I would be interested to know the real answer to the possible existence of this http-only cookie authentication ? Does dgraph graphQL api allows cookie-based authentication ?
Forcing authorization via headers forces us to manipulate jwt in the frontend browser, exposing our apps to token exfiltrations as no one can secure secret data in a browser.