update

apps/api/src/main.ts

@@ -15,14 +15,16 @@ async function bootstrap() {
   // Security
   app.use(helmet());
 
-  // CORS (веб на 3080)
+  // CORS — allow the web frontend origin (from NEXT_PUBLIC_APP_URL) + localhost for dev
+  const appUrl = configService.get('NEXT_PUBLIC_APP_URL');
   const allowedOrigins = [
-    configService.get('NEXT_PUBLIC_APP_URL'),
-    'http://localhost:3080',
-    'http://localhost:3000',
-  ].filter(Boolean) as string[];
+    ...new Set(
+      [appUrl, 'http://localhost:3080', 'http://localhost:3000'].filter(Boolean) as string[],
+    ),
+  ];
+  console.log('CORS allowed origins:', allowedOrigins);
   app.enableCors({
-    origin: allowedOrigins.length ? allowedOrigins : 'http://localhost:3080',
+    origin: allowedOrigins,
     credentials: true,
   });