[feature] can we please have relaxed CORS on api.test.mucklet.com

It looks like api.test.mucklet.com is only happy with Origin: https://test.mucklet.com. I can somewhat understand why it’s useful for prod, but can we have some relaxed rules for the test server? Or at least allow in some localhost traffic like Origin: http://localhost:2421?

I’ve been poking the API with Flutter and it’s really annoying that I have to build the desktop app every time because flutter-web sends an origin I can’t control.

If I remember correctly, I cannot set the header to Access-Control-Allow-Origin: * as it will prevent cookies from being properly sent.

But I have just added the following allowed origin to the test realm:

http://localhost:6450

That is the port I use for local client development.
Try it out and see if it works! :slight_smile:

Any way around this auth thing?

{"error":{"code":"auth.unsafeOrigin","message":"Not allow from unsafe origin."},"id":2}.

If that’s not a trivial thing to fix I could set up an HTTPS listener.

I did block certain calls from “unsafe origins” (meaning, clients not under direct control of Mucklet (a.k.a. me)) to reduce the risk of anyone stealing other players’ passwords with a custom client.

That affects calls such as:

  • registering a new account
  • changing password
  • password login… oh! Yeah. That is the one you need to use. I understand now.

Okay. I need to consider how to make it easier for you to use password login when developing custom client code.
But changing this behavior requires a server update rather than just some edited config. So it is nothing I can change right now. Sorry.
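
The two origin checks discussed in this thread (a CORS allowlist that echoes the exact origin because a wildcard cannot be combined with cookies, and the stricter "unsafe origin" block on password calls), sketched as an added example that is not Mucklet's server code. The origins and the error object are taken from the posts above; the method names, the two-set split and the handling of a missing Origin header are assumptions.

```javascript
// Added illustration, not Mucklet's implementation.
// Origins come from the thread; the two-set split is an assumption.
const TRUSTED_ORIGINS = new Set(["https://test.mucklet.com"]);
const ALLOWED_ORIGINS = new Set([...TRUSTED_ORIGINS, "http://localhost:6450"]);
// Hypothetical method names for: register account, change password, password login.
const SENSITIVE_METHODS = new Set(["register", "changePassword", "login"]);

// Accept only a well-formed Origin header value: scheme://host[:port], nothing else.
function parseOrigin(header) {
  if (typeof header !== "string") return null;
  try {
    const u = new URL(header);
    // Opaque origins serialize as "null"; a path or odd casing makes the
    // round-trip differ from the header, so those are rejected as well.
    return u.origin !== "null" && u.origin === header ? u.origin : null;
  } catch {
    return null;
  }
}

// Credentialed CORS: echo the exact allowlisted origin, never "*".
function corsHeaders(originHeader) {
  const origin = parseOrigin(originHeader);
  // No CORS headers means the browser refuses to expose the response.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // keeps caches from reusing one origin's headers for another
  };
}

// Second tier: password-handling calls are accepted only from first-party origins.
// Assumption: a request without an Origin header is treated as unsafe too;
// the thread does not say how the server handles that case.
function checkCall(originHeader, method) {
  const origin = parseOrigin(originHeader);
  if (SENSITIVE_METHODS.has(method) && !(origin && TRUSTED_ORIGINS.has(origin))) {
    // Error object copied verbatim from the thread.
    return { error: { code: "auth.unsafeOrigin", message: "Not allow from unsafe origin." } };
  }
  return { ok: true };
}
```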

Apparently I can just feed cookies into the machine and it will let me in. I’m good for now!

Yes, it does like cookies! :sweat_smile:

Was the machine developed by Widget?

Are you implying Widget would trade useful work for cookies?

Given the cookies are basically JWT… are those hash cookies?

Only in some countries and states, since that wouldn’t be okay everywhere. :wink: