diff --git a/api/server/auth/auth.go b/api/server/auth/auth.go index 84a36607..c57c7b50 100644 --- a/api/server/auth/auth.go +++ b/api/server/auth/auth.go @@ -5,7 +5,6 @@ import ( "strings" "github.com/micro/go-micro/v2/auth" - "github.com/micro/go-micro/v2/metadata" ) // CombinedAuthHandler wraps a server and authenticates requests @@ -42,15 +41,16 @@ func (h authHandler) ServeHTTP(w http.ResponseWriter, req *http.Request) { } var token string - if header, ok := metadata.Get(req.Context(), "Authorization"); ok { + if header := req.Header.Get("Authorization"); len(header) > 0 { // Extract the auth token from the request if strings.HasPrefix(header, BearerScheme) { token = header[len(BearerScheme):] } } else { // Get the token out the cookies if not provided in headers - if c, err := req.Cookie(auth.CookieName); err != nil && c != nil { - token = c.Value + if c, err := req.Cookie("micro-token"); err == nil && c != nil { + token = strings.TrimPrefix(c.Value, auth.CookieName+"=") + req.Header.Set("Authorization", BearerScheme+token) } } diff --git a/api/server/cors/cors.go b/api/server/cors/cors.go index 090d6632..6c030e0c 100644 --- a/api/server/cors/cors.go +++ b/api/server/cors/cors.go @@ -38,6 +38,7 @@ func SetHeaders(w http.ResponseWriter, r *http.Request) { set(w, "Access-Control-Allow-Origin", "*") } + set(w, "Access-Control-Allow-Credentials", "true") set(w, "Access-Control-Allow-Methods", "POST, PATCH, GET, OPTIONS, PUT, DELETE") set(w, "Access-Control-Allow-Headers", "Accept, Content-Type, Content-Length, Accept-Encoding, X-CSRF-Token, Authorization") } diff --git a/client/grpc/grpc.go b/client/grpc/grpc.go index e1043afe..c0900655 100644 --- a/client/grpc/grpc.go +++ b/client/grpc/grpc.go 
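Review bot: The cookie branch of ServeHTTP only becomes reachable with this change (the old `err != nil && c != nil` test cannot succeed, because `req.Cookie` returns a nil cookie whenever it returns an error), so a browser-attached cookie now authenticates the request and is copied into the `Authorization` header by `req.Header.Set`. Browsers attach cookies automatically, so state-changing routes behind this handler need a cross-site request defence, such as a SameSite attribute where the cookie is issued or a verified CSRF token; neither is visible in this hunk. The lookup also uses the literal `"micro-token"` while the value is trimmed with `auth.CookieName+"="`. If both refer to the same name, use the constant in both places (`req.Cookie(auth.CookieName)`) and add a comment saying why the cookie value carries a `name=` prefix. ServeHTTP's body starts and ends outside the hunk.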
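Review bot: `Access-Control-Allow-Credentials: true` is now sent on every response from SetHeaders, whichever branch of the condition above the hunk chose the origin. On the `Access-Control-Allow-Origin: *` path browsers refuse credentialed responses, so the header has no effect there. If the other branch echoes the request's `Origin` header (not visible here), any site could read authenticated responses using the visitor's cookie. Set the credentials header only when the origin matched an explicit allow-list, and add `Vary: Origin` whenever the origin is reflected. SetHeaders starts outside the hunk.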
@@ -123,7 +123,7 @@ func (g *grpcClient) call(ctx context.Context, node *registry.Node, req client.R if md, ok := metadata.FromContext(ctx); ok { header = make(map[string]string, len(md)) for k, v := range md { - header[k] = v + header[strings.ToLower(k)] = v } } else { header = make(map[string]string) @@ -133,9 +133,12 @@ func (g *grpcClient) call(ctx context.Context, node *registry.Node, req client.R header["timeout"] = fmt.Sprintf("%d", opts.RequestTimeout) // set the content type for the request header["x-content-type"] = req.ContentType() + // set the authorization token if one is saved locally - if token, err := config.Get("token"); err == nil && len(token) > 0 { - header["authorization"] = BearerScheme + token + if len(header["authorization"]) == 0 { + if token, err := config.Get("token"); err == nil && len(token) > 0 { + header["authorization"] = BearerScheme + token + } } md := gmetadata.New(header)
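Review bot: Lower-casing the keys in the `for k, v := range md` loop can fold two metadata entries that differ only by case (for example `Authorization` and `authorization`) into one slot. If `md` is a map, as the `range` and `len` usage suggests, Go's randomised iteration order means the surviving value can differ from call to call. The following hunk treats `header["authorization"]` as authoritative, so the winner should be deterministic, for example by iterating the keys in sorted order. Document the rule with a comment such as `// keys are lower-cased; on a case-only collision the last key in sorted order wins`. The body of call continues outside the hunk.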
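Review bot: The comment `// set the authorization token if one is saved locally` no longer matches the code. With the new `len(header["authorization"]) == 0` guard, an authorization value already present in the call context wins and is sent unchanged to the node being called. State that in the comment, e.g. `// forward the caller's authorization metadata if present; otherwise fall back to the locally saved token`, so readers can see that inbound credentials are propagated downstream by design. The error from `config.Get("token")` is still dropped silently; a short comment saying that a missing or unreadable token means the call goes out without credentials would make that intent explicit. The body of call continues outside the hunk.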