I Discovered a Public API That Allows CORS and Built a Business Around It
Last week, I stumbled onto something that completely changed how I think about API infrastructure.
I was debugging a frontend project and noticed something strange in the browser network tab. A request to DeepSeek API was returning data directly — no server, no proxy, no backend. Just pure JavaScript fetch() from localhost hitting an external API endpoint.
My first reaction was: This cannot be right. This is a security vulnerability.
But then I started digging deeper.
The Discovery That Started Everything
For years, I have been building API proxies. Want to call OpenAI from a React app? You need a backend. Want to query Anthropic? Serverless function. Calling any major LLM provider from the browser has always required some form of server-side intermediary.
Why? CORS (Cross-Origin Resource Sharing).
Browsers block cross-origin requests by default. If your frontend at example.com tries to fetch() an API at api.provider.com, that provider must explicitly allow it by sending the right headers:
Access-Control-Allow-Origin: *
Most AI APIs do not do this. They want you to route traffic through their SDKs, their official clients, their sanctioned server-side implementations.
But DeepSeek? They ship with Access-Control-Allow-Origin: *.
I tested it. Multiple times. From different domains. Different browsers.
It works.
// This actually works in the browser
const response = await fetch("https://api.deepseek.com/chat/completions", {
method: "POST",
headers: {
"Content-Type": "application/json",
"Authorization": "Bearer YOUR_DEEPSEEK_KEY"
},
body: JSON.stringify({
model: "deepseek-chat",
messages: [{ role: "user", content: "Hello!" }]
})
});
No proxy. No backend. No Node.js server. Just a direct browser call.
Why This Changes the Game
The implications are massive.
No Server = No Infrastructure Costs
Think about what you do not need anymore:
- No backend servers to maintain
- No Lambda functions to cold-start
- No Docker containers to deploy
- No DevOps pipeline for your proxy layer
Your frontend is the application. The API is your backend.
Speed of Development = Exponential
Want to prototype an AI-powered tool? You can do it in a single HTML file. No npm install express. No serverless deploy. Just vanilla JS and an API key.
Scalability = Different Problem
You are no longer scaling your infrastructure. You are offloading that to the API provider. Their CDN, their rate limits, their uptime — that is their problem now.
The Zero-Backend API Proxy Pattern
So what does a zero-backend architecture actually look like in practice?
// Frontend-only API proxy
class SimpleProxy {
constructor(apiEndpoint, apiKey) {
this.endpoint = apiEndpoint;
this.key = apiKey;
}
async query(messages) {
return fetch(this.endpoint, {
method: "POST",
headers: {
"Content-Type": "application/json",
"Authorization": `Bearer ${this.key}`
},
body: JSON.stringify({ model: "deepseek-chat", messages })
}).then(r => r.json());
}
}
That is it. 15 lines of code. You are proxying.
But real applications need more:
- Rate limiting — Protect against quota exhaustion
- Caching — Reduce redundant API calls
- Fallback — Switch providers when one goes down
- Analytics — Track usage patterns
- Key rotation — Security without downtime
That is the gap I identified. That is where the opportunity lives.
The Compute Arbitrage Opportunity
Here is where things get interesting from a business perspective.
Different AI providers charge dramatically different prices for equivalent capabilities:
| Provider | Input Price | Output Price |
|---|---|---|
| OpenAI GPT-4o | $2.50/1M tokens | $10.00/1M tokens |
| Anthropic Claude 3.5 | $3.00/1M tokens | $15.00/1M tokens |
| DeepSeek V3 | $0.27/1M tokens | $1.10/1M tokens |
DeepSeek is roughly 10x cheaper than the American competitors for comparable quality.
Now add CORS into the equation: You can access these prices directly from the browser.
This creates a fascinating arbitrage opportunity. Build a frontend that routes requests to the cheapest available provider, cache responses intelligently, and you have:
- A service that costs almost nothing to run
- A pricing model that undercuts the incumbents
- A developer experience that requires zero infrastructure
Introducing NeuralBridge
That is exactly what I built: NeuralBridge
NeuralBridge is an AI-Operated API — a category we invented for tools that operate entirely in the infrastructure layer, routing and optimizing API calls without requiring backend implementation from developers.
Our core philosophy:
- Zero backend required — Direct browser-to-API routing for CORS-enabled providers
- Intelligent routing — Automatic provider selection based on cost, latency, and availability
- Developer-first design — Simple SDK, clear documentation, sandboxed testing
The DeepSeek CORS discovery is central to our architecture. It proved that the no-backend future is not theoretical — it is already happening.
What This Means for Developers
If you are building AI-powered applications today, here is the strategic insight:
Stop building backend infrastructure for API routing.
Instead:
- Audit your providers — Check which ones support CORS. DeepSeek does. Others are starting to.
- Design for fallbacks — When your primary provider fails or rate-limits, have a CORS-friendly backup.
- Think in routing layers — Your backend can be a thin routing layer instead of a full application server.
- Watch the arbitrage — Monitor pricing across providers. The market is moving fast.
The frontend is eating the backend. CORS is the permission slip.
The Future is Already Here
We tend to think of infrastructure as something you must build. Servers, databases, APIs, proxies — these are just tools. And sometimes, the best tool is no tool at all.
DeepSeek CORS policy might have been an oversight. Or maybe they understood something the industry has not fully grasped yet: the future of API consumption is direct.
I am building on that insight. The results speak for themselves.
Ready to explore CORS-enabled API routing?
Get your free API key and test it yourself at neuralbridge-api.surge.sh
Building the zero-backend future, one fetch() at a time.
Top comments (0)