What does credentials: 'include' do in fetch?
It tells the browser to send cookies and authorization headers with the cross-origin request. Without it, no credentials are sent. The server must also set Access-Control-Allow-Credentials: true.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in CORS with Credentials and Cookies
On the client: fetch(url, { credentials: 'include' }). On the server: Access-Control-Allow-Credentials: true and Access-Control-Allow-Origin must be the specific origin (not *).
No. When credentials are involved, the server must specify the exact origin (https://myapp.com). The wildcard * is not allowed with credentials for security reasons.
SameSite=None and Secure. SameSite=None allows the cookie to be sent cross-site. Secure requires HTTPS. Without these, the browser does not send the cookie cross-origin.
Still have questions?
Browse all our FAQs or reach out to our support team
