Dropbox and Box thumbnails returning 401 Unauthorized

We’ve been using Uppy for a while but we hadn’t updated it since almost half a year ago. We use companion and integration with Dropbox was working fine.

However, after updating to the latest version of both client and companion server (we use standalone), the thumbnails after adding an image are failing. It happens with both Dropbox and Box and only when using Chrome. When they try to request the thumbnail from the companion URL as https://companion-url/thumbnail/827563117593 they return a 401 Unauthorized.

Our companion-url‘s domain differs from our clients’ domains but it was working with no issues before. I’m convinced is CORS related but I haven’t found the proper config to sort this out yet.

Any idea of what could we missing?

Edit: I’ve found this post mentioning the same issue. Anyone has sorted this out?


Seems like SameSite wasn’t added to the cookies so adding it along with security: true made the trick.

const addToCookies = (res, token, companionOptions, authProvider, prefix) => {
    const cookieOptions = {
        maxAge: 1000 * EXPIRY,
        httpOnly: true,
        sameSite: 'none', // fix to show thumbnails on Chrome
        security: true, // fix to show thumbnails on Chrome
    if (companionOptions.cookieDomain) {
        cookieOptions.domain = companionOptions.cookieDomain;
    // send signed token to client.
    res.cookie(`${prefix}--${authProvider}`, token, cookieOptions);

In our case, given that Companion’s domain is different from our clients’ we need to set sameSite to none.

There’s actually a typo and it’s secure: true instead of security: true.