docs: clarify browser completion pattern and CORS for wait tokens

isshaddad · isshaddad · commit cc792fd808b1 · 2026-04-09T11:03:43.000-04:00
diff --git a/docs/wait-for-token.mdx b/docs/wait-for-token.mdx
@@ -8,7 +8,10 @@ Waitpoint tokens pause task runs until you complete the token. They're commonly
 You can complete a token using the SDK or by making a POST request to the token's URL.
 
 <Note>
-  If you're waiting for data from an [input stream](/tasks/streams#input-streams), use [`inputStream.wait()`](/tasks/streams#wait--suspend-until-data-arrives) instead — it uses waitpoint tokens internally but provides a simpler API with full type safety from your stream definition.
+  If you're waiting for data from an [input stream](/tasks/streams#input-streams), use
+  [`inputStream.wait()`](/tasks/streams#wait--suspend-until-data-arrives) instead — it uses
+  waitpoint tokens internally but provides a simpler API with full type safety from your stream
+  definition.
 </Note>
 
 ## Usage
@@ -54,6 +57,38 @@ await wait.completeToken<ApprovalToken>(tokenId, {
 });
 ```
 
+## Completing from the browser
+
+The `publicAccessToken` returned by `wait.createToken()` is scoped to that specific waitpoint and intended for client-side completion. The completion endpoint has CORS enabled, so you can call it directly from client-side code without proxying through your backend.
+
+<Steps>
+  <Step title="Create the token in your backend">
+    ```ts
+    const token = await wait.createToken({ timeout: "10m" });
+    // Pass token.id and token.publicAccessToken to your frontend
+    ```
+  </Step>
+  <Step title="Complete the token from the browser">
+    ```ts
+    await fetch(`https://api.trigger.dev/api/v1/waitpoints/tokens/${tokenId}/complete`, {
+      method: "POST",
+      headers: {
+        "Authorization": `Bearer ${publicAccessToken}`,
+        "Content-Type": "application/json",
+      },
+      body: JSON.stringify({ data: { status: "approved" } }),
+    });
+    ```
+  </Step>
+</Steps>
+
+<Warning>
+  The `token.url` (webhook callback URL) is designed for server-to-server use and does **not** have
+  CORS headers. Don't call it from the browser — use the pattern above instead.
+</Warning>
+
+## Completing via webhook callback
+
 Or you can make an HTTP POST request to the `url` it returns. This is an HTTP callback:
 
 ```ts
