faloker / purify

All-in-one tool for managing vulnerability reports from AppSec pipelines

Home Page: https://faloker.gitbook.io/purify


/api/auth/tokens and /api/auth/refresh_tokens seem to be broken

dmspils opened this issue

Having just launched a vanilla build of purify, I instantly see a console warning as soon as I launch the app:

Failed to load resource: the server responded with a status of 401 ()- /api/auth/refresh_token:1

The associated refresh_token cookie is not written either.

Exploring this some more via curl, I cannot execute a command against the api which provides a valid response.

Executing:

curl https://<my_fqdn>/api/auth/token -d username="username" -d password="password" -H "Content-Type: text/plain"

Returns:

{"statusCode":401,"message":"Unauthorized"}

I tested this with your deployed Heroku instance and found the same:

curl https://purify-demo.herokuapp.com/api/auth/token -d username="username" -d password="password" -H "Content-Type: text/plain"

Response:

{"statusCode":401,"message":"Unauthorized"}

The only difference between your Heroku instance and mine is that the refresh_token cookie is written and the endpoint does return a 200 on your Heroku instance.

Note that in both, username and password are set to the values that do work via the UI so it is not a credential issue.

Send it as JSON:

curl --header "Content-Type: application/json" \
  --request POST \
  --data '{"username":"xyz","password":"xyz"}' \
  https://purify-demo.herokuapp.com/api/auth/token

And you will get the following response:

{"statusCode":401,"message":"Invalid username/password","error":"Unauthorized"}

Regarding the refresh_token cookie, did you set the DOMAIN variable within the .env file as described here?
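The two things the maintainer points at (the request body must be JSON with `Content-Type: application/json`, and the refresh_token cookie only appears when the DOMAIN setting is right) can be checked in one place before opening an issue. The script below is an added example and is not part of purify; it spins up a constructed local stand-in for `/api/auth/token` that mirrors the three responses quoted in this thread, then runs a small `check_deployment` probe against it. The server logic, the `COOKIE_DOMAIN` value, the token strings and the success payload are assumptions made for the example; against a real deployment you would call `check_deployment` with the instance URL, your credentials and the DOMAIN value from your `.env` file instead of the mock.

```python
import json
import threading
from http.cookies import SimpleCookie
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed stand-in for /api/auth/token, mimicking the thread: a non-JSON
# body gets a bare 401, wrong JSON credentials get "Invalid username/password",
# and a valid login returns 200 plus a refresh_token cookie scoped to DOMAIN.
VALID_USER = "xyz"
VALID_PASS = "xyz"
COOKIE_DOMAIN = "purify.example"  # hypothetical DOMAIN value from .env


class MockAuthHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        raw = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        if self.path != "/api/auth/token":
            self._reply(404, {"statusCode": 404, "message": "Not Found"})
            return
        if self.headers.get("Content-Type", "") != "application/json":
            # This is what curl -d ... -H "Content-Type: text/plain" hits.
            self._reply(401, {"statusCode": 401, "message": "Unauthorized"})
            return
        try:
            creds = json.loads(raw)
        except ValueError:
            creds = {}
        if creds.get("username") == VALID_USER and creds.get("password") == VALID_PASS:
            cookie = f"refresh_token=constructed; Domain={COOKIE_DOMAIN}; HttpOnly; Path=/"
            self._reply(200, {"access_token": "constructed-token"}, cookie=cookie)
        else:
            self._reply(401, {"statusCode": 401, "message": "Invalid username/password",
                              "error": "Unauthorized"})

    def _reply(self, status, body, cookie=None):
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        if cookie:
            self.send_header("Set-Cookie", cookie)
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the example quiet
        pass


def start_mock_server():
    """Start the stand-in on a free loopback port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), MockAuthHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"


def login(base_url, username, password, content_type="application/json"):
    """POST credentials; return (status, parsed JSON body, refresh cookie Domain or None)."""
    if content_type == "application/json":
        body = json.dumps({"username": username, "password": password}).encode()
    else:
        body = f"username={username}&password={password}".encode()  # what curl -d sends
    req = Request(f"{base_url}/api/auth/token", data=body, method="POST",
                  headers={"Content-Type": content_type})
    try:
        resp = urlopen(req)
        status, payload, cookie_hdr = resp.status, resp.read(), resp.headers.get("Set-Cookie")
    except HTTPError as err:  # urllib raises on 4xx; the body is still readable
        status, payload, cookie_hdr = err.code, err.read(), err.headers.get("Set-Cookie")
    domain = None
    if cookie_hdr:
        jar = SimpleCookie()
        jar.load(cookie_hdr)
        if "refresh_token" in jar:
            domain = jar["refresh_token"]["domain"] or None
    return status, json.loads(payload), domain


def check_deployment(base_url, username, password, expected_domain):
    """Run the three probes from the thread and report what each one shows."""
    wrong_ct = login(base_url, username, password, content_type="text/plain")
    bad_creds = login(base_url, username, "not-the-password")
    good = login(base_url, username, password)
    return {
        "text_plain_rejected": wrong_ct[0] == 401,
        "bad_creds_named": bad_creds[1].get("message") == "Invalid username/password",
        "login_ok": good[0] == 200,
        "cookie_domain_ok": good[2] == expected_domain,
    }


if __name__ == "__main__":
    server, url = start_mock_server()
    print(check_deployment(url, VALID_USER, VALID_PASS, COOKIE_DOMAIN))
    server.shutdown()
```

A real deployment that is configured correctly should report all four keys as True; `cookie_domain_ok` being False while `login_ok` is True is the symptom described in this issue, and points at the DOMAIN setting rather than at the credentials.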

Ahhhh you were right, I had modded .env.custom but was still calling the default .env.example from docker-compose.yml. My bad, it now works, thanks for the help.