Access-Control-Allow-Credentials

Access-Control-Allow-Credentials is an HTTP response header that, when set to true, allows browsers to send identifiable information (such as cookies, Authorization headers, and TLS client certificates) with cross-origin requests.

By default, browsers omit credentials from cross-origin requests to improve security, so a request to a different origin is anonymous and cannot reach resources that require authentication. If Access-Control-Allow-Credentials is set to true, identifiable information is sent along with the cross-origin request.

We recommend that you do not set Access-Control-Allow-Origin to * when setting Access-Control-Allow-Credentials to true, because this gives all origins access to your users' identifiable information; browsers also reject this combination for credentialed requests, so it does not work even where it is configured. For more control over who has access to your credentials, we recommend using an explicit list of allowed origins and returning only an origin that appears in that list.
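The following is an added example, not code from the original page: a server-side helper that builds the CORS response headers from an explicit origin allowlist, beside a simplified model of the check a browser performs before exposing a credentialed response to script. The allowlist entries are constructed sample origins, and the function names are assumptions made for this illustration.

```javascript
// Added example (not from the original page). Computes CORS response headers
// for credentialed requests from an explicit allowlist, and models the
// browser-side check that rejects the "*" + credentials combination.

// Constructed sample allowlist: origins permitted to make credentialed requests.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Build the CORS response headers for a request carrying `requestOrigin`.
// Origins outside the allowlist get no CORS headers at all, so the browser
// withholds the response from cross-origin script. The Origin value is only
// ever echoed back when it matches an allowlist entry exactly; it is never
// reflected blindly and never replaced with "*".
function corsHeaders(requestOrigin, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== "string" || !allowedOrigins.has(requestOrigin)) {
    return {};
  }
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    // The response differs per Origin, so shared caches must key on it.
    "Vary": "Origin",
  };
}

// Simplified model of the browser's check for a credentialed request
// (fetch with credentials: "include" or XMLHttpRequest with withCredentials).
// The response is exposed to the page only if Access-Control-Allow-Origin
// equals the request's origin exactly (so "*" fails) and
// Access-Control-Allow-Credentials is exactly "true".
function browserExposesCredentialedResponse(requestOrigin, headers) {
  return (
    headers["Access-Control-Allow-Origin"] === requestOrigin &&
    headers["Access-Control-Allow-Credentials"] === "true"
  );
}

// The misconfiguration the page warns against: wildcard origin with credentials.
const WILDCARD_WITH_CREDENTIALS = {
  "Access-Control-Allow-Origin": "*",
  "Access-Control-Allow-Credentials": "true",
};

// Walk through the allowlisted, unknown and wildcard cases.
function demo() {
  const good = corsHeaders("https://app.example.com");
  const unknown = corsHeaders("https://attacker.example");
  return {
    allowlistedExposed: browserExposesCredentialedResponse("https://app.example.com", good),
    unknownExposed: browserExposesCredentialedResponse("https://attacker.example", unknown),
    wildcardExposed: browserExposesCredentialedResponse("https://app.example.com", WILDCARD_WITH_CREDENTIALS),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

In this model only the allowlisted origin receives its own value back and sees the response; an origin outside the list gets no CORS headers, and the wildcard configuration fails the browser check even though the server "allowed" credentials. Keeping `Vary: Origin` on the response matters when a cache sits in front of the server, since the headers differ per requesting origin.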

One use case for setting Access-Control-Allow-Credentials to true is when a website uses third-party services that need user authentication.