I built an API for an invoice app that's not live yet. The app was to sit on example.com and the API on api.example.com, and API calls were to be made with JavaScript. JavaScript has the

The policy permits scripts running on pages originating from the same site – a combination of scheme, hostname, and port number[1] – to access each other’s DOM with no specific restrictions, but prevents access to DOM on different sites

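Basically, what that means is that your app's JavaScript can't, by default, talk to your API unless both are on the same origin (scheme, hostname, and port). example.com and api.example.com differ in hostname, so they count as different. So the solution, if you are using nginx, is below (proxy_pass):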

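    location /api/ {
        # Strip the /api prefix so /api/users reaches the upstream as /users
        rewrite ^/api/(.*)$ /$1 break;
        proxy_pass http://api.example.com;
        proxy_redirect off;
        # The upstream sees the Host header the browser sent (example.com)
        proxy_set_header Host $host;
        # Appends the client IP to any X-Forwarded-For value the client sent
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }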

So now instead of a call to api.example.com/users you make a call to example.com/api/users.
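
The origin comparison and the URL mapping described above, as an added example that is not code from the original post. The `http` scheme for both hosts and the helper names `sameOrigin`, `toProxiedUrl` and `upstreamPath` are assumptions made for illustration.

```javascript
// Added example. APP_ORIGIN's scheme is an assumption; API_ORIGIN matches the proxy_pass line.
const APP_ORIGIN = "http://example.com";      // where the page is served
const API_ORIGIN = "http://api.example.com";  // upstream behind the proxy

// Same-origin test as the policy defines it: scheme + hostname + port.
// The URL parser drops default ports, so they are filled back in before comparing.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  const port = (u) => u.port || (u.protocol === "https:" ? "443" : "80");
  return ua.protocol === ub.protocol &&
         ua.hostname === ub.hostname &&
         port(ua) === port(ub);
}

// Turn a direct API URL into the proxied form the page should call instead,
// e.g. api.example.com/users -> example.com/api/users.
function toProxiedUrl(apiUrl) {
  const u = new URL(apiUrl);
  if (!sameOrigin(u.href, API_ORIGIN)) {
    throw new Error("not an API URL: " + apiUrl);
  }
  return APP_ORIGIN + "/api" + u.pathname + u.search;
}

// Model of what the proxy rule is meant to do: strip the /api prefix before
// forwarding. Returns null for paths that only share the prefix text (/apiary).
function upstreamPath(requestPath) {
  const m = /^\/api(\/.*)?$/.exec(requestPath);
  return m ? (m[1] || "/") : null;
}

// Constructed sample calls:
console.log(sameOrigin("http://example.com/app", "http://api.example.com/users"));
console.log(toProxiedUrl("http://api.example.com/users?page=2"));
console.log(upstreamPath("/api/users"));
```

The first call shows why the browser treats the direct API request as cross-origin, and the second gives the URL that stays on the page's own origin.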