Kraken root https://api.twitch.tv/kraken/ returns 400 bad request for OPTIONS, which is sent as part of a cross-origin XHR breaking CORS on the endpoint entirely. This breaks getting the username of a user without user_read in a web application, unless jsonp is used.
Edit: only happens when Client-ID is sent via header.