diff --git a/rivetkit-typescript/packages/rivetkit/src/common/actor-router-consts.ts b/rivetkit-typescript/packages/rivetkit/src/common/actor-router-consts.ts
index 4ad7a783b7..46540a6e71 100644
--- a/rivetkit-typescript/packages/rivetkit/src/common/actor-router-consts.ts
+++ b/rivetkit-typescript/packages/rivetkit/src/common/actor-router-consts.ts
@@ -46,6 +46,7 @@ export const WS_TEST_PROTOCOL_PATH = "test_path.";
 * Used for CORS.
 **/
 export const ALLOWED_PUBLIC_HEADERS = [
+ "Authorization",
 "Content-Type",
 "User-Agent",
 HEADER_ACTOR_QUERY,
diff --git a/rivetkit-typescript/packages/rivetkit/src/common/cors.ts b/rivetkit-typescript/packages/rivetkit/src/common/cors.ts
index 3b63012fcc..2300f1fb18 100644
--- a/rivetkit-typescript/packages/rivetkit/src/common/cors.ts
+++ b/rivetkit-typescript/packages/rivetkit/src/common/cors.ts
@@ -1,4 +1,7 @@
 import type { MiddlewareHandler } from "hono";
+import { ALLOWED_PUBLIC_HEADERS } from "@/common/actor-router-consts";
+
+const DEFAULT_ALLOWED_HEADERS = ALLOWED_PUBLIC_HEADERS.join(", ");
 
 /**
 * Simple CORS middleware that matches the gateway behavior.
@@ -18,7 +21,8 @@ export const cors = (): MiddlewareHandler => {
 // Handle preflight OPTIONS request
 if (c.req.method === "OPTIONS") {
 const requestHeaders =
- c.req.header("access-control-request-headers") || "*";
+ c.req.header("access-control-request-headers") ??
+ DEFAULT_ALLOWED_HEADERS;
 
 c.header("access-control-allow-origin", origin);
 c.header("access-control-allow-credentials", "true");
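Review bot: The new `"Authorization"` entry in `ALLOWED_PUBLIC_HEADERS` carries no comment saying why it has to be listed by name, and the list's doc comment (which starts above the hunk) only says "Used for CORS". A one-line comment such as `// Listed explicitly: the "*" wildcard in Access-Control-Allow-Headers never covers Authorization` would record the reason for the next maintainer. It is also worth confirming that nothing besides the CORS fallback consumes this constant, for example a header-forwarding filter, because any such consumer would now treat bearer credentials as a public header; that cannot be checked from this hunk.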
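Review bot: The allowlist is consulted only when the preflight omits `access-control-request-headers`; when the browser sends that header, `requestHeaders` still holds the caller's own list, and the visible lines pair it with `access-control-allow-credentials: true`. If that value is echoed into `access-control-allow-headers` further down (the rest of the handler, and how `origin` is derived, lie outside the hunk), a caller can still have arbitrary request headers approved on credentialed requests, so the new constant does not bound anything in the common case. Intersecting the requested names with `ALLOWED_PUBLIC_HEADERS`, compared case-insensitively, would make the list authoritative; if the echo is deliberate to match the gateway, a comment saying so would help. Note also that `??` now lets an empty header value through where `||` replaced it with the fallback.

```typescript
const allowedHeaderNames = new Set(
	ALLOWED_PUBLIC_HEADERS.map((name) => name.toLowerCase()),
);
// … unchanged: preflight OPTIONS check …
const requestedHeaders = c.req.header("access-control-request-headers");
const requestHeaders = requestedHeaders
	? requestedHeaders
			.split(",")
			.map((name) => name.trim())
			.filter((name) => allowedHeaderNames.has(name.toLowerCase()))
			.join(", ")
	: DEFAULT_ALLOWED_HEADERS;
// … unchanged: allow-origin / allow-credentials headers …
```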