CORS on Sessions & Healthcheck even with v7 upgrade

Feature(s) impacted

Being a new developer on the team, I am attempting to have the Development environment work on my machine so I can make modification and then push to Production. But I get CORS errors.

Observed behavior

I am unable to make the Development environment work. I can’t get past the “Unlock your data” modal. Entering the password and pressing enter gives me Session & Healthcheck CORS errors:

Expected behavior

Since I followed the instructions to upgrade to v7 (mongoose) I expected the CORS errors to Vanish. But they don’t. Curl requests works thought.

Failure Logs

No error during App start. See image above for cors error.


  • Project name: EyeMeApp

  • Team name: Operations

  • Environment name: Development

  • Agent type & version:

  • Recent changes made on your end if any: I am new to the project and attempting to get the Dev environment to work. I upgraded to v7 as mentionned here: May 2021 - Agent upgrade to latest major version required

Also, I must say that i do not know what AUTH secret I should use. This development environment was not created by me and I do not know where to get this information.


Do you have an error at agent startup? I can see that the frontend is requesting to repeat the password, but this operation is no longer necessary since version 7.

Having the frontend ask you to repeat the password shows that:

  • there is an error when sending the apimap to forest (indicated in the console)
  • or your agent is not running with NODE_ENV=development (if not the case, please specify this value)

Can you copy paste the headers of the OPTIONS request and response? This will help find the origin of the error.

Omg … that was it… I had NODE_ENV=staging
Don’t know why.
But changing it to development solved my problem !!!

Thank you very much Guillaume !!

While this ticket is still open may I as what the AUTH_SECRET is used for and how I may find it for my dev environment ?


The AUTH_SECRET variable is used to sign JWTs. You can set it to any random string.