CORS

Configure trusted origins for cross-origin requests.

auth = await nexfetch_auth(
    secret="...",
    trusted_origins=[
        "http://localhost:3000",
        "https://myapp.com",
    ],
)

Behavior

• OPTIONS preflight requests return Access-Control-Allow-* headers
• Untrusted origins receive an empty Access-Control-Allow-Origin header
• Empty trusted_origins allows all origins (default — change for production)