Vendure Auth Token Not Displayed in Browser But Available in Postman

[rajendranali-talentica]

Hi everyone! 👋

I'm currently working on a Vendure-based project and have encountered an issue related to authentication.

When I perform a login mutation in Postman, I can see the Set-Cookie header and the sessionToken is properly returned and stored. However, when I try the same login mutation from the browser (GraphQL Playground or from a frontend app), the token is not returned or stored, and I remain unauthenticated for further requests.

---

What I’ve tried so far:

1. Confirmed login mutation works in Postman:

   mutation {
     login(username: "superadmin", password: "superadmin") {
       user {
         id
         identifier
       }
     }
   }

2. Checked DevTools > Network in browser:

   • The Set-Cookie header is not present in the response.

3. Set credentials: 'include' in frontend fetch and Apollo client config:

   fetch('/admin-api', {
     method: 'POST',
     credentials: 'include',
     ...
   });

4. Updated vendure-config.ts with CORS settings:

   apiOptions: {
     cors: {
       origin: 'http://localhost:3000',
       credentials: true,
     },
   }

---

Questions:

• Is there a special config to enable cookie-based auth for browsers?
• Do I need to manually return the token instead of using cookies?
• Any known issues with SameSite or browser cookie policies affecting this?

---

Any help or suggestions from the community would be greatly appreciated 🙏

Thanks in advance!