I am using path to wire my http only cookies to be sent only to /api not in assets/html requests. The cookie will eventually contain a JWT token I do use as an access token. Consequently I will probably wire my refresh cookie only to be sent to /api/refresh-token and not in other requests.
The client won't get to decide which cookie to send where.
The client won't get to decide which cookie to send where.
Looks like a good pattern to me.