If you look at the Getting Started > Get Access section of our API Documentation, you will notice an Allowed Domains text field. This is here because in order to use client-side secure tokens, you must whitelist any websites where you will be originating requests to our API in order to ensure there are no CORS errors.
You should list your domain(s) as follows: *.yourdomain.com, *.yourdomain2.com. This ensures that www and non-www subdomains are whitelisted.