Authentication when connecting to GraphQL endpoint from browser extension


I currently have a project using dbAuth, and I am creating a browser extension that sends data to the GraphQL endpoint.

For authentication, I noticed the browser extension reuses the website’s session cookie, so I figured it’s theoretically possible to do the same in my app.

For the browser extension, when inspecting the request in the Network tab, it seems to be sending the same session cookie as regular frontend. However, it’s always getting ApolloError: You don't have permission to do that..

Here are my CORS and cookies settings:

In graphql.ts:

  cors: {
    origin: '*',
    credentials: true,

In functions/auth.ts

    cookie: {
      HttpOnly: true,
      Path: '/',
      SameSite: 'None',
      // Secure: process.env.NODE_ENV !== 'development',
      Secure: true,

      // If you need to allow other domains (besides the api side) access to
      // the dbAuth session cookie:
      // Domain: '',

    cors: {
      origin: '*', // <-- web side domain
      credentials: true,

In the browser extension:

    const httpLink = createHttpLink({
      uri: API_GRAPHQL_URL,
      credentials: 'include',

    const apolloClient = new ApolloClient({
      link: httpLink,
      cache: new InMemoryCache(),

So far, I haven’t been able to figure out why the authentication failed. The server log doesn’t help much. I originally had a Clerk auth setup with the same problem, so I switched to dbAuth since I figured it’s more configurable. But no luck so far.

Any idea what might be the problem?

Thanks in advance!

PS: One thing I noticed in’s session cookie is that it has HostOnly:false. But I can’t quite set it as a valid property in functions/auth.ts’s cookie: settings.