diff --git a/server/server.go b/server/server.go
index 29acb502..1cde55f2 100644
--- a/server/server.go
+++ b/server/server.go
@@ -62,6 +62,8 @@ func NewServer(ctx context.Context, profile *profile.Profile, store *store.Store
 		AllowMethods: []string{http.MethodGet, http.MethodHead, http.MethodPut, http.MethodPatch, http.MethodPost, http.MethodDelete},
 	}))
 
+	e.Use(CORSMiddleware())
+
 	e.Use(middleware.TimeoutWithConfig(middleware.TimeoutConfig{
 		Skipper: timeoutSkipper,
 		Timeout: 30 * time.Second,
@@ -184,3 +186,31 @@ func timeoutSkipper(c echo.Context) bool {
 	// Skip timeout for blob upload which is frequently timed out.
 	return c.Request().Method == http.MethodPost && c.Request().URL.Path == "/api/v1/resource/blob"
 }
+
+func CORSMiddleware() echo.MiddlewareFunc {
+	return func(next echo.HandlerFunc) echo.HandlerFunc {
+		return func(c echo.Context) error {
+			if grpcRequestSkipper(c) {
+				return next(c)
+			}
+
+			r := c.Request()
+			w := c.Response().Writer
+
+			w.Header().Set("Access-Control-Allow-Origin", r.Header.Get("Origin"))
+			w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
+			w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
+			w.Header().Set("Access-Control-Allow-Credentials", "true")
+
+			// If it's preflight request, return immediately.
+			if r.Method == "OPTIONS" {
+				w.WriteHeader(http.StatusOK)
+				return nil
+			}
+
+			// Continue processing request.
+			next(c)
+			return nil
+		}
+	}
+}
diff --git a/web/src/grpcweb.ts b/web/src/grpcweb.ts
index 5854b25a..a42ebab9 100644
--- a/web/src/grpcweb.ts
+++ b/web/src/grpcweb.ts
@@ -10,7 +10,7 @@ import { WebhookServiceDefinition } from "./types/proto/api/v2/webhook_service";
 import { WorkspaceServiceDefinition } from "./types/proto/api/v2/workspace_service";
 
 const channel = createChannel(
-  window.location.origin,
+  import.meta.env.VITE_API_BASE_URL || window.location.origin,
   FetchTransport({
     credentials: "include",
   }),
diff --git a/web/src/helpers/api.ts b/web/src/helpers/api.ts
index 6fa1bf85..0d6a26a7 100644
--- a/web/src/helpers/api.ts
+++ b/web/src/helpers/api.ts
@@ -1,6 +1,9 @@
 import axios from "axios";
 import { Resource } from "@/types/proto/api/v2/resource_service";
 
+axios.defaults.baseURL = import.meta.env.VITE_API_BASE_URL || window.location.origin;
+axios.defaults.withCredentials = true;
+
 export function getSystemStatus() {
   return axios.get<SystemStatus>("/api/v1/status");
 }