"Try It" with Cookie param + CORS

Hey there, sorry if this isn’t the correct place to be asking this question.

We have an api that’s secured via cookies. I’d like to be able to use the “Try It” feature in the browser, but I’m hitting issues with getting requests to work. I’m not sure if this is supported, but figured I’d try.

I’ve set up a Security Schema for the cookie and added it as a global configuration

image.png808×224 13.5 KB

When I get the browser to make the test request however, no cookie is being sent (checked via the Chrome Network Inspector). I can confirm just visiting the api in the browser correctly sends the cookie and gets a response.

Is this actually supported, or am I expecting too much?

Hey Mal,

You’re right, our API Key support only covers header and query in Studio/Platform, as they are the most commonly used types. When I read this post I had to go and have a quick check of the spec to see if cookies were supported for API keys!

Thanks for getting this on my radar. I’ve got the team to look into this for the new elements OSS release, coming to an inbox near you soon: https://stoplight.io/open-source/elements/

Sweet, thanks Phil - I signed up for notifications on Elements the other day! Looking forward to its release.

After talking about it, it’s not coming in v7.0 but might be possible in the future when we bring back the CORS proxy. Browser based JS code isn’t able to set cookies like this, so we’ll need the CORS proxy.

Please you vote for this feature and you’ll get updates when it happens.

I’m more interested in it ensuring that the existing browser cookie is passed in the credentials rather than allowing arbitrary cookie setting.

i.e. if the browser already has a cookie xyz and the API specifies that cookie authentication is used, then the fetch request (I’m assuming it’s using fetch) should be allowed to “include credentials” and pass along the existing browser cookie.