ltijs: Invalid session cookies on prod environment

Hi, We are not completely sure if this is a ltijs issue, but we tried everything we can and not able to get this working.

Here’s our setup for our prod environment:

// Setup
lti.setup(process.env.LTI_KEY,
  {
    url: 'mongodb+xxxxxxxxx/' + process.env.DB_NAME,
    connection: { user: process.env.DB_USER, pass: process.env.DB_PASS }
  }, {
    staticPath: path.join(__dirname, './public'), // Path to static files
    cookies: {
      secure: true, // Set secure to true if the testing platform is in a different domain and https is being used
      sameSite: '', // Set sameSite to 'None' if the testing platform is in a different domain and https is being used
      domain: '.xyz.com'
    },
    devMode: false // Set DevMode to true if the testing platform is in a different domain and https is not being used
  })

Now, when we do a fetch request for the /info route like this…

const getLTIInfo = async(ltiToken) => {
  const response = await fetch(`https://lti.xyz.com/info?ltik=${ltiToken}`, {
    method: 'GET',
    credentials: "same-origin",
    headers: {
      'Content-Type': 'application/json'
    }
  });
  return response.json();
}

LTIJS is unable to find the session cookies. Any idea on what we are not doing right here? I thought setting the credentials to same-origin should automatically pick up the cookies from the browser from the same origin, but it is not.