diff --git a/.changeset/cors-authorization-header.md b/.changeset/cors-authorization-header.md
new file mode 100644
index 00000000..329743c8
--- /dev/null
+++ b/.changeset/cors-authorization-header.md
@@ -0,0 +1,7 @@
+---
+"@getcirrus/pds": patch
+---
+
+Be explicit with CORS headers so browser-based authenticated XRPC calls work (particularly PDS Moover).
+
+The CORS middleware advertised `Access-Control-Allow-Headers: *`, but this didn't cover the `Authorization` header needed by tools like PDS Moover. As a result, authed cross-origin requests from web clients (eg. PDS Moover's `com.pdsmoover.backup.getRepoStatus`) were blocked at preflight. This is now resolved; all headers are reflected back, just like the Bluesky implementation.
diff --git a/packages/pds/src/index.ts b/packages/pds/src/index.ts
index afebf08b..8b947bcf 100644
--- a/packages/pds/src/index.ts
+++ b/packages/pds/src/index.ts
@@ -84,7 +84,12 @@ app.use(
 cors({
 origin: "*",
 allowMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
- allowHeaders: ["*"],
+ // Omit allowHeaders: Hono reflects the browser's
+ // Access-Control-Request-Headers back, matching the reference
+ // atproto PDS (`cors({ maxAge })`). This allows Authorization
+ // (a `*` wildcard wouldn't), DPoP, atproto-proxy,
+ // atproto-accept-labelers, accept-language, x-bsky-topics and
+ // any future header automatically.
 exposeHeaders: ["Content-Type"],
 maxAge: 86400,
 }),
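Review bot: The fix in packages/pds/src/index.ts is carried entirely by the six-line comment that replaces `allowHeaders: ["*"]`; nothing in the commit pins the reflection behaviour, so a Hono upgrade that changes its default, or someone re-adding an explicit `allowHeaders`, would silently bring back the preflight failure the changeset describes. Add a regression test that sends an `OPTIONS` request with `Origin` and `Access-Control-Request-Headers: authorization, dpop` and asserts that `Access-Control-Allow-Headers` echoes both names, and also that the response carries `Vary: Access-Control-Request-Headers`, since with `maxAge: 86400` a shared cache could otherwise hand one client's preflight answer to another client requesting a different header set (I believe Hono appends that Vary when it reflects, but it is worth asserting rather than assuming). It would also help to give the security framing one line in the comment so the next reader does not mistake reflection for a loosening: `// Reflecting request headers does not widen exposure: origin is "*" and credentials are not enabled, so only headers the caller itself sends are allowed.`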