Development Guides
Development of MiniApps is not rocket science! Here are some guides to help you.
CORS Guidelines


MiniApps are hosted by the SDKs in WebViews under a certain scheme structure which may be outside the list of secure origins. This may result in some of the API calls to be blocked, especially the ones which require the counterpart servers to understand that the requests are coming from the Rakuten MiniApp environment.

Our Recommendation

Since CORS is tightly coupled with security, we recommend:

Option #1: Update Your Server’s CORS Policy

This is the preferred solution, if it is possible

for you to make these changes. You should update your server so that the Access-Control-Allow-Origin header will allow the URL used by your MiniApp.

Each MiniApp runs from a unique URL based on the RakutenMini App ID. Currently the Android and iOS platforms each use a different URL for the MiniApp, so you will need to allow the URLs of both. On your server, you can read the 'Origin' header on the request, and if the origin matches one of the MiniApp URLs, then you should attach the appropriate Access-Control-Allow-Origin header in your response.

The following shows the header that should be returned to each platform:


iOS Platform Access-Control-Allow-Origin: mscheme.YOUR_MINI_APP_ID://miniapp
Android Platform Access-Control-Allow-Origin: https://mscheme.YOUR_MINI_APP_ID


Note: You can find your MiniApp ID in the RAS Portal


Option #2: Use a Proxy Server

It is possible for you to route your requests through a proxy server which is encompassed in their trust/secure zone of their ecosystem when their Rakuten MiniApps need to access external APIs.

Using proxy servers

It is relatively easy to bake out a simple proxy server using cors node package (while making use of bootstrappers like express-generator-typescript and packages like proxy-middleware) which can be then published on a cloud platform of your choice based on your enterprise infrastructure.

move to top