cors_forbidden (403)
The browser Origin isn't in the game's allowed_origins. The classic 'works locally, 403s once deployed' trap.
Add your deployed origin to allowed_origins (dashboard → CORS, or triggair_set_allowed_origins). An empty allowlist is open to any origin.