/**
 * Configures the HTTP security filter chain: a per-request CORS policy, CSRF protection disabled,
 * one static response header, stateless session handling, and deny-by-default authorization rules.
 *
 * <p>NOTE(review): this listing is truncated. The call chain is not terminated, and neither the
 * registration of {@code jwtFilter} nor the final {@code http.build()} is visible here.
 *
 * <p>NOTE(review): the chained {@code .cors()}, {@code .and()}, {@code .csrf().disable()} and
 * {@code .sessionManagement()} forms are deprecated since Spring Security 6.1; the listing mixes
 * them with the lambda DSL used for {@code headers} and {@code authorizeHttpRequests}.
 *
 * @param http the security builder being configured
 * @param jwtFilter the JWT authentication filter; not referenced in the visible lines, so it is
 *     presumably added to the chain further down (confirm)
 * @throws Exception propagated from the {@code HttpSecurity} configuration calls
 */
public SecurityFilterChain filterChain(HttpSecurity http, JwtAuthenticationFilter jwtFilter) throws Exception {
http
// CORS: the lambda is the configuration source, so the policy object is rebuilt for each request
// from allowedOrigins (declared outside this listing).
.cors().configurationSource(request -> {
var cors = new org.springframework.web.cors.CorsConfiguration();
// NOTE(review): because credentials are allowed below, the origin list is the trust boundary.
// Spring rejects a literal "*" origin when allowCredentials is true, so confirm allowedOrigins
// holds only explicit, trusted origins.
for (String origin : allowedOrigins) cors.addAllowedOrigin(origin);
cors.addAllowedMethod("*"); // Allow all HTTP methods including OPTIONS
// Any request header is accepted in preflight.
cors.addAllowedHeader("*");
// Lets browsers attach credentials on cross-origin calls from the allowed origins.
cors.setAllowCredentials(true);
return cors;
})
.and()
// CSRF protection is switched off for the whole chain. That is only sound when the token is
// sent in a request header and never in a cookie - TODO confirm how jwtFilter reads the JWT.
.csrf().disable() // Disable CSRF for REST API
// Adds "X-Content-Type-Options: nosniff" to responses.
// NOTE(review): Spring Security's default header writers normally emit this header already;
// check whether this explicit writer is redundant.
.headers(headers -> headers
.addHeaderWriter(new StaticHeadersWriter("X-Content-Type-Options", "nosniff"))
)
// STATELESS: Spring Security neither creates an HttpSession nor reads the security context from one.
.sessionManagement().sessionCreationPolicy(SessionCreationPolicy.STATELESS)
.and()
// Authorization rules are checked in declaration order; the first matching rule decides.
.authorizeHttpRequests(auth -> auth
// Allow OPTIONS requests for CORS preflight - MUST be first.
// This permits every OPTIONS request on any path without authentication.
// NOTE(review): with cors() enabled, preflight is normally answered by the CORS filter before
// authorization runs, so this rule may be unnecessary - verify before keeping it.
.requestMatchers(HttpMethod.OPTIONS).permitAll()
// Public endpoints, open for every HTTP method.
// NOTE(review): the patterns end in "/". Whether "/users/register" without the trailing slash
// also matches depends on the matcher type and framework version; if it does not, that request
// falls through to denyAll below. Confirm against the URLs clients actually call.
.requestMatchers("/", "/users/register/", "/users/login/").permitAll()
// Only POST on /fetchKeys/ is open to authenticated callers; other methods on that path are denied.
.requestMatchers(HttpMethod.POST, "/fetchKeys/").authenticated()
// Default deny: anything not matched above is rejected, even for authenticated users.
.anyRequest().denyAll()
)
Are you trying to permit all requests to the registration page?