0C";
 
 pub fn app(state: ApplicationState<IssuanceData, IssuanceDataView>) -> Router {
     let cors = CorsLayer::new()
-        .allow_methods([Method::GET, Method::POST])
+        .allow_methods([Method::GET, Method::POST, Method::OPTIONS])
+        .allow_headers([AUTHORIZATION, ACCEPT, CONTENT_TYPE])
         .allow_origin(Any);
     Router::new()
         .route("/v1/credentials", post(credentials))