In addition to what Jack posted there are several other things to keep in mind.
If the cookie already exists in the browser, even if it is HTTPOnly it is still sent on requests within the same cookie domain. So while you may not be able to specifically access it, your API request will contain the cookie if it was already in the browser.
Enhanced settings around dealing with web clients have been introduced that give you a range of options in dealing with those API calls and can be found here.
There is also an excellent blog here that discusses some of the strategies we are using for customers with SPAs. You can find it here.