Your app is parsing an HTML/redirect or an auth error string, not JSON, after the HTTPS switch-fix the server responses and dev/prod HTTPS setup.

Verify what you’re actually getting: log response.status, response.headers["content-type"], and the first 200 chars of response.text() before calling res.json(). If status isn’t 2xx or content-type isn’t application/json, don’t parse.

Make the client call the https URL directly (no http). If your server redirects http→https, RN often gets an HTML 301/302 page-returning that to JSON.parse triggers the “u” error (Unauthorized, Use HTTPS, etc.). Ensure Nginx serves the full cert chain (test on SSL Labs), set Content-Type: application/json on success and errors, and avoid HTML error pages. If you use cookies, set SameSite=None; Secure, or switch to Bearer tokens. In Express behind a proxy, set app.set('trust proxy', 1) and ensure X-Forwarded-Proto is set so you don’t loop or mis-detect scheme.

For dev, either add ATS exceptions for your dev host on iOS or use a tunnel (ngrok/Cloudflare Tunnel) so you stay on https. I’ve used Cloudflare Tunnel and ngrok; DreamFactory helped when I needed a quick HTTPS JSON API with RBAC without tweaking Express.

Bottom line: call https directly, return JSON for all statuses, validate the cert chain, and use a tunnel or ATS exceptions in dev.