What is the default value of the mode option?

For a fetch() call you make from your own script, mode defaults to cors. That means cross-origin responses are only readable if the server sends the right CORS headers. Other values are same-origin, no-cors, and navigate.

When should I set credentials to include?

Set credentials: 'include' when you need cookies, TLS client certs, or HTTP authentication sent on a cross-origin request. The default is same-origin, which only sends credentials to the same origin. include also requires the server to send Access-Control-Allow-Credentials.

What does cache: 'no-store' do versus 'no-cache'?

no-store bypasses the HTTP cache entirely: nothing is read from it and nothing is written to it. no-cache still uses the cache but always revalidates with the server first, so a 304 can return the cached copy. They are easy to confuse but behave very differently.

How do I cancel a fetch request?

Create an AbortController, pass its .signal as the signal option, and call controller.abort() to cancel. The fetch promise then rejects with an AbortError. The same signal can cancel several fetches at once.

What is the keepalive option for?

keepalive: true lets a request outlive the page that started it, which is useful for sending analytics or logs from a pagehide or unload handler. Bodies are size-limited (around 64KB total across in-flight keepalive requests) and it cannot be combined with a streaming body.

fetch() Options Reference

Email me this result

Get this tool's output sent to your inbox, plus one useful tool a week. No spam, unsubscribe any time.

What RequestInit is

The second argument to fetch(input, init) is a RequestInit dictionary. Every field is optional, and the defaults are tuned for the common case of a simple same-page GET. Knowing the defaults matters: many subtle bugs — a cookie that never sends, a cross-origin response you cannot read, a stale cached body — come down to an option left at its default when you needed to override it.

How it works

When you call fetch, the browser merges your init object with the defaults to build a Request. The fields fall into a few groups: request line (method, body), headers (headers), security and network policy (mode, credentials, referrerPolicy, redirect), caching (cache), lifecycle (signal, keepalive, priority), and integrity (integrity). The reference below lists each field with its type, default, and the gotcha most likely to bite you, plus a builder that assembles a real init object from your selections.

Tips and notes

Three defaults trip people up most often: mode is cors so cross-origin reads need server CORS headers; credentials is same-origin so cookies do not ride along cross-origin unless you set include; and redirect is follow so a 30x is transparently chased. Use cache: 'no-store' to truly bypass the HTTP cache, an AbortController signal to cancel, and keepalive for beacons sent during page unload.