The 401 error isn't necessarily from CORS, but rather from your auth endpoint. Either you have to have an unauthenticated endpoint to register, then redirect/respond with the token/auth mechanism of your choice, or you have to have a general client "secret" token that has the permissions necessary that can access the "public" endpoints like register, login, etc.