This feature is well established and works across many devices and browser versions. It’s been available across browsers since March 2017.
Note: This feature is available in Web Workers.
The credentials read-only property of the Request interface reflects the value given to the Request() constructor in the credentials option. It determines whether or not the browser sends credentials with the request, as well as whether any Set-Cookie response headers are respected.
Credentials are cookies, TLS client certificates, or authentication headers containing a username and password.
See Including credentials for more details.
A string with one of the following values:
omitNever send credentials in the request or include credentials in the response.
same-originOnly send and include credentials for same-origin requests. This is the default.
includeAlways include credentials, even for cross-origin requests.
In the following snippet, we create a new request using the Request() constructor (for an image file in the same directory as the script), then save the request credentials in a variable:
const request = new Request("flowers.jpg");
const credentials = request.credentials; // returns "same-origin" by default
| Specification |
|---|
| Fetch> # ref-for-dom-request-credentials②> |
| Desktop | Mobile | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Chrome | Edge | Firefox | Opera | Safari | Chrome Android | Firefox for Android | Opera Android | Safari on IOS | Samsung Internet | WebView Android | WebView on iOS | |
credentials |
40 | 14 | 39 | 27 | 10.1 | 40 | 39 | 27 | 10.3 | 4.0 | 40 | 10.3 |
default_same-origin |
72 | 18 | 61 | 55 | 12.1 | 72 | 61 | No | 12.2 | 11.0 | 72 | 12.2 |
© 2005–2025 MDN contributors.
Licensed under the Creative Commons Attribution-ShareAlike License v2.5 or later.
https://developer.mozilla.org/en-US/docs/Web/API/Request/credentials