I’d like to request support for credentials: 'include' in Plasmic’s REST and GraphQL API integrations. Adding this option would enable the following critical use cases:
** Supabase Integration with Secure Cookies **:
Plasmic’s API interactions currently rely on local storage or headers for token management. For secure integrations with Supabase, cookies (HttpOnly, Secure) are preferred, as they eliminate exposure of sensitive tokens in the browser. With credentials: 'include', developers can directly integrate Supabase authentication without needing custom backend components.
** Avoiding Reinventing the Wheel **:
While Plasmic’s “Run Code” interaction is a powerful feature, relying on it forces developers to recreate API functionality (e.g., error handling, token management, response parsing) that Plasmic already excels at through its REST and GraphQL APIs. Supporting credentials: 'include' would allow developers to leverage these capabilities while maintaining secure authentication flows.
** Streamlined Integration with Existing Tools **:
Many modern platforms (e.g., Supabase, Firebase) support secure cookie-based authentication natively. Without credentials: 'include', developers face the burden of hosting custom components and entirely bypassing Plasmic’s API integrations, diminishing the value of these features.
I believe this enhancement aligns with Plasmic’s goals of being an accessible and extensible platform. It would reduce friction for developers and further Plasmic’s reputation as a powerful tool for integrating with modern backend ecosystems.
Thanks for considering this request! I’m happy to provide more context if needed.
Context:
I have a dual-platform Hono backend designed for Cloudflare and Deno. I’m using it as an edge-first runtime backend to proxy all Supabase calls, including authentication and database interactions. Since this is a backend, I’m not using the Supabase SDK to avoid unnecessary bloat. Instead, I’m making all Supabase calls using native HTTP.
I’ve successfully set cookies on both host.plasmic.dev and my production URL, with all CORS configurations correctly in place. Everything works well for setting cookies from the backend. However, I’m now unable to use one of my favorite features in Plasmic: the Data API integration for both REST and GraphQL.
This is because Plasmic’s components don’t support credentials: "include", which is required for cross-origin requests with SameSite=None. As a result, I have to write custom code in the “Run code” interaction, losing the ease and convenience of Plasmic’s built-in REST and GraphQL components.
Conclusion:
Anyone setting cookies from a backend with SameSite=None will be unable to use Plasmic’s REST and GraphQL data integration features and settings.
Hope the above helped to elaborate my use case. If any more details is required, please don’t hesitate to ask.
P.S. I’ve become so accustomed to using Plasmic’s REST and GraphQL data integration that it feels incredibly strange to have to give it up and rewrite all my integrations in the “Run code” interaction because I want to use cookies. It’s truly one of the best data integration components I’ve ever used.
You have 2 domains, say app.example.com and api.example.com. Your API writes cookies for the top-level domain (i.e. “example.com”). Now you want app.example.com to pass the example.com cookies to api.example.com. By default, the cookies are omitted since it’s considered cross-origin, so you want credentials: "include" to be included in the fetch request. Do I have this right?
Also, are you using the built-in API code components or the backend data integrations (e.g. data queries in the right panel)?
