The first attempt you made was post request, without having any cookie/auth header. You’ve to be signed in with the user to access resource.
Instead of using javascript to make request from client side, it is recommended to make request from server side (php/python/rails/java/etc). It will avoid CORS and keep credentials safe.
The second method is modern approach by using OAuth 2.0:
read “How to setup OAuth?” and “Using OAuth” from following link.
https://frappe.io/docs/user/en/guides/integration
By using OAuth 2.0. Users can choose to revoke access to the third party app.
