diff --git a/packages/core/js-sdk/src/client.ts b/packages/core/js-sdk/src/client.ts
index 025e0b7b0a..14994129a4 100644
--- a/packages/core/js-sdk/src/client.ts
+++ b/packages/core/js-sdk/src/client.ts
@@ -58,17 +58,20 @@ const normalizeRequest = (
 body = JSON.stringify(body)
 }
+ // "credentials" is not supported in some environments (eg. on the backend), and it might throw an exception if the field is set.
 const isFetchCredentialsSupported = "credentials" in Request.prototype
+ // Oftentimes the server will be on a different origin, so we want to default to include
+ // Note that the cookie's SameSite attribute takes precedence over this setting.
+ const credentials =
+ config.auth?.type === "session"
+ ? config.auth?.fetchCredentials || "include"
+ : "omit"
+
 return {
 ...init,
 headers,
- // TODO: Setting this to "include" poses some security risks, as it will send cookies to any domain. We should consider making this configurable.
- credentials: isFetchCredentialsSupported
- ? config.auth?.type === "session"
- ? "include"
- : "omit"
- : undefined,
+ credentials: isFetchCredentialsSupported ? credentials : undefined,
 ...(body ? { body: body as RequestInit["body"] } : {}),
 } as RequestInit
 }
@@ -231,7 +234,9 @@ export class Client {
 let normalizedInput: RequestInfo | URL = input
 if (input instanceof URL || typeof input === "string") {
 const baseUrl = new URL(this.config.baseUrl)
- const fullPath = `${baseUrl.pathname.replace(/\/$/, '')}/${input.toString().replace(/^\//, '')}`
+ const fullPath = `${baseUrl.pathname.replace(/\/$/, "")}/${input
+ .toString()
+ .replace(/^\//, "")}`
 normalizedInput = new URL(fullPath, baseUrl.origin)
 if (init?.query) {
 const params = Object.fromEntries(
diff --git a/packages/core/js-sdk/src/types.ts b/packages/core/js-sdk/src/types.ts
index af935549ea..c4b08291f5 100644
--- a/packages/core/js-sdk/src/types.ts
+++ b/packages/core/js-sdk/src/types.ts
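Review bot: The new `fetchCredentials` override is only consulted on the `"session"` branch of the ternary, so a config with `auth.type: "jwt"` and `fetchCredentials: "include"` is silently coerced to `"omit"`, and neither the added comment nor the option's type says so; if that asymmetry is intended, state it beside the declaration with `// fetchCredentials is only honoured for session auth; jwt requests never carry cookies`, otherwise `config.auth?.fetchCredentials ?? (config.auth?.type === "session" ? "include" : "omit")` applies the override in both modes. The fallback should use `??` rather than `||` in either case, since the field is typed as a non-empty literal union and `||` would quietly turn an empty string from an untyped JS caller into `"include"`. The "SameSite takes precedence" remark is also worth extending: `"include"` only lets the browser attach cookies to a cross-origin request, the response is still discarded unless the server answers with `Access-Control-Allow-Credentials: true` and an explicit, non-wildcard `Access-Control-Allow-Origin`, and because session cookies now travel cross-site by default that server-side origin allowlist is in effect the CSRF boundary for users of this SDK. `normalizeRequest` begins before this hunk, so the branch that sets `body` is not visible here.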
@@ -14,6 +14,7 @@ export type Config = {
 type?: "jwt" | "session"
 jwtTokenStorageKey?: string
 jwtTokenStorageMethod?: "local" | "session" | "memory" | "nostore"
+ fetchCredentials?: "include" | "omit" | "same-origin"
 }
 logger?: Logger
 debug?: boolean
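Review bot: The new `fetchCredentials` field carries no TSDoc even though it is a security-relevant knob: per the `client.ts` hunk in this same diff it is only read when `type` is `"session"`, and the default there is `"include"`, which lets the browser attach the session cookie to requests against a cross-origin `baseUrl`. A comment along the lines of `/** Fetch credentials mode for session-auth requests; defaults to "include" so cookies reach a cross-origin baseUrl. Ignored when type is "jwt". Cross-site cookies additionally need SameSite=None; Secure and a CORS reply carrying Access-Control-Allow-Credentials: true. */` would let integrators see what they are opting into before they change it. The enclosing `Config` type starts before this hunk.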