I've got a particular workflow in mind here and maybe this is not supported by Supertokens -- I figure asking might save me a lot of guessing or frustration. Here's the basic idea:
- Client is a desktop (electron app) so it should be possible to build the login stuff into this
- There's an API gateway on the backend that sends the API call rest/v1/auth/... to the backend golang service that's based on the generated example code
- I would like this backend service to issue (and eventually enrich) a JWT that other backend services will use
- Said other backend services are Kotlin/JVM so they'll want to verify and decode the JWT to check that user A is authorized to access the data of company X, but that's fairly straightforward.
So that's the goal, broadly, and generally I think I can do it but I'm open to hearing I'm wrong 😅 But here's the problem:
I'm stuck in trying to run the backend service on anything other than my dev machine. It's because of CORS issues: because hypothetically client origins could be anywhere, I think I want allow-origin to be `"*"`, but that leads to errors about `Credential is not supported if the CORS header ‘Access-Control-Allow-Origin’ is '*'`. And the docs say to add the origin location, but I think I want to allow login from the wider world of clients. Or do I need to rewrite the origin of the request in the API gateway level? Or maybe I'm missing something obvious. Thanks and sorry this is long!
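The error quoted above is the browser enforcing a CORS rule: a response that carries `Access-Control-Allow-Credentials: true` (needed for cookie-based sessions) may not use `Access-Control-Allow-Origin: *`. The usual way to serve many clients without a wildcard is to compare the request's `Origin` header against an allowlist and echo back the matched origin, together with `Vary: Origin`. Reflecting any `Origin` unchecked would satisfy the browser but effectively grants every website credentialed access to the API, which is the failure mode to avoid. The middleware below is an added example in plain `net/http` for a Go backend; it is not SuperTokens code, and the allowlisted origins, the `/rest/v1/auth/session` path and the `Probe` helper are constructed for illustration. Whether an Electron renderer sends a real origin or `null` depends on how the app is loaded (a `file://` page typically has an opaque origin), so the allowlist entries are an assumption to adapt to the actual scheme and host the app uses.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// allowedOrigins is a constructed allowlist for this example. In a real
// deployment it would come from configuration; the values are placeholders.
// Browsers send the Origin header as a normalised (lowercase) serialisation,
// so exact string comparison is sufficient here.
var allowedOrigins = map[string]bool{
	"https://app.example.com":   true,
	"https://admin.example.com": true,
}

// OriginAllowed reports whether the request's Origin header is on the allowlist.
// An empty Origin (same-origin or non-browser request) and the literal "null"
// (sandboxed iframes, some file:// contexts) are rejected, so the check cannot
// be satisfied by an opaque origin.
func OriginAllowed(origin string) bool {
	if origin == "" || origin == "null" {
		return false
	}
	return allowedOrigins[origin]
}

// CORSHeaders builds the headers for a credentialed CORS response. It returns
// nil when the origin is not allowed, so the caller emits no CORS headers and
// the browser blocks the cross-origin read. Allow-Origin echoes the matched
// origin (never "*", which browsers refuse next to Allow-Credentials: true),
// and Vary: Origin stops shared caches from serving one origin's response to
// another.
func CORSHeaders(origin string) http.Header {
	if !OriginAllowed(origin) {
		return nil
	}
	h := http.Header{}
	h.Set("Access-Control-Allow-Origin", origin)
	h.Set("Access-Control-Allow-Credentials", "true")
	h.Set("Access-Control-Allow-Methods", "GET, POST, OPTIONS")
	h.Set("Access-Control-Allow-Headers", "Content-Type, Authorization")
	h.Add("Vary", "Origin")
	return h
}

// CORS wraps a handler: preflight requests are answered here, and every other
// request passes through with CORS headers attached when the origin is allowed.
func CORS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range CORSHeaders(r.Header.Get("Origin")) {
			w.Header()[k] = v
		}
		if r.Method == http.MethodOptions && r.Header.Get("Access-Control-Request-Method") != "" {
			// Preflight: reply without invoking the protected handler.
			w.WriteHeader(http.StatusNoContent)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// Probe sends a request with the given Origin through the middleware (using an
// in-memory recorder, no network) and returns the Access-Control-Allow-Origin
// value the client would see; "" means the browser would block the response.
func Probe(origin string) string {
	h := CORS(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("ok"))
	}))
	req := httptest.NewRequest(http.MethodGet, "/rest/v1/auth/session", nil)
	if origin != "" {
		req.Header.Set("Origin", origin)
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Result().Header.Get("Access-Control-Allow-Origin")
}

func main() {
	for _, o := range []string{"https://app.example.com", "https://evil.example.net", "null", ""} {
		fmt.Printf("%-26q -> %q\n", o, Probe(o))
	}
}
```

Running the block prints the echoed origin for the allowlisted client and an empty value for the unknown, `null` and missing origins. The same pattern applies at an API gateway: rather than rewriting the request's origin so the backend sees something it accepts (which would defeat the check), the gateway or the service should hold the allowlist and decide per request.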