diff --git a/apps/api/src/index.ts b/apps/api/src/index.ts
index db49bc6..27e5277 100644
--- a/apps/api/src/index.ts
+++ b/apps/api/src/index.ts
@@ -8,14 +8,31 @@ import { migrate } from "./db";
 await migrate();
+const CORS_ORIGIN = process.env.CORS_ORIGINS?.split(",") ?? ["https://pingql.com"];
+
+const CORS_HEADERS = {
+ "access-control-allow-credentials": "true",
+ "access-control-allow-methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS",
+ "access-control-allow-headers": "Content-Type, Authorization",
+};
+
 const app = new Elysia()
 .use(cors({
- origin: process.env.CORS_ORIGINS?.split(",") ?? ["https://pingql.com"],
+ origin: CORS_ORIGIN,
 credentials: true,
 allowedHeaders: ["Content-Type", "Authorization"],
 methods: ["GET", "POST", "PUT", "PATCH", "DELETE", "OPTIONS"],
 preflight: true,
 }))
+ // Explicit OPTIONS handler for cross-origin preflight
+ .options("/*", ({ request }) => {
+ const origin = request.headers.get("origin") ?? "";
+ const allowed = CORS_ORIGIN.includes(origin) ? origin : CORS_ORIGIN[0];
+ return new Response(null, {
+ status: 204,
+ headers: { ...CORS_HEADERS, "access-control-allow-origin": allowed },
+ });
+ })
 .get("/", () => ({
 name: "PingQL API",
 version: "1",
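Review bot: In the new `.options("/*", …)` handler a request whose origin is not in `CORS_ORIGIN` still gets a 204 carrying the full credentialed CORS header set, with `access-control-allow-origin` falling back to `CORS_ORIGIN[0]`, and the response has no `vary: Origin` even though that header now depends on the request. The browser should still reject the mismatched origin, so this reads as a hardening gap rather than a bypass, but it is cleaner to send no CORS headers at all for unknown or missing origins, as in the excerpt below. The `?? ""` default also means an empty entry in `CORS_ORIGINS` (an empty value or a trailing comma) makes `includes("")` match, and the list is split without trimming, so consider `.split(",").map((o) => o.trim()).filter(Boolean)` on the `CORS_ORIGIN` line. `CORS_HEADERS` repeats the method and header lists passed to `cors()`, so the two can drift; whether the plugin or this handler answers a given preflight is not visible in the hunk.

```typescript
  .options("/*", ({ request }) => {
    const origin = request.headers.get("origin");
    // Unknown or missing Origin: reply without CORS headers so the browser fails the preflight.
    if (origin === null || !CORS_ORIGIN.includes(origin)) {
      return new Response(null, { status: 204, headers: { vary: "Origin" } });
    }
    return new Response(null, {
      status: 204,
      // vary: Origin because the allow-origin value is chosen per request.
      headers: { ...CORS_HEADERS, "access-control-allow-origin": origin, vary: "Origin" },
    });
  })
```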