CORS (Cross-Origin Resource Sharing) is the browser security model that gates which origins can read responses from cross-origin XHR / fetch requests. By default the browser blocks reading the response body of a request to a different origin; CORS provides the opt-in via response headers from the cross-origin server.
Key headers: Access-Control-Allow-Origin (which origins can read; * for public APIs, an explicit origin for credential-bearing endpoints), Access-Control-Allow-Methods (which HTTP methods), Access-Control-Allow-Headers (which custom request headers), and Access-Control-Allow-Credentials: true (whether cookies/Authorization headers are forwarded -- requires a specific origin, not *).
Browsers send a "preflight" OPTIONS request before any non-simple cross-origin request to check the policy. CORS only affects what JavaScript in the browser can read -- it's not server-side authorisation, so the server must still authenticate and authorise each request it receives. A CORS misconfiguration is not the same as an open API.
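The header rules above, as an added example (not code from the original page): a server-side function that builds CORS response headers from an explicit origin allowlist and answers preflight requests. POLICY, its origins and corsHeaders() are hypothetical names, and the request objects are assumed to carry lower-cased header names as Node's http module provides them.

```javascript
// Hypothetical policy for illustration; the origins are constructed sample values.
const POLICY = {
  origins: new Set(["https://app.example.com", "https://admin.example.com"]),
  methods: ["GET", "POST", "PUT"],
  headers: ["content-type", "x-request-id"],
  credentials: true, // credentialed endpoints need a specific origin, never *
};

function corsHeaders(req, policy = POLICY) {
  // Vary: Origin stops a shared cache serving one origin's answer to another.
  const out = { Vary: "Origin" };
  const origin = req.headers["origin"];
  // Exact match against the allowlist. An unlisted Origin is never echoed
  // back; with no Allow-Origin header the browser withholds the response.
  if (!origin || !policy.origins.has(origin)) return out;

  out["Access-Control-Allow-Origin"] = origin;
  if (policy.credentials) out["Access-Control-Allow-Credentials"] = "true";

  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const wantMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && wantMethod) {
    const wantHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    const permitted =
      policy.methods.includes(wantMethod) &&
      wantHeaders.every((h) => policy.headers.includes(h));
    // Failing the preflight: send no allow headers at all.
    if (!permitted) return { Vary: "Origin" };
    out["Access-Control-Allow-Methods"] = policy.methods.join(", ");
    out["Access-Control-Allow-Headers"] = policy.headers.join(", ");
  }
  // These headers only tell the browser what page scripts may read.
  // Authentication and authorisation of the request happen elsewhere.
  return out;
}

// Constructed sample request: a preflight from an allowlisted origin.
console.log(corsHeaders({
  method: "OPTIONS",
  headers: {
    origin: "https://app.example.com",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "Content-Type",
  },
}));
```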