79456836

Date: 2025-02-21 09:14:42
Score: 0.5

This might help

  1. Make sure your frontend requests include credentials: 'include', e.g.

    fetch('your refresh token endpoint', { method: 'GET', credentials: 'include' })

  2. Make sure you have the CORS parameters set in your settings.py

    CORS_ALLOW_CREDENTIALS = True
    CORS_ALLOWED_ORIGINS = [
        # Add any URL you use for your frontend code
    ]
    CSRF_COOKIE_HTTPONLY = True
    CSRF_COOKIE_SECURE = False  # set this to True when you are in production
    CSRF_COOKIE_SAMESITE = 'Lax'
    SESSION_COOKIE_SAMESITE = 'Lax'

  3. Make sure the frontend includes the CSRF token in the headers, if you have any though.

Also remember that if the refresh_token cookie is set with httponly=True, JavaScript can't read it, which is normal. But the browser will send it automatically with requests.

So, make sure you're calling the refresh endpoint from the browser, not Postman (Postman won’t send cookies), and use secure=True only if you're on HTTPS; otherwise, it might not work locally.

Reasons:
  • Long answer (-0.5):
  • No code block (0.5):
  • Low reputation (0.5):
Posted by: Idris Olokunola
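
An added example, not part of the original answer: a small audit of the cookie and CORS settings from step 2, run once as a development configuration and once as if deployed to production. The function names, finding codes and the `http://localhost:3000` origin are constructed for illustration; the setting names are Django's and django-cors-headers' own.

```python
from urllib.parse import urlsplit

# Constructed sample: the answer's development settings, with a made-up frontend origin.
DEV_SETTINGS = {
    "CORS_ALLOW_CREDENTIALS": True,
    "CORS_ALLOWED_ORIGINS": ["http://localhost:3000"],
    "CSRF_COOKIE_HTTPONLY": True,
    "CSRF_COOKIE_SECURE": False,
    "CSRF_COOKIE_SAMESITE": "Lax",
    "SESSION_COOKIE_SAMESITE": "Lax",
}


def audit(settings, production=False):
    """Return (code, message) findings for cookie and CORS settings."""
    out = []
    origins = settings.get("CORS_ALLOWED_ORIGINS", [])
    if settings.get("CORS_ALLOW_CREDENTIALS"):
        if settings.get("CORS_ALLOW_ALL_ORIGINS", False):
            out.append(("cors-any-origin", "credentialed CORS is allowed for every origin"))
        elif not origins and not settings.get("CORS_ALLOWED_ORIGIN_REGEXES"):
            out.append(("cors-no-origin", "no frontend origin is allowed to send credentials"))
    for origin in origins:
        parts = urlsplit(origin)
        if parts.scheme not in ("http", "https") or not parts.netloc or parts.path:
            out.append(("origin-format", f"{origin!r} is not scheme://host[:port]"))
        elif production and parts.scheme != "https":
            out.append(("origin-not-https", f"{origin!r} is plain HTTP in production"))
    for name in ("CSRF", "SESSION"):
        secure = settings.get(f"{name}_COOKIE_SECURE", False)  # Django default
        samesite = settings.get(f"{name}_COOKIE_SAMESITE", "Lax")  # Django default
        if samesite == "None" and not secure:
            out.append((f"{name.lower()}-samesite-none", "SameSite=None needs Secure"))
        if production and not secure:
            out.append((f"{name.lower()}-insecure", f"{name}_COOKIE_SECURE is off in production"))
    if settings.get("CSRF_COOKIE_HTTPONLY"):
        # Django: with this on, JavaScript cannot read csrftoken from the cookie.
        out.append(("csrf-httponly", "frontend must take the CSRF token from the page, not the cookie"))
    return out


def codes(settings, production=False):
    """Finding codes only, in the order audit() reports them."""
    return [code for code, _ in audit(settings, production)]


if __name__ == "__main__":
    for code, message in audit(DEV_SETTINGS, production=True):
        print(f"{code}: {message}")
```

The `csrf-httponly` finding matters for step 3: with `CSRF_COOKIE_HTTPONLY = True`, the frontend has to read the token from a hidden form input or a server-rendered value before putting it in a request header.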