REST APIs use authorization to ensure that a client has secure access only to the resources permitted by their roles. If you are building or integrating with a 3rd party API, you can choose between Basic Auth, Bearer Tokens, and OAuth2.0.

Auth details can be added to a header, body, or as parameters to a request. However, if you enter your auth details in the Authorization Tab, Hoppscotch will automatically modify the relevant parts of the request based on your chosen Auth type. Storing Auth Credentials or Bearer Tokens as environment variables, lets you re-use these more safely and efficiently.


Inherit the authorization settings from the parent collection.

Basic Auth

If the API supports basic Auth, you will have to add a verified username and password to your request. In the authorization tab, select basic auth and add your credentials.

Bearer Tokens

Bearer tokens allow for request authentication using an access key, such as an opaque string or JWT. In the Authorization Tab, select Basic Auth and add your token, or for added security store it in a variable and reference it by name.

Hoppscotch will append the API key value to the text ‘Bearer’ and add it to the request authorization header.

Bearer <Your API key>

OAuth 2.0

In this Authorization Model, you first retrieve an access token for the API and then use that token to authenticate future requests.


  1. In the ”Authorization Tab” for a request, select OAuth 2.0 from the Authorization Type drop-down.
  2. Select the Grant Type from Authorization Code (with or without PKCE), Client Credentials, Password Credentials, and Implicit.
  3. Fill out the fields in the section below and click on ”Generate Token” to generate a new access token.
  4. You can save the token to be re-used later.

Grant types

When using OAuth 2.0 authorization with Hoppscotch, you can utilize the following grant types:

1. Authorization Code

The Authorization Code grant type mandates user authentication with the provider, leading to the issuance of an authorization code back to the client application. This code is then extracted and swapped with the provider for an access token, which is later used to authenticate subsequent requests.

To use the Authorization Code grant type, specify a Callback URL for your client application, along with other pertinent details such as Auth URL, Access Token URL, Client ID, and Client Secret provided by the API service.

Using PKCE

Opting for OAuth 2.0 with PKCE (Proof Key for Code Exchange), you gain the option to enhance security. Upon selecting PKCE, You can choose between SHA-256 or Plain algorithms.

2. Client Credentials

The client credentials grant type is commonly employed for accessing data tied to the client application. Provide the Access Token URL of the provider along with the Client ID and Client Secret for your registered application.

3. Password Credentials

The OAuth 2.0 Password grant type sends the username and password directly from the client, which is not advised when handling third-party data.

To utilize the password grant type, input your API provider’s Access Token URL, along with the Username and Password. Occasionally, you may also be required to supply a client ID and secret.

4. Implicit

The Implicit grant type furnishes the client with an access token directly, eliminating the additional authentication code step and is less secure.

For utilizing the implicit grant type in your requests via Hoppscotch, provide a Callback URL registered with the API provider, the provider’s Auth URL, and a Client ID for the registered application.