When using CORS and authentication there are two issues: - The client library doesn't set the `withCredentials` XHR Field to `true` - The agent doesn't respond with a `Access-Control-Allow-Credentials` header. See this [article](https://developer.mozilla.org/en-US/docs/HTTP/Access_control_CORS?redirectlocale=en-US&redirectslug=HTTP_access_control#Requests_with_credentials) for details.