In the backend, these are the flags are's needed
session.response.cookie('refresh_token', refreshToken, {
httpOnly: true,
secure: true,
signed: true,
sameSite: 'none',
maxAge: 30 * 24 * 60 * 60 * 1000, // 30 days
});
And backend also need to allow origin in response header
And then in frontend, set this in your fetch options
credentials: 'include',