> Obviously you won't be able to share cookies between the site and the api.
I don't know of any API that requires cookies from the site. Usually you use an access token or something similar for an API.
> But you have the additional challenge of having your api domain treated as 3rd party and are thus subject to all the security measures and sandboxing that come with that.
CORS solves most of the pain points. You just need to ensure the API is serving the correct CORS headers.