diff --git a/src/docs/src/KV.md b/src/docs/src/KV.md
index 9d0e885d37..32aa6d18ed 100644
--- a/src/docs/src/KV.md
+++ b/src/docs/src/KV.md
@@ -9,6 +9,8 @@ It supports various operations such as set, get, delete, list keys, increment an
Puter.js handles all the infrastructure for you, so you don't need to set up servers, handle scaling, or manage backups. And thanks to the [User-Pays Model](/user-pays-model/), you don't have to worry about storage, read, or write costs, as users of your application cover their own usage.
+
diff --git a/src/docs/src/Workers.md b/src/docs/src/Workers.md
index 4300e6388c..707aa60876 100644
--- a/src/docs/src/Workers.md
+++ b/src/docs/src/Workers.md
@@ -5,9 +5,11 @@ description: Run and manage serverless JavaScript funcitons in the cloud.
Serverless Workers are serverless functions that run JavaScript code in the cloud.
+Workers run server-side, which makes them a good fit for centralized application data and backend logic. See [Integration with Puter.js](/Workers/router/#integration-with-puterjs) for how worker code accesses Puter resources.
+
## Router
-Workers use a router-based system to handle HTTP requests and can integrate with Puter's cloud services like file storage, key-value databases, and AI APIs. Workers are perfect for building backend services, REST APIs, webhooks, and data processing pipelines.
+Workers use a router-based system to handle HTTP requests and can integrate with Puter's cloud services like file storage, key-value databases, and AI APIs. Workers are perfect for building backend services, REST APIs, webhooks, shared data stores, and data processing pipelines.
### Examples
diff --git a/src/docs/src/Workers/router.md b/src/docs/src/Workers/router.md
index 455d3616e9..fc99079051 100644
--- a/src/docs/src/Workers/router.md
+++ b/src/docs/src/Workers/router.md
@@ -99,7 +99,7 @@ router.options("/*path", async () => {
headers: {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS",
- "Access-Control-Allow-Headers": "Content-Type, Authorization",
+ "Access-Control-Allow-Headers": "Content-Type, Authorization, puter-auth",
},
});
});
@@ -107,6 +107,8 @@ router.options("/*path", async () => {
This answers the preflight for any path with the CORS headers the browser expects, so your other routes work cross-origin.
+
The
puter-auth header is important: when you call your worker with
puter.workers.exec(), it attaches the user's Puter token in a
puter-auth header so the worker can act on the calling user's behalf (this is what populates
user.puter). Because that's a custom header, the browser runs a preflight first — so
puter-auth must be listed in
Access-Control-Allow-Headers, otherwise the preflight fails and the request never reaches your worker.
+
If you need different CORS rules per endpoint — for example, restricting the allowed methods or headers on a specific route — define an `OPTIONS` handler on that individual path instead of using the wildcard.
## Examples
diff --git a/src/docs/src/security.md b/src/docs/src/security.md
index aa3b379e82..d88068ff72 100755
--- a/src/docs/src/security.md
+++ b/src/docs/src/security.md
@@ -28,6 +28,8 @@ Once the user has been authenticated, your app will get a few things by default:
Apps are sandboxed by default! Apps are not able to access any files, directories, or data outside of their own directory and key-value store within a user's account. This is to ensure that apps can't access any data or resources that they shouldn't have access to.
+
Need to share data across users? Because each user's storage lives in their own account, one user can't see another's data. To keep a single, centralized store that every user reads from and writes to, use a
Serverless Worker — its code can act on the worker owner's resources, giving all users one shared backend.
+
Your app will also be able to use the following services by default:
- **AI**: Your app will be able to use the AI services provided by Puter.com. This includes chat, txt2img, img2txt, and more.