CORS Cookie

In the backend, these are the flags are's needed

session.response.cookie('refresh_token', refreshToken, {
    httpOnly: true,
    secure: true,
    signed: true,
    sameSite: 'none',
    maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
});

And backend also need to allow origin in response header

And then in frontend, set this in your fetch options

credentials: 'include',