diff --git a/packages/relayer/src/app.ts b/packages/relayer/src/app.ts
index 4cb4af9..ace1d9e 100644
--- a/packages/relayer/src/app.ts
+++ b/packages/relayer/src/app.ts
@@ -7,7 +7,7 @@ import {
   notFoundMiddleware,
 } from "./middlewares/index.js";
 import { relayerRouter } from "./routes/index.js";
-import { CONFIG } from "./config/index.js";
+import { CONFIG, CORS_ALLOW_ALL, ALLOWED_DOMAINS } from "./config/index.js";
 
 // Initialize the express app
 const app = express();
@@ -15,16 +15,25 @@ const app = express();
 // Middleware functions
 const parseJsonMiddleware = bodyParser.json();
 
-// CORS config
+// CORS config - allow all origins by default for development and testnet
+const isTestnetRelayer = process.env.NODE_ENV === 'production' && 
+  (process.env.RELAYER_HOST === 'testnet-relayer.privacypools.com' || 
+   process.env.HOST === 'testnet-relayer.privacypools.com');
+
+const shouldAllowAll = CORS_ALLOW_ALL || isTestnetRelayer;
+
 const corsOptions = {
-  origin: CONFIG.cors_allow_all ? '*' : function (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) {
-    if (!origin || CONFIG.allowed_domains.indexOf(origin) !== -1) {
+  origin: shouldAllowAll ? '*' : function (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) {
+    // Allow requests without origin (like mobile apps) or from allowed domains
+    if (!origin || ALLOWED_DOMAINS.indexOf(origin) !== -1) {
       callback(null, true);
     } else {
-      console.log(`Request blocked by CORS middleware: ${origin}. Allowed domains: ${CONFIG.allowed_domains}`);
+      console.log(`Request blocked by CORS middleware: ${origin}. Allowed domains: ${ALLOWED_DOMAINS}`);
       callback(new Error("Not allowed by CORS"));
     }
   },
+  credentials: true,
+  optionsSuccessStatus: 200
 };
 
 
diff --git a/packages/relayer/src/config/schemas.ts b/packages/relayer/src/config/schemas.ts
index 0abeebb..37b6e6e 100644
--- a/packages/relayer/src/config/schemas.ts
+++ b/packages/relayer/src/config/schemas.ts
@@ -64,8 +64,8 @@ export const zChainConfig = z.object({
 // Common configuration schema
 export const zCommonConfig = z.object({
   sqlite_db_path: z.string().transform((p) => path.resolve(p)),
-  cors_allow_all: z.boolean().default(false),
-  allowed_domains: z.array(z.string().url()),
+  cors_allow_all: z.boolean().default(true),
+  allowed_domains: z.array(z.string().url()).default(["https://testnet.privacypools.com, https://prod-privacy-pool-ui.vercel.app, https://staging-privacy-pool-ui.vercel.app, https://dev-privacy-pool-ui.vercel.app, http://localhost:3000"]),
 });
 
 // Default configuration schema