Calls POST /patient/softwareintegration with
X-API-Key, then loads the returned
path (${uiUrl}/session_id?id=…&token=…) in an
iframe with camera and microphone permission for recording.
OPTIONS 405 on API Gateway: Browsers send a CORS preflight
(OPTIONS) before POST. Many Google Cloud API Gateway
routes only allow POST, so preflight returns
405 Method Not Allowed and the real request never runs. Fix the
gateway (enable CORS / allow OPTIONS on this path), or use
same-origin dev proxy below so calls go to Express directly.