Vendure Auth Token Not Displayed in Browser But Available in Postman

[rajendranali-talentica]

Hi everyone! 👋

I'm currently working on a Vendure-based project and have encountered an issue related to authentication.

When I perform a login mutation in Postman, I can see the Set-Cookie header and the sessionToken is properly returned and stored. However, when I try the same login mutation from the browser (GraphQL Playground or from a frontend app), the token is not returned or stored, and I remain unauthenticated for further requests.

What I’ve tried so far:

1. Confirmed login mutation works in Postman:

   mutation {
     login(username: "superadmin", password: "superadmin") {
       user {
         id
         identifier
       }
     }
   }

2. Checked DevTools > Network in browser:

   • The Set-Cookie header is not present in the response.

3. Set credentials: 'include' in frontend fetch and Apollo client config:

   fetch('/admin-api', {
     method: 'POST',
     credentials: 'include',
     ...
   });

4. Updated vendure-config.ts with CORS settings:

   apiOptions: {
     cors: {
       origin: 'http://localhost:3000',
       credentials: true,
     },
   }

---

Questions:

• Is there a special config to enable cookie-based auth for browsers?
• Do I need to manually return the token instead of using cookies?
• Any known issues with SameSite or browser cookie policies affecting this?

---

Any help or suggestions from the community would be greatly appreciated 🙏

Thanks in advance!

[sergiodxa]

Are you doing this GQL mutation from the browser? or from a Remix action? If you do it from the action, then you need to grab the set-cookie from the GQL response and add that header to the response sent to the browser

I recommend you to make your API not use cookies, and instead use the Authorization header with a token. Cookies are a browser feature, APIs can be consumed from browsers, from mobile apps, desktop apps, another server, etc.

Another thing, regarding this code:

apiOptions: {
  cors: {
    origin: 'http://localhost:3000',
    credentials: true,
  },
}

If this is server-side, credentials: true does nothing in the server, you have to grab the cookie from the request.headers and manually add it, another reason to use tokens, you just grab the token from a cookie and pass the token to the API client.