How to configure CORS for a JWT-protected API in ASP.NET Core 11
A complete guide to CORS for a bearer-token API in ASP.NET Core 11: the correct UseCors ordering relative to authentication, why a bearer token in the Authorization header is not a CORS credential, why AllowAnyHeader works but a manual wildcard does not cover Authorization, and how to keep preflight from failing.