diff --git a/api.js b/api.js
index efe3cddb..4541bede 100644
--- a/api.js
+++ b/api.js
@@ -4,6 +4,7 @@ const config = require('wild-config');
 const restify = require('restify');
 const log = require('npmlog');
 const logger = require('restify-logger');
+const corsMiddleware = require('restify-cors-middleware2');
 const UserHandler = require('./lib/user-handler');
 const MailboxHandler = require('./lib/mailbox-handler');
 const MessageHandler = require('./lib/message-handler');
@@ -142,6 +143,15 @@ if (config.api.secure && certOptions.key) {
 
 const server = restify.createServer(serverOptions);
 
+const cors = corsMiddleware({
+ origins: ['*'],
+ allowHeaders: ['X-Access-Token'],
+ allowCredentialsAllOrigins: true
+});
+
+server.pre(cors.preflight);
+server.use(cors.actual);
+
 // disable compression for EventSource response
 // this needs to be called before gzipResponse
 server.use((req, res, next) => {
diff --git a/config/api.toml b/config/api.toml
index 480aefbc..bb395671 100644
--- a/config/api.toml
+++ b/config/api.toml
@@ -8,7 +8,7 @@ secure=false
 
 # If set requires all API calls to have accessToken query argument with that value
 # http://localhost:8080/users?accessToken=somesecretvalue
-#accessToken="somesecretvalue"
+accessToken="somesecretvalue"
 
 [accessControl]
 # If true then require a valid access token to perform API calls
diff --git a/package.json b/package.json
index 0ed68184..093f5691 100644
--- a/package.json
+++ b/package.json
@@ -70,6 +70,7 @@
 "pwnedpasswords": "1.0.5",
 "qrcode": "1.4.4",
 "restify": "8.5.1",
+ "restify-cors-middleware2": "^2.1.2",
 "restify-logger": "2.0.1",
 "saslprep": "1.0.3",
 "seq-index": "1.1.0",
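Review bot: In the second api.js hunk the CORS policy is hard-coded to `origins: ['*']` together with `allowCredentialsAllOrigins: true`, so every web origin is allowed to call the API from a browser, and the flag appears to switch off the library's guard against combining a wildcard origin with credentials. The config touched by this same commit documents the access token as optional, so on a deployment without one any page open in an operator's browser could reach the API cross-origin. I would take the allowed origins from configuration with an empty default, e.g. `origins: config.api.cors.origins` (a proposed key, not present in the visible config), and remove `allowCredentialsAllOrigins: true`. A one-line comment above `server.pre(cors.preflight);` saying why preflight handling is registered with `pre` rather than `use` would also help the next reader.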
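Review bot: The config/api.toml hunk un-comments `accessToken="somesecretvalue"`, which turns the documented placeholder into a live credential in the shipped default config. Any installation that keeps the default would then accept a token that is public in the repository, and the change reads like a local test setting committed by accident. Keep the line commented out, `#accessToken="somesecretvalue"`, and leave it to operators to set their own value in a local override.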
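Review bot: The new entry `"restify-cors-middleware2": "^2.1.2"` in package.json uses a caret range, while every neighbouring dependency visible in this hunk is pinned to an exact version. A floating range lets a later release of middleware that sits in front of every request be installed without review. Pin it like the others: `"restify-cors-middleware2": "2.1.2"`.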