SvelteKit + @supabase/ssr - Missing Set-Cookie Headers on Successful Login
Problem:
I'm using SvelteKit (Svelte 4) with @supabase/ssr for authentication. My client-side supabase.auth.signInWithPassword call succeeds (returns 200 OK from /auth/v1/token with user/session data in the JSON response), but the Response Headers are missing the Set-Cookie headers for the sb-* tokens.
This prevents the browser from storing session cookies, causing subsequent server-side requests (handled by hooks.server.ts using createServerClient) to fail authentication checks (event.locals.getSession() returns no session).
Troubleshooting Done:
Verified PUBLIC_SUPABASE_URL/ANON_KEY and VITEPUBLIC... env vars are correct and match dashboard.
Confirmed Supabase Auth Settings: "Enable Session Management" appears implicitly ON (no master toggle found), Redirect URLs include https://localhost:5173/**.
Using standard @supabase/ssr pattern in hooks.server.ts.
Upgraded project to Pro Plan - issue persists.
Client-side fetch calls include credentials: 'include'.
Question:
Why would the Supabase Auth endpoint not send back Set-Cookie headers on a successful login, despite returning session data in the response body? Is there a configuration I might be missing?
I'm using https and have CORS set up as well. Not sure if there are other relevant settings?
Any insights would be greatly appreciated! This has been driving me crazy.