Embedded app with Cookie header doesn't propagate cookies to Authenticated API

I work on a Product A with its own authentication method. I’m exploring Appsmith using the self-hosted deployment method.
Product A is responsible to manage Appsmith users, i.e. create an Appsmith user per Product A.
Inside Product A, I display an iframe with an embedded Appsmith app. Before pulling the Appsmith app document, Product A makes sure the iframe has a valid Appsmith SESSION (if not, the user is automatically logged in using the Appsmith API behind the scenes). At this point, the iframe has both sessions (Product A and Appsmith).

Now, the Appsmith app has an Authenticated API datasource and Queries/JS configured to reach Product A’s API.

I confirmed A’s API is being reached from the embedded app and public endpoints are returning the response correctly.

However, the private endpoints (behind A’s authentication) return 401 because A’s Session is not present in the Cookie header. Using the browsers dev tools, I can confirm that the iframe is sending A’s Session in the Cookie header (to Appsmith’s API: /api/v1/actions/execute ) but that Cookie header is not reaching A’s API at all.

My assumption is that Appsmith’s backend is not capable of passing certain HTTP Header from the apps request onto the target/API request.

So, the question is: How can the embedded Appsmith app perform requests to an Authenticated API when rely on my own authentication method? The data pulled by and displayed in the embedded app must depend on the parent A user.

Hey!

Could you provide some more clarity to the flow of information here? If I understand right, the gist is that you’d like the cookie headers you send to appsmith to be forwarded to your API. Is this correct?

you’d like the cookie headers you send to appsmith to be forwarded to your API. Is this correct?

Exactly. The Cookie header has both sessions: Appsmith’s and Product A’s. I think it’s not being forwarded to prevent exposing Appsmith’s?