CORS - Cross-Origin Resource Sharing
In the real world, you would not want to add a new user or pair a device with that user manually every time someone buys your product. Therefore you delegate a part of your project authorities to the SDK when you plug your project's API Key in. And so a new user gets to sign up, pair, monitor and control your device through your product's companion app.
Just by initialising your project through your API you can interact with its resources including its devices and datastore. Hence making your API key as your sole security essential poses as a security threat. That's where cross-origin request sharing CORS policies come to play. (CORS) is a that allows a server to indicate any origins other than its own from which a browser should permit loading resources.
So to allow a web app to interact with your project using the Web SDK, you first need to
whitelist the domain name your web app uses via the settings page in the dashboard. You cannot even send a request from your localhost without first whitelisting it.
To read more about CORS click here (opens in a new tab).