CORS is not required when the api domain is the same as the website domain (as is usually the case in a nextjs app). But in your case, the api domain is

https://blah-blah.execute-api.blah-blah.amazonaws.com

, and the website domain (during dev) is

http://localhost:3000

. So you need to deal with CORS.