Question
Fujitsu
JP
Posted: Jun 21, 2023
Last activity: 21 Jun 2023 7:21 EDT
Closed
Is it possible to branch Cross Origin Resource Sharing?
We communicated between the newly added client server and our system using the REST API. Since I am using a browser, a preflight request was sent from the client server to my system. An error occurred because the api-key header is not allowed in the cross-origin settings. From the error content of PegaRules.log, I found that the cross-origin setting is done with AllowAllOrigins. I would like to add "api-key" to the Allowed methods of AllowAllOrigins and set the domain of the client server to AllowedOrigin from a security point of view.
However, there is a function to authenticate with OpenID Connect separately from the REST API, and the preflight request is also sent with OpenID Connect. Since it is unknown from which domain the OpenID Connect request will be made, no domain is set in AllowedOrigin.
Therefore, I would like to separate the cross-origin settings for OpenID Connect and REST API. Is it possible? The conditions for branching the cross-origin setting are as follows.
・In the case of OpenID Connect, only the GUI server is accessed, and in the case of REST API, only the REST server is accessed, so branch the cross-origin settings for each server.
・Because the URL of OpenID Connect and the URL of REST API are different, branch the cross-origin setting for each URL.
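A generic illustration of the per-URL branching asked about above, added here and not taken from the post or from Pega: it selects a CORS policy by request path and evaluates a preflight request against it. The path prefixes, the origin `https://client.example`, the header lists and the function names are assumptions made for the example.

```javascript
// Constructed per-path CORS policies (placeholders, not Pega configuration).
// REST endpoints: one known origin, api-key header permitted.
// OpenID Connect endpoints: any origin, but no api-key header.
const POLICIES = [
  { prefix: "/api/", origins: ["https://client.example"],
    methods: ["GET", "POST"], headers: ["api-key", "content-type"] },
  { prefix: "/oidc/", origins: ["*"],
    methods: ["GET", "POST"], headers: ["authorization", "content-type"] },
];

// Pick the policy with the longest matching path prefix, or null if none.
function selectPolicy(path) {
  const matches = POLICIES.filter((p) => path.startsWith(p.prefix));
  matches.sort((a, b) => b.prefix.length - a.prefix.length);
  return matches[0] || null;
}

// Evaluate a preflight (OPTIONS) request described by its path, Origin,
// Access-Control-Request-Method and Access-Control-Request-Headers values.
function evaluatePreflight({ path, origin, method, requestHeaders }) {
  const policy = selectPolicy(path);
  if (!policy) return { allowed: false, reason: "no CORS policy for path" };

  const anyOrigin = policy.origins.includes("*");
  if (!anyOrigin && !policy.origins.includes(origin)) {
    return { allowed: false, reason: "origin not allowed" };
  }
  if (!policy.methods.includes(String(method).toUpperCase())) {
    return { allowed: false, reason: "method not allowed" };
  }
  // Header names are case-insensitive and arrive as a comma-separated list.
  const asked = String(requestHeaders || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const denied = asked.filter((h) => !policy.headers.includes(h));
  if (denied.length > 0) {
    return { allowed: false, reason: "header not allowed: " + denied.join(", ") };
  }
  return {
    allowed: true,
    headers: {
      "Access-Control-Allow-Origin": anyOrigin ? "*" : origin,
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      "Access-Control-Allow-Headers": policy.headers.join(", "),
      "Vary": "Origin",
    },
  };
}
```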