Embedded App Not Working in Incognito Mode – Chrome Third-Party Cookie Issue

mansi
Shopify Partner

I'm developing a custom embedded app for Shopify using App Bridge and session tokens. The app works fine in regular browser mode, but it fails to load correctly in Chrome Incognito mode.

Replies 3 (3)

Iso-Analyzify
Shopify Partner

Yeah, that’s a common issue. In Chrome Incognito, third-party cookies are blocked by default, so even if you’re using App Bridge and session tokens, things can still break if the backend is expecting any kind of cookie.

What usually happens is that the frontend is sending the session token properly, but the backend is still looking for a session cookie or CSRF token. Since those cookies don’t exist in Incognito, the auth fails silently or just doesn't load.

To fix it, the backend should only use the session token from the Authorization: Bearer <token> header and completely avoid relying on req.session or any cookie-based checks.

If you're using Rails or a framework with built-in CSRF protection, that might also cause issues. In that case, you’d want to either skip CSRF checks for routes that use session tokens (like skip_before_action :verify_authenticity_token) or switch to something like protect_from_forgery with: :null_session so it doesn’t rely on cookies.

Once the backend is fully token-based and not expecting cookies, it should work fine in Incognito too.
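
A sketch of the token-only check described in the reply above, added here as an example (it is not code from any poster in this thread, nor Shopify's own library). It assumes the session token is an HS256 JWT signed with the app's secret and carrying `exp`, `nbf`, `aud`, `iss` and `dest` claims; `verifySessionToken`, `makeSampleToken` and the sample key, secret and shop are hypothetical names and constructed values. It is written for Node.js, and the same checks carry over to a C# backend.

```javascript
const crypto = require("node:crypto");

const b64url = (buf) => Buffer.from(buf).toString("base64url");

// HS256 signature over "<header>.<payload>" with the app's secret.
function sign(data, secret) {
  return crypto.createHmac("sha256", secret).update(data).digest();
}

// Returns the verified claims or throws. Reads only the Authorization header:
// no cookies, no req.session, so it behaves the same in Incognito.
function verifySessionToken(authorization, { apiKey, apiSecret, now = Date.now() / 1000 }) {
  const match = /^Bearer ([\w-]+)\.([\w-]+)\.([\w-]+)$/.exec(authorization || "");
  if (!match) throw new Error("missing or malformed bearer token");
  const [, header, payload, signature] = match;

  // Pin the algorithm; never let the token's own "alg" choose the check.
  const { alg } = JSON.parse(Buffer.from(header, "base64url").toString());
  if (alg !== "HS256") throw new Error("unexpected alg");

  const expected = sign(`${header}.${payload}`, apiSecret);
  const given = Buffer.from(signature, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    throw new Error("bad signature");

  const claims = JSON.parse(Buffer.from(payload, "base64url").toString());
  // Written as negations so a missing exp/nbf claim is rejected too.
  if (!(claims.exp > now)) throw new Error("token expired");
  if (!(claims.nbf <= now)) throw new Error("token not yet valid");
  if (claims.aud !== apiKey) throw new Error("token issued for another app");
  // Assumed shape: iss is https://<shop>/admin, dest is https://<shop>.
  if (new URL(claims.iss).hostname !== new URL(claims.dest).hostname)
    throw new Error("iss/dest mismatch");
  return claims;
}

// Constructed sample token (placeholder key, secret and shop) for a stand-alone run.
function makeSampleToken(secret, overrides = {}) {
  const now = Math.floor(Date.now() / 1000);
  const claims = { iss: "https://example-shop.myshopify.com/admin",
    dest: "https://example-shop.myshopify.com", aud: "sample-api-key",
    sub: "1", exp: now + 60, nbf: now - 5, iat: now - 5, ...overrides };
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(claims));
  return `${head}.${body}.${b64url(sign(`${head}.${body}`, secret))}`;
}

const demo = verifySessionToken(`Bearer ${makeSampleToken("sample-secret")}`,
  { apiKey: "sample-api-key", apiSecret: "sample-secret" });
console.log("authenticated shop:", demo.dest);
```

Because the browser never attaches a bearer header on its own, a route authenticated this way does not depend on a cookie-bound CSRF token, which is why the reply can suggest skipping that check for these routes only.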

mansi
Shopify Partner

We are using it through C#. Could you please help me?

Wendell4
Explorer

Hi @mansi

A kind reminder here for your reference:

Please double-check whether the embedded app shows any errors in the console section of the browser's inspection mode. If so, please debug and find the code causing them accordingly. Thank you!