How to handle Cookie based authentication

Using a GraphQL API that performs cookie-based authentication with Stellate requires an extra step: You need to set up a custom domain on Stellate.

The reason for that is just how cookies over HTTP work. When sending a request to log in, the response usually contains a Set-Cookie header that stores some kind of token inside a cookie. However, the browser will by default not accept this cookie for a "cross-origin request", i.e. a request that was sent to a different domain.

Stellate gives you a subdomain where you can access your service out of the box at .stellate.sh (or graphcdn.app for older services), but this is a different domain than your website. To solve this, Stellate allows you to set a custom domain in the settings for your service.

We currently have example codebases for two common authentication libraries available:


Did this page help you?