Authorization is the process of verifying that a client has permission to access a resource.
Auth
type. Storing Auth Credentials or Bearer Tokens as environment variables lets you reuse them more safely and efficiently.
Basic Auth
as your authentication type. You’ll then input your verified username and password. When you send the request, Hoppscotch will automatically encode your credentials in the format:
Bearer
from the Authorization tab and enter your access token. Hoppscotch will include the token in the request header as:
API Key
authentication by selecting it from the Authorization tab. Here, you’ll need to fill in two fields: the Key, which is the name the API expects (like api_key or Authorization), and the Value, which is your actual API Key. You can also choose whether to pass this API Key as a Header or as a Query Parameter.
OAuth 2.0
from the Authorization Type drop-down.
Authorization Code
grant type, ensure the Callback URL is correctly configured (either https://hoppscotch.io/oauth for Hoppscotch Cloud or <your-domain>/oauth for self-hosted editions). Next, provide the Authorization Endpoint and Access Token Endpoint from the API provider, along with the Client ID (and the Client Secret if you choose to use it). You can also specify the desired permissions in the Scope field and pass the token as a Header or as a Query Parameter. Once you’ve filled in these fields, click Generate Token to get your access token.
Using PKCE
Using OAuth 2.0 with PKCE (Proof Key for Code Exchange) gives you the option to enhance security. After selecting PKCE, you can choose between the SHA-256 and Plain algorithms.
Client Credentials
grant type, input the Authorization Endpoint from the API provider, and fill in your Client ID. Including a Client Secret is optional.
Client Authentication
field to suit your security requirements.
Password
credentials grant type in Hoppscotch, provide your API provider’s Authorization Endpoint, along with the Username and Password. Occasionally, you may also be required to supply a Client ID and Secret.
Implicit
grant type in Hoppscotch, make sure the Callback URL is set as required (either https://hoppscotch.io/oauth or <your-domain>/oauth). You will also need to provide the Authorization Endpoint and Client ID to generate the token.
https://hoppscotch.io/oauth while for self-hosted editions of Hoppscotch, the callback URL should be set to <your-domain>/oauth. You must configure this URL as a valid redirect URI in your OAuth provider’s settings. This is important because Hoppscotch handles all OAuth requests on the client side. When your OAuth provider redirects you to this URL, we process the response to obtain the token or authorization code. Any mismatch between the registered callback URL and what Hoppscotch uses will result in errors like INVALID_REDIRECT_URI during the authorization process.
401 Unauthorized status and a WWW-Authenticate header. This header contains essential information, including a unique challenge that you will use to generate a valid response.
To configure Digest Auth in Hoppscotch, start by entering your Username and Password. For added security, you can also provide optional parameters like Realm and Nonce from the WWW-Authenticate header. Choose the appropriate Algorithm for hashing and define the Quality of Protection (QoP) to further secure your requests. You can also specify parameters such as Nonce Count, Client Nonce, and Opaque to further bolster the authentication process.
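The following added example (not part of the Hoppscotch documentation or code base) shows how the Digest Auth fields listed above combine into the response value, following the RFC 2617 / RFC 7616 computation for QoP `auth`. The sample challenge and credentials are the worked example values from RFC 2617, section 3.5; the function names are illustrative.

```python
import hashlib
import re

# Sample challenge built from the worked example values in RFC 2617, section 3.5.
CHALLENGE = ('Digest realm="testrealm@host.com", qop="auth", '
             'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", '
             'opaque="5ccc069c403ebaf9f0171e9517f40e41"')

HASHES = {"MD5": "md5", "SHA-256": "sha256"}  # Algorithm field -> hashlib name


def parse_challenge(header):
    """Split a WWW-Authenticate Digest value into a dict of its parameters."""
    scheme, _, params = header.partition(" ")
    if scheme.lower() != "digest":
        raise ValueError("not a Digest challenge")
    pairs = re.findall(r'(\w+)=(?:"([^"]*)"|([^\s,]+))', params)
    return {key.lower(): quoted or bare for key, quoted, bare in pairs}


def digest_response(username, password, method, uri, challenge, nc, cnonce):
    """Compute the response value the client sends back in Authorization."""
    algorithm = challenge.get("algorithm", "MD5").upper()
    if algorithm not in HASHES:
        raise ValueError(f"unsupported algorithm: {algorithm}")

    def h(text):
        return hashlib.new(HASHES[algorithm], text.encode()).hexdigest()

    ha1 = h(f"{username}:{challenge['realm']}:{password}")  # secret part
    ha2 = h(f"{method}:{uri}")                              # request part
    nonce = challenge["nonce"]
    qops = [q.strip() for q in challenge.get("qop", "").split(",") if q.strip()]
    if "auth" in qops:
        # Nonce Count and Client Nonce are bound into the hash, so each
        # request's response is unique to its counter value.
        return h(f"{ha1}:{nonce}:{nc:08x}:{cnonce}:auth:{ha2}")
    if not qops:
        return h(f"{ha1}:{nonce}:{ha2}")  # legacy form when no QoP is offered
    raise ValueError("this example only handles qop=auth")


if __name__ == "__main__":
    params = parse_challenge(CHALLENGE)
    print(digest_response("Mufasa", "Circle Of Life", "GET",
                          "/dir/index.html", params, 1, "0a4f113b"))
```

Opaque is not part of the hash; the client returns it to the server unchanged alongside the computed response.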
AWS Signature
in Hoppscotch, enter your AWS Access Key and Secret Key to sign your requests. For advanced configuration, you can also provide details like the AWS Region where your service is hosted (like us-east-1), the Service Name of the specific AWS service you’re accessing (such as s3 or dynamodb), and a Service Token if you’re using temporary security credentials.
JWT
from the Authorization tab.
You can then enter your JWT Token directly, or if you have a JWT secret, you can use it to generate the token. This token will be included in the request header as:
inherit.