Authentication

Most real-world APIs require you to prove who you are before they'll respond. HTTPBot's Auth section lets you pick an authentication type and fill in its details; HTTPBot then adds the right headers, query parameters, or signatures to your request automatically when you tap Send.

You choose the type from the picker at the top of the Auth section. The fields below it change to match the type you pick.

The Auth section with the type picker open, listing the available authentication types.The Auth section with the type picker open, listing the available authentication types.The Auth section with the type picker open, listing the available authentication types.

Overview of auth types

Type Pro? What it's for
No Auth No authentication is added
Inherit Use the auth configured on the parent collection
Basic Username and password (HTTP Basic)
Bearer Token A single token sent as Authorization: Bearer …
API Key A named key in a header or query parameter
OAuth 1.0a PRO Signed OAuth 1.0a requests
OAuth 2.0 PRO OAuth 2.0 token flows
Digest PRO HTTP Digest access authentication
Hawk PRO Hawk message authentication
JWT PRO Generate and send a JSON Web Token
NTLM PRO Windows NTLM authentication
AWS PRO AWS Signature v4 request signing

The "advanced" auth types — OAuth 1.0a, OAuth 2.0, Digest, Hawk, JWT, NTLM, and AWS (Signature v4) — require HTTPBot Pro. Basic, Bearer Token, and API Key are available to everyone.

All auth fields support {{variable}} substitution, so you can keep secrets and tokens in an environment rather than typing them into each request. See Environments & Variables.

No Auth and Inherit

Basic

HTTP Basic authentication. Enter a username and password; HTTPBot encodes them and sends an Authorization: Basic … header.

Bearer Token

Enter a single token and HTTPBot sends it as Authorization: Bearer <token>. This is the simplest choice when you already have an access token in hand.

API Key

Send a named key as either a header or a query parameter.

OAuth 1.0a PRO

Signs requests using the OAuth 1.0a protocol. Requires HTTPBot Pro. You can configure:

OAuth 2.0 PRO

Full OAuth 2.0 support, including running the token flow for you. Requires HTTPBot Pro. Tap Configure to open the editor, which is split into Configuration, Advanced, and Token sections.

Pick a grant type:

The visible fields change to match the grant type, so you only see what's relevant. Depending on the grant you can set the Auth URL, Access Token URL, Refresh Token URL (defaults to the Access Token URL if left blank), Redirect URI (default <bundle-id>://oauth/callback), Client ID, Client Secret, Scope, and — for the Password grant — a Username and Password.

The Advanced section adds:

Running the flow. For the browser-based grants, Get Access Token opens an in-app browser to complete sign-in and then exchanges the result for a token. Once you have a token, Refresh fetches a new one using the refresh token, and Clear discards the stored token. HTTPBot stores the access and refresh tokens, tracks expiry, and shows the token's remaining validity inline.

Back on the main Auth screen, choose how the token is attached: as an Authorization header (with a configurable prefix, default Bearer) or as an access_token query parameter.

The OAuth 2.0 configuration with the grant-type picker and the token URLs filled in.The OAuth 2.0 configuration with the grant-type picker and the token URLs filled in.The OAuth 2.0 configuration with the grant-type picker and the token URLs filled in.

Digest PRO

HTTP Digest access authentication. Requires HTTPBot Pro. Enter a username, password, realm, nonce, and qop, and choose an algorithm — MD5, MD5-sess, SHA-256, SHA-256-sess, SHA-512-256, or SHA-512-256-sess. You can also supply a nonce count, client nonce, and opaque value when the server requires them.

Hawk PRO

Hawk message authentication. Requires HTTPBot Pro. Configure the Auth ID and Auth Key, the algorithm (SHA-256 or SHA-1), and the optional user, nonce, timestamp, ext, app, and dlg fields. You can also include a payload hash.

JWT PRO

Generate a JSON Web Token and attach it to the request. Requires HTTPBot Pro.

NTLM PRO

Windows NTLM authentication. Requires HTTPBot Pro. Enter a username, password, and optionally a domain and workstation.

AWS PRO

Signs requests with AWS Signature Version 4 (shown as AWS in the type picker). Requires HTTPBot Pro. Provide your Access Key, Secret Key, Region, and Service, plus an optional Session Token for temporary credentials.

Saved Credentials

If you reuse the same credentials across many requests, save them once as a named Saved Credential and apply them anywhere.

Saved Credentials are also available app-wide from Settings → Saved Auth (titled Saved Credentials), so you can manage them outside of a specific request.

Stored on-device only. Saved Credentials are kept in an encrypted on-device store, with the encryption key held in the device's Keychain. They are not synced via iCloud — credentials you save stay on the device where you created them.

The Saved Credentials list with a couple of named entries.The Saved Credentials list with a couple of named entries.The Saved Credentials list with a couple of named entries.

See Settings & Storage for more on app-wide settings.