From d278ab045839fb8410abf375da4171f5a9fcb48e Mon Sep 17 00:00:00 2001
From: M1 <m1-pro@M1s-MacBook-Pro.local>
Date: Wed, 18 Mar 2026 09:44:50 +0400
Subject: [PATCH] fix: use credentials:include for cross-origin API requests

---
 apps/web/src/dashboard/app.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/web/src/dashboard/app.js b/apps/web/src/dashboard/app.js
index 672f5bc..79c21e7 100644
--- a/apps/web/src/dashboard/app.js
+++ b/apps/web/src/dashboard/app.js
@@ -13,7 +13,7 @@ function requireAuth() { return true; }
 async function api(path, opts = {}) {
   const res = await fetch(`${API_BASE}${path}`, {
     ...opts,
-    credentials: 'same-origin', // send cookie automatically
+    credentials: 'include', // send cookie cross-origin to api.pingql.com
     headers: {
       'Content-Type': 'application/json',
       ...opts.headers,
@@ -67,7 +67,7 @@ function watchAccount(onPing) {
   async function connect() {
     try {
       const res = await fetch(`${API_BASE}/account/stream`, {
-        credentials: 'same-origin',
+        credentials: 'include',
         signal: ac.signal,
       });
       if (!res.ok || !res.body) return;