In prod, the apps run at the following URL/origin by default:
- iOS:
capacitor://localhost - Android:
http://localhost
So, both of those need to be configured in your backend as allowed origins. You could also use Capacitor’s HTTP plugin to get around CORS all together.