The API supports Cross Origin Resource Sharing (CORS) for AJAX requests. You can read the CORS W3C working draft, or this intro from the HTML 5 Security Guide.
Here's a sample request sent from a browser hitting http://example.org:
    curl https://api.zenginehq.com/v1/workspaces -H "Origin: http://example.org"

    Origin: http://example.org
    Access-Control-Request-Headers: X-Custom-Header
At present, all domains are accepted. OPTIONS preflight requests and their subsequent full requests respond with the following headers:
    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
    Access-Control-Allow-Headers: X-Custom-Header
Note that in the near future, the allowed origins will be limited to those registered with us as third-party applications.
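One way a server could apply the registered-origin restriction described above, answering with the exact requesting origin instead of the * wildcard. This is an added example, not Zengine's implementation: REGISTERED_ORIGINS, normalizeOrigin and corsHeaders are hypothetical names, and the origins are constructed sample values.

```javascript
// Added example, not Zengine's code. Origins below are constructed sample values.
const REGISTERED_ORIGINS = new Set(["http://example.org", "https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE", "OPTIONS"];
const ALLOWED_HEADERS = ["x-custom-header"]; // compared case-insensitively

// Reduce an Origin header to scheme://host[:port]; null if it is not a plain origin.
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  try {
    const u = new URL(value);
    // A real Origin header has no credentials, path, query or fragment.
    if (u.username || u.password || u.pathname !== "/" || u.search || u.hash) return null;
    return u.origin; // "null" for opaque origins, which never matches the set
  } catch {
    return null;
  }
}

// Return the CORS response headers for one request (header names lower-cased).
function corsHeaders(method, reqHeaders) {
  // The response depends on Origin either way, so caches must key on it.
  const denied = { Vary: "Origin" };
  const origin = normalizeOrigin(reqHeaders["origin"]);
  // Exact match against the registry: no prefix, suffix or regex matching.
  if (origin === null || !REGISTERED_ORIGINS.has(origin)) return denied;
  const out = { Vary: "Origin", "Access-Control-Allow-Origin": origin };
  const wantMethod = reqHeaders["access-control-request-method"];
  if (method !== "OPTIONS" || wantMethod === undefined) return out; // not a preflight
  const wantHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.includes(wantMethod)) return denied;
  if (!wantHeaders.every((h) => ALLOWED_HEADERS.includes(h))) return denied;
  out["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  out["Access-Control-Allow-Headers"] = "X-Custom-Header";
  return out;
}

// Constructed preflight mirroring the sample request on this page.
console.log(corsHeaders("OPTIONS", {
  origin: "http://example.org",
  "access-control-request-method": "PUT",
  "access-control-request-headers": "X-Custom-Header",
}));
```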