Mobile deep links and universal links: keep API CORS separate from app URL schemes

iOS/Android app links open native code; your REST API still needs browser CORS for hybrid WebViews and PWAs.

WebView nuances

Embedded browsers may send file:// or app-bound origins—tight allowlists prevent accidental exposure.

Capacitor and Cordova often proxy to localhost; mirror those origins in staging tests.
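One way to implement the tight allowlist described above, with a separate staging set that mirrors the localhost origins a hybrid shell sends. This is an added example, not code from the original post; the hostnames, the shell origin values and the function name `corsHeadersFor` are assumptions to replace with what your own builds send.

```javascript
// Added example: exact-match CORS allowlist that covers WebView shell origins.
// Every origin value here is an assumption; confirm the real ones by logging
// the Origin header your API receives from a device build.
const ALLOWED_ORIGINS = new Map([
  ["production", new Set([
    "https://app.example.com",   // web SPA / PWA (placeholder host)
    "capacitor://localhost",     // assumed Capacitor iOS shell origin
    "https://localhost",         // assumed Capacitor Android shell origin
  ])],
  ["staging", new Set([
    "https://staging.example.com", // placeholder host
    "capacitor://localhost",
    "https://localhost",
    "http://localhost",          // assumed Cordova / older Android shell origin
    "http://localhost:8100",     // assumed local dev server, staging only
  ])],
]);

// Returns the CORS response headers for a request, or null when the origin
// is not allowlisted (the caller then sends no CORS headers at all).
function corsHeadersFor(originHeader, env) {
  const allowed = ALLOWED_ORIGINS.get(env);
  if (!allowed || typeof originHeader !== "string") return null;
  // Pages loaded from file:// typically send the literal string "null".
  // It is shared by every opaque origin, so it identifies nothing: reject it.
  if (originHeader === "null") return null;
  // Exact string comparison only: no prefix, suffix or regex matching, so a
  // look-alike such as "https://localhost.other.example" does not pass, and
  // a port that is not listed is a different origin.
  if (!allowed.has(originHeader)) return null;
  return {
    "Access-Control-Allow-Origin": originHeader, // echo the match, never "*"
    "Vary": "Origin", // stop caches reusing one origin's response for another
  };
}
```

Keeping the dev-server port out of the production set means a staging-only origin fails closed if it ever reaches the production API.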

OAuth redirects

Register redirect URIs per platform; do not reuse web SPA redirect URIs for native without PKCE and state.

Keep CORS on token endpoints consistent with your web clients even when native uses custom URL handlers.
