Access-Control-Allow-Credentials failure when trying to fetch the token

I’m building a small app with auth0 as a trial experience. Everything worked out pretty well when I developed locally, but now I deployed it to the web and got unexpected issues.

The error happens when I access /oauth/token:

Access to fetch at '' from origin 'https://MYDOMAIN.COM' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.

Here’s how the request looks (converted to curl):

curl '' -H 'Referer: MYDOMAIN.COM/?code=CODE&state=STATE%3D%3D' -H 'Sec-Fetch-Dest: empty' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.106 Safari/537.36' -H 'Content-type: application/json' --data-binary '{"grant_type":"authorization_code","redirect_uri":"MYDOMAIN.COM","audience":"AUD","client_id":"CID","code_verifier":"WHATEVER","code":"WHATEVER"}' --compressed

Sent via curl it returns me a valid cookie, sent via the browser it results in the aforementioned error. Given it’s a POST request that sets a cookie and reading through MDN, it looks to me that the Auth0 SDK (I’m using is supposed to send the request with XMLHttpRequest.withCredentials, but more importantly, the server must reply with an Access-Control-Allow-Credentials header (which it doesn’t, based on curl).

Any ideas?

Apparently it was Flutter all along.

The release build includes a service worker which has a handler like this:

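self.addEventListener('fetch', function (event) {
  event.respondWith(caches.match(event.request)
      .then(function (response) {
        if (response) {
          return response;
        }
        // Cache miss: re-issue the request, overriding its credentials mode
        return fetch(event.request, {
          credentials: 'include'
        });
      }));
});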

As you can see, it forcefully injects credentials: 'include' into all the requests, thus making auth0 requests fail because they lack the Access-Control-Allow-Credentials.
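
An added example, not part of the original post or of Flutter's generated worker: a fetch handler that keeps 'include' for the app's own origin but leaves the credentials mode of cross-origin requests untouched, plus a small model of the browser check quoted in the error message. The names pickCredentials and corsCheck, the origins and the response headers are assumptions constructed for illustration.

```javascript
// Hypothetical helper: credentials mode to use when the worker re-issues a request.
// Same-origin requests keep the original worker's 'include'; cross-origin requests
// keep whatever mode the page asked for, so they are never upgraded.
function pickCredentials(requestUrl, requestedMode, workerOrigin) {
  const sameOrigin = new URL(requestUrl, workerOrigin).origin === workerOrigin;
  return sameOrigin ? 'include' : requestedMode;
}

// Hypothetical model of the browser's CORS check on a cross-origin response.
// With mode 'include', Access-Control-Allow-Origin must equal the caller's
// origin (not '*') and Access-Control-Allow-Credentials must be exactly 'true'.
function corsCheck(mode, origin, headers) {
  const allowOrigin = headers['access-control-allow-origin'] || '';
  const allowCreds = headers['access-control-allow-credentials'] || '';
  if (mode === 'include') {
    return allowOrigin === origin && allowCreds === 'true';
  }
  return allowOrigin === '*' || allowOrigin === origin;
}

// Register the handler only where the service worker APIs exist.
if (typeof self !== 'undefined' && typeof caches !== 'undefined') {
  self.addEventListener('fetch', (event) => {
    event.respondWith(
      caches.match(event.request).then((cached) => {
        if (cached) return cached;
        const req = event.request;
        return fetch(req, {
          credentials: pickCredentials(req.url, req.credentials, self.location.origin),
        });
      })
    );
  });
}

// Constructed sample: a token endpoint that allows the origin but sends no
// Access-Control-Allow-Credentials header, as in the error above.
const APP_ORIGIN = 'https://app.example';
const TOKEN_URL = 'https://tenant.example/oauth/token';
const TOKEN_HEADERS = { 'access-control-allow-origin': APP_ORIGIN };

function outcome(mode) {
  return corsCheck(pickCredentials(TOKEN_URL, mode, APP_ORIGIN), APP_ORIGIN, TOKEN_HEADERS);
}
```

Here outcome('same-origin') passes the check, while corsCheck('include', APP_ORIGIN, TOKEN_HEADERS) models the forced mode and fails.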