• r

    rp

    7 months ago
    If yes, is the refresh API being called at all by the frontend?
  • teebot

    teebot

    7 months ago
    indeed I meant refresh No, my frontend does not expressly call the refresh API
  • r

    rp

    7 months ago
    hmm. So the supertokens.init is called on the frontend on app start, correct?
  • teebot

    teebot

    7 months ago
    yes
  • r

    rp

    7 months ago
    And do you have your own custom fetch interceptors?
  • teebot

    teebot

    7 months ago
    I did not set any custom interceptor and we don't use axios just regular fetch
  • r

    rp

    7 months ago
    alright! Do the regular API calls to your application's APIs (that do succeed) have a header like
    rid: "anti-csrf"
    in them?
  • teebot

    teebot

    7 months ago
    I'm checking that
  • teebot

    teebot

    7 months ago
    we use helmet so maybe it is set by that middleware
  • r

    rp

    7 months ago
    hmm. If the fetch interceptor provided by us is getting applied as expected, all requests to your app's APIs should have
    rid: "anti-csrf"
    in it.