Here are a few common reasons why this would occur:
You don’t have a static IP address. Please ask your server provider how to acquire or set a static IP in your environment if you are not sure.
You are not passing in a correct Bearer JWT token in the Authorization header. If you do not properly authorize, you may see a CORS error in the console.
You are calling our APIs client-side and not server-side. If you inspect the page in the developer console of your browser and can see the authentication headers and API calls in the network tab, then the client/browser is making the calls. Not only is this a security risk to expose credentials, user authentication, passwords, and API calls, but you also would need all visitors to the app to have their IPs whitelisted, since calls will be forwarded from their networks.