diff --git a/api/src/plugins/cors.ts b/api/src/plugins/cors.ts
index 004ef99cd0a..58ed68cdb35 100644
--- a/api/src/plugins/cors.ts
+++ b/api/src/plugins/cors.ts
@@ -24,7 +24,7 @@ const cors: FastifyPluginCallback = (fastify, _options, done) => {
 void reply
 .header(
 'Access-Control-Allow-Headers',
- 'Origin, X-Requested-With, Content-Type, Accept, Csrf-Token'
+ 'Origin, X-Requested-With, Content-Type, Accept, Csrf-Token, Coderoad-User-Token, Exam-Environment-Authorization-Token'
 )
 .header('Access-Control-Allow-Credentials', true)
 // These 4 are the only methods we use
diff --git a/api/src/server.test.ts b/api/src/server.test.ts
index 751dae951a8..372d5e26ed3 100644
--- a/api/src/server.test.ts
+++ b/api/src/server.test.ts
@@ -62,7 +62,7 @@ describe('server', () => {
 const res = await superRequest('/', { method: 'GET' });
 expect(res.headers).toMatchObject({
 'access-control-allow-headers':
- 'Origin, X-Requested-With, Content-Type, Accept, Csrf-Token',
+ 'Origin, X-Requested-With, Content-Type, Accept, Csrf-Token, Coderoad-User-Token, Exam-Environment-Authorization-Token',
 'access-control-allow-credentials': 'true',
 'access-control-allow-methods': 'GET, PUT, POST, DELETE'
 });
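Review bot: The two token-carrying headers are added to the one `Access-Control-Allow-Headers` value in cors.ts, set in the same chain as `Access-Control-Allow-Credentials: true`, so as far as the hunk shows they become acceptable cross-origin on every response the plugin decorates, not only on the endpoints that read them. How `Access-Control-Allow-Origin` is chosen is outside the hunk (the plugin body starts and ends beyond it); since the header names suggest auth tokens, it is worth confirming that the origin is matched against a fixed allow-list and never reflected from the request. I would record that next to the list, in the style of the methods comment below it: `// Coderoad-User-Token and Exam-Environment-Authorization-Token carry auth tokens; only allow-listed origins may send them`. The matching assertion in server.test.ts pins the same string on `GET /` only, so it would not catch a regression in the origin check.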