Adding non-simple headers (e.g. X-Token) makes the browser send a preflight OPTIONS before the actual request. Only these request headers are considered simple: Accept, Accept-Language, Content-Language, Content-Type (with restrictions), DPR, Downlink, Save-Data, Viewport-Width, Width.

config.headers['X-Token'] = getToken(); // triggers preflight

Remove custom header or configure server CORS to handle OPTIONS.