Fetch API credentials Option: How omit, same-origin, and include Work
The Fetch API's credentials option controls whether authentication data — including cookies, HTTP credentials, and TLS certificates — is sent with HTTP requests. The omit mode never sends credentials, while same-origin, the default, sends them only when the request targets the same domain. The include mode allows eligible cookies to be considered for cross-origin requests, though cookie attributes like SameSite and Domain still determine whether they are actually sent. When using include for cross-origin requests, the server must respond with Access-Control-Allow-Credentials: true and a specific origin in Access-Control-Allow-Origin, or JavaScript will be blocked from reading the response. Understanding these three modes is critical for correctly handling authentication, sessions, and CORS in web applications.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
Discussion (0)
Log in to join the discussion and vote.
Log in