Aug 16, 2017
Same Origin Policy woes :(
I am building an eCommerce app that builds HTML elements into a shop owner's online store. These elements will have data that comes from my app's API. I have created a JS script to build the DOM elements and AJAX to contact my API for the data. The idea being that a shop owner drops this JS script into their DOM and that's it. But the browser is not allowing me to access my API because of its same-origin policy.
Is the only way to overcome this issue to set Access-Control-Allow-Origin: *? This seems highly insecure to me.
Is my whole approach wrong? What is the best way to deal with this issue?
Thank you.
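For the setup described in the post (a script embedded in shop owners' pages calling a central API), this is an added example, not part of the original post, of an API that sends Access-Control-Allow-Origin for registered shop origins only, rather than *. The shop origins, the function name corsHeaders and the allowed methods and headers are hypothetical.

```javascript
// Added example: the API echoes the request Origin back only for registered shops.
// The shop origins are constructed sample data; a real deployment would load
// them from the app's own record of each shop owner's storefront.
const REGISTERED_SHOP_ORIGINS = new Set([
  "https://shop-one.example",
  "https://store.shop-two.example",
]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_REQUEST_HEADERS = ["content-type"];

// Build the CORS response headers for one request.
// reqHeaders: plain object with lower-cased header names (as Node's http module gives).
function corsHeaders(method, reqHeaders, allowed = REGISTERED_SHOP_ORIGINS) {
  // Always send Vary: Origin so a shared cache never replays one shop's
  // Access-Control-Allow-Origin value to a different origin.
  const headers = { "Vary": "Origin" };
  const origin = reqHeaders["origin"];

  // Exact string match only. Substring or suffix checks would also accept
  // lookalike hosts such as https://shop-one.example.other.test.
  // The literal "null" origin (sandboxed iframes, file://) is never in the set.
  if (typeof origin !== "string" || !allowed.has(origin)) {
    return { allowed: false, headers };
  }
  headers["Access-Control-Allow-Origin"] = origin;

  // Preflight: an OPTIONS request carrying Access-Control-Request-Method.
  const wanted = reqHeaders["access-control-request-method"];
  if (method === "OPTIONS" && wanted) {
    if (!ALLOWED_METHODS.includes(wanted)) {
      return { allowed: false, headers: { "Vary": "Origin" } };
    }
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_REQUEST_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600";
  }
  return { allowed: true, headers };
}
```

CORS headers only decide which pages' scripts may read the response in a browser; they do not authenticate the caller, so any per-shop authorization on the API still has to be enforced separately.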