From 495ff5de2a2e8042644269d43948629fd0bbedb1 Mon Sep 17 00:00:00 2001
From: "fangyaozheng@bytedance.com"
Date: Mon, 15 Jun 2026 14:40:49 +0800
Subject: [PATCH] fix(examples): allow_origins=["*"] so browsers can call the deployed agent
ADK's web server has a CSRF-style Origin guard: state-changing requests (POST /run_sse, create-session) with an Origin header that isn't allow-listed get 403 "Forbidden: origin not allowed". The deploy entry called get_fast_api_app without allow_origins, so the bundled web UI (and any browser) hit 403 on every turn, while curl (no Origin header) worked. Pass allow_origins=["*"]; the API is already protected by the gateway's Bearer key.
---
 examples/codex_runtime_on_agentkit/app.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/codex_runtime_on_agentkit/app.py b/examples/codex_runtime_on_agentkit/app.py
index 3bdfaa8f..4aa23c25 100644
--- a/examples/codex_runtime_on_agentkit/app.py
+++ b/examples/codex_runtime_on_agentkit/app.py
@@ -34,7 +34,7 @@ def build_app():
- app = get_fast_api_app(agents_dir=AGENTS_DIR, web=False)
+ app = get_fast_api_app(agents_dir=AGENTS_DIR, allow_origins=["*"], web=False)
 # A simple health endpoint for the runtime's liveness checks.
 @app.get("/ping")
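Review bot: `allow_origins=["*"]` on the added line switches the Origin guard off for every origin instead of naming the ones this deployment expects, and the justification in the commit message (the gateway's Bearer key) only holds while the gateway accepts no cookie or other ambient credential — a Bearer header the browser must attach explicitly is not subject to CSRF, but cookie-based auth behind a wildcard origin would be. That reasoning currently lives only in the commit message and should sit at the call site, e.g. `# "*" disables ADK's Origin check; acceptable only while the gateway requires an explicit Bearer token and accepts no cookie/ambient auth.` Consider reading the list from configuration so the wildcard stays an example-only default, e.g. `allow_origins=os.environ.get("<ORIGINS_ENV_VAR_PLACEHOLDER>", "*").split(",")` (whether `os` is already imported in this file is not visible in the hunk). The rest of build_app lies outside the hunk.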