I had that issue so I am running a server on
cloudfare workers that is acting like a proxy. My app sends a GET request and the worker sends back the result from OC transpo with No API keys in the url & And it sends it back with the correct CORS header (
strict-origin-when-cross-origin) The free teir is close (If not the same) as OC's API restrictions (ex: Daily call limit).