The error means the server is returning an invalid or malformed Access-Control-Allow-Headers value in the OPTIONS (preflight) response.
Even a small issue like a trailing comma, duplicate header, or empty value will cause the browser to reject it.
What to check:
Inspect the failing OPTIONS response in DevTools and compare with Dev.
Look for:
✔ trailing commas
✔ blank header values
✔ duplicated Access-Control-Allow-Headers
✔ different headers added by WSO2 / Okta / Apache
It’s almost always a formatting issue in the CORS headers on that environment.