Authentication
Learn how to configure and test API authentication in RESTK — Bearer tokens, API keys, JWT, Basic Auth, OAuth 2.0, OAuth 1.0, Digest, AWS Sig V4, Hawk, and NTLM.
RESTK supports all major API authentication methods out of the box. Configure auth at the request, folder, or collection level, and RESTK automatically injects the correct credentials into every request.
Supported Auth Types
| Auth Type | Use Case | Credential Location |
|---|---|---|
| Bearer Token | Token-based APIs, OAuth 2.0 APIs | Authorization header |
| API Key | Simple key-based APIs | Header or query parameter |
| Basic Auth | Legacy APIs, internal services | Authorization header (Base64) |
| JWT | Custom token signing, service-to-service auth | Authorization header |
| OAuth 2.0 | Authorization Code, Client Credentials, and other OAuth 2.0 grant types | Authorization header |
| OAuth 1.0 | Legacy OAuth-authenticated APIs | Authorization header (signed) |
| Digest | HTTP Digest authentication | Authorization header |
| AWS Signature V4 | AWS APIs (S3, Lambda, API Gateway, etc.) | Authorization header + signed headers |
| Hawk | Hawk HTTP authentication | Authorization header |
| NTLM | Windows/Active Directory integrated APIs | Multi-step challenge-response |
| None | Public APIs, no auth required | N/A |
You can also set auth to Inherit to use the parent folder or collection's auth configuration.
Bearer Token
Bearer token authentication sends a token in the Authorization header with every request.
Setup
Select Auth Type
Open a request, folder, or collection and navigate to the Auth tab. Select Bearer Token from the dropdown.
Enter Token
Paste your token into the Token field. You can also use a variable reference like {{access_token}}.
Send Request
RESTK automatically adds the header Authorization: Bearer <your-token> to every request.
How It Works
When you send the request, RESTK injects the following header:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Use Variables for Tokens
Store tokens in environment or collection variables and reference them as {{access_token}}. This makes it easy to switch between environments without editing auth settings.
Dynamic Tokens via Scripts
You can also set bearer tokens programmatically in a pre-script:
// Pre-script: Set token from variable
nova.request.setBearerToken(nova.variable.get("access_token"));
Or extract and store a token from a login response:
// Post-script: Extract token from response
const data = nova.response.json();
if (data && data.access_token) {
nova.variable.set("access_token", data.access_token);
}
API Key
API key authentication sends a key as either a header or a query parameter.
Setup
Select Auth Type
Choose API Key from the auth type dropdown.
Configure Key
Enter the key name, value, and choose where to send it.
Configuration
| Field | Description | Example |
|---|---|---|
| Key Name | The header or parameter name | X-API-Key |
| Key Value | The API key value | sk_live_abc123 |
| Add To | Where to send the key | Header or Query Parameter |
Header example:
X-API-Key: sk_live_abc123
Query parameter example:
https://api.example.com/users?api_key=sk_live_abc123
Variable Support
Use {{api_key}} in the value field to pull from environment or collection variables.
Basic Auth
Basic authentication sends a Base64-encoded username and password in the Authorization header.
Setup
Select Auth Type
Choose Basic Auth from the auth type dropdown.
Enter Credentials
Provide the Username and Password fields.
Send Request
RESTK Base64-encodes the credentials and adds the Authorization header automatically.
How It Works
RESTK constructs the header as follows:
Authorization: Basic base64(username:password)
For example, with username admin and password secret123:
Authorization: Basic YWRtaW46c2VjcmV0MTIz
You can also set Basic auth in a pre-script:
nova.request.setBasicAuth("admin", nova.variable.get("admin_password"));
Security Note
Basic auth transmits credentials in Base64 encoding, which is not encryption. Always use HTTPS when sending Basic auth requests to production APIs.
JWT Generation
RESTK can generate and sign JWT tokens directly, which is useful for testing APIs that require custom JWTs.
Creating a JWT
Select Auth Type
Choose JWT from the auth type dropdown.
Configure Header
Set the algorithm (HS256, HS384, or HS512) and optionally add custom header claims.
Define Payload
Enter the JWT payload as JSON:
{
"sub": "1234567890",
"name": "Jane Doe",
"iat": {{$timestamp}},
"exp": {{$timestamp}} + 3600,
"role": "admin"
}
Provide Signing Key
Enter the secret for the HMAC algorithm.
Generate and Use
RESTK generates the signed JWT and injects it as a Bearer token. The token is regenerated before each request to ensure the timestamps are current.
Supported Algorithms
| Family | Algorithms |
|---|---|
| HMAC | HS256, HS384, HS512 |
Auth Inheritance
Authentication settings cascade from collections to folders to requests, reducing repetitive configuration.
How Inheritance Works
Collection Auth (Bearer Token: {{api_token}})
|
+-- Folder: Users (Inherit from Collection)
| +-- GET /users --> Uses collection's Bearer Token
| +-- POST /users --> Uses collection's Bearer Token
|
+-- Folder: Public (Auth: None)
| +-- GET /health --> No auth sent
| +-- GET /status --> No auth sent
|
+-- Folder: Admin (Auth: Basic Auth)
+-- DELETE /users/:id --> Uses folder's Basic Auth
Inheritance Rules
- Inherit (default): The request uses the auth from its parent folder, or the collection if no folder auth is set
- Override: Set a specific auth type on a folder or request to override the parent
- None: Explicitly set auth to None to send no credentials, even if a parent has auth configured
Auth Override Flag
Folders have an Override parent auth toggle. When enabled, all requests in that folder use the folder's auth instead of inheriting from the collection.
Storing Secrets Securely
RESTK takes a privacy-first approach to credential storage.
Keychain Integration
On macOS, authentication credentials such as passwords, tokens, and client secrets are stored in the system Keychain. This provides OS-level encryption and access control.
Encrypted Variables
For secrets that need to be referenced across requests, use Secret Variables.
Create Secret Variable
In your environment or collection variables, set the variable type to Secret.
Enter Value
The value is masked in the UI and stored encrypted on disk.
Reference in Auth
Use {{my_secret}} in any auth field.
Credentials Stay Local
Auth credentials are stored only on your device using the macOS Keychain. They are never synced to the server. When setting up RESTK on a new device, you need to re-enter credentials.
Best Practices
- Use variables for tokens -- Store tokens in environment variables so you can switch between dev, staging, and production without editing auth settings
- Set auth at the collection level -- Configure auth once on the collection and let requests inherit it
- Use Secret variables -- Mark sensitive values as secrets to mask them in the UI
- Automate token extraction -- Use post-scripts to extract and store tokens from login responses
- Test with different auth -- Override auth on individual requests to test permission boundaries
- Rotate credentials regularly -- Update stored tokens and API keys periodically