If you see a CORS error: Keep this page static, but add a tiny server-side proxy on your domain.
If your hosting supports PHP, create /vin/proxy.php with the snippet below and this page will automatically use it.
<?php
// /vin/proxy.php?vin=XXXXXXXXXXXXXXX
header('Content-Type: application/json; charset=utf-8');
header('Access-Control-Allow-Origin: *');
$vin = isset($_GET['vin']) ? strtoupper(preg_replace('/[^A-Z0-9]/', '', $_GET['vin'])) : '';
if (strlen($vin) !== 17) {
http_response_code(400);
echo json_encode(['error' => 'VIN must be 17 characters.']);
exit;
}
$url = "https://vpic.nhtsa.dot.gov/api/vehicles/DecodeVinValuesExtended/{$vin}?format=json";
echo file_get_contents($url);
?>
No PHP? Same idea works with a Netlify/Vercel function or a Cloudflare Worker.