[stanleydrew]

Not sure about the "fix", since now users can't persist a logged in browser session?

If you aren't using cookies for API auth, is there not some way to configure your server framework to just ignore them if received?

[joshsharp]

They shouldn't be logging in via the webview within the app anyway, so that's moot.

We are using cookies, as the post says, as a fallback authentication so devs can browse the API from a browser if they're logged in to the site.

[eridius]

Why are devs using a browser to hit API endpoints? There are much better tools. My preferred one is called Paw (https://paw.cloud) but there are others.

[grkvlt]

Because Paw is GBP 39.99 and a browser is free?

[eridius]

There are other free tools too, like Postman (https://www.getpostman.com).

[grkvlt]

True, I actually use Postman in Chrome, forgot to mention that.