Hi Colin, Yes, we have a Grails 6 app using Spring Security with our Angular app using cookies at /app/ws and REST at /app/api. We struggled for a while getting the /app/api mapping to stop issuing cookies but finally figured out that it was a configuration issue in our Spring Auth Filters. The config is:

plugin:
    springsecurity: # Spring Security Plugin Configuration
      rest:
        token:
          storage:
            jwt:
              secret: "Some secret key to dev, hope this is long enough."
              expiration: 14400 # default expiration to 4 hours
          validation:
            enableAnonymousAccess: true
      filterChain:
        chainMap:
          - pattern: '/api/appVersion'
            filters: 'anonymousAuthenticationFilter,restTokenValidationFilter,restExceptionTranslationFilter,filterInvocationInterceptor'
          - pattern: '/api/**'
            filters: 'JOINED_FILTERS,-anonymousAuthenticationFilter,-exceptionTranslationFilter,-authenticationProcessingFilter,-securityContextPersistenceFilter,-rememberMeAuthenticationFilter' # Stateless chain
          - pattern: '/**'
            filters: 'JOINED_FILTERS,-restTokenValidationFilter,-restExceptionTranslationFilter' # Traditional chain