Auth presets
Basic, Bearer, API key, OAuth2 (auth code with PKCE, client credentials, password), Digest, NTLM, AWS SigV4, vault, inherit. {{env}} substitution in every OAuth field.
Auth applies per-request or via collection / folder inheritance.
Presets
| Preset | Notes |
|---|---|
| None | No auth header sent |
| Basic | username + password |
| Bearer | static token |
| API key | header or query, configurable name |
| OAuth2 | authorization code (with PKCE), client credentials, password grant — token caching included |
| Digest | RFC 2617 |
| NTLM | Windows-style NTLMv2 |
| AWS SigV4 | service + region + credentials |
| Vault | resolves a vault credential ID at request time |
| Inherit | use the parent collection or folder’s auth |
OAuth2 details
The OAuth2 preset supports three grants:
- Authorization code with PKCE — opens a browser to the authorize URL, captures the code, exchanges for a token. PKCE (S256 verifier) is mandatory for public clients.
- Client credentials — server-to-server, no user interaction.
- Password grant — username + password against the token endpoint (deprecated by OAuth 2.1 but still supported by many enterprise IdPs).
Negotiated bearer tokens cache in memory for the request batch. Refresh tokens auto-renew before expiry.
{{env}} substitution works in every OAuth string field — token URL, client ID, client secret, scope, redirect URI, audience, custom params. Same Environment-variable syntax as URLs and headers.
Inheritance + override
Set auth on a collection and every request beneath inherits unless it explicitly overrides. Folder-level overrides cascade the same way (folder auth overrides collection, request auth overrides folder).
The request row shows an inherits from