diff --git a/public/api-proxy.php b/public/api-proxy.php
new file mode 100644
index 0000000..8e465e5
--- /dev/null
+++ b/public/api-proxy.php
@@ -0,0 +1,98 @@
+<?php
+declare(strict_types=1);
+require_once __DIR__ . '/../src/Calco2ApiClient.php';
+
+// --- Basic CORS (adjust origin to your site/domain) ---
+$origin = $_SERVER['HTTP_ORIGIN'] ?? '';
+$allowedOrigin = preg_match('#^https://(www\.)?your-frontend\.example$#', $origin) ? $origin : '';
+if ($allowedOrigin) {
+    header('Access-Control-Allow-Origin: ' . $allowedOrigin);
+    header('Vary: Origin');
+    header('Access-Control-Allow-Credentials: true');
+}
+header('Access-Control-Allow-Headers: Content-Type');
+header('Access-Control-Allow-Methods: GET, POST, OPTIONS');
+
+// Handle preflight
+if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
+    http_response_code(204);
+    exit;
+}
+
+// --- Rate limit (very simple, per IP). Replace with Redis if needed. ---
+session_start();
+$ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
+$bucket = $_SESSION['ratelimit'][$ip] ?? ['count' => 0, 'start' => time()];
+if (time() - $bucket['start'] > 60) { // 60-second window
+    $bucket = ['count' => 0, 'start' => time()];
+}
+$bucket['count']++;
+$_SESSION['ratelimit'][$ip] = $bucket;
+if ($bucket['count'] > 120) { // 120 requests/min/IP
+    http_response_code(429);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Too Many Requests']);
+    exit;
+}
+
+// --- Instantiate API client ---
+$base = getenv('CALCO2_API_BASE') ?: 'https://api.calco2la.to';
+$key  = getenv('CALCO2_API_KEY') ?: '';
+if (!$key) {
+    http_response_code(500);
+    header('Content-Type: application/json');
+    echo json_encode(['error' => 'Server misconfiguration: missing API key']);
+    exit;
+}
+$client = new Calco2ApiClient($base, $key);
+
+// --- Whitelist router ---
+$input = json_decode(file_get_contents('php://input') ?: '[]', true) ?: [];
+$endpoint = $_GET['endpoint'] ?? $input['endpoint'] ?? '';
+$method   = $_SERVER['REQUEST_METHOD'];
+
+header('Content-Type: application/json; charset=utf-8');
+
+try {
+    switch ($endpoint) {
+        case 'airports.search':
+            // GET /?endpoint=airports.search&q=FRA&limit=10
+            $q     = $_GET['q'] ?? '';
+            $limit = isset($_GET['limit']) ? (int)$_GET['limit'] : 20;
+            $offset= isset($_GET['offset']) ? (int)$_GET['offset'] : 0;
+            $data  = $client->searchAirports($q, $limit, $offset);
+            echo json_encode($data);
+            break;
+
+        case 'airports.get':
+            // GET /?endpoint=airports.get&code=FRA
+            $code = $_GET['code'] ?? '';
+            if ($code === '') throw new InvalidArgumentException('Missing airport code');
+            $data = $client->getAirport($code);
+            echo json_encode($data);
+            break;
+
+        case 'flights.estimate':
+            // POST with JSON body: { endpoint: "flights.estimate", params: {...} }
+            if ($method !== 'POST') throw new RuntimeException('Use POST');
+            $params = $input['params'] ?? [];
+            $data = $client->flightEstimate($params);
+            echo json_encode($data);
+            break;
+
+        case 'flights.get':
+            // GET /?endpoint=flights.get&id=abc123
+            $id = $_GET['id'] ?? '';
+            if ($id === '') throw new InvalidArgumentException('Missing flight id');
+            $data = $client->getFlightById($id);
+            echo json_encode($data);
+            break;
+
+        default:
+            http_response_code(404);
+            echo json_encode(['error' => 'Unknown or unsupported endpoint']);
+    }
+} catch (Throwable $e) {
+    http_response_code(400);
+    echo json_encode(['error' => $e->getMessage()]);
+}