Authentication
Most real-world APIs require you to prove who you are before they'll respond. HTTPBot's Auth section lets you pick an authentication type and fill in its details; HTTPBot then adds the right headers, query parameters, or signatures to your request automatically when you tap Send.
You choose the type from the picker at the top of the Auth section. The fields below it change to match the type you pick.



Overview of auth types
| Type | Pro? | What it's for |
|---|---|---|
| No Auth | — | No authentication is added |
| Inherit | — | Use the auth configured on the parent collection |
| Basic | — | Username and password (HTTP Basic) |
| Bearer Token | — | A single token sent as Authorization: Bearer … |
| API Key | — | A named key in a header or query parameter |
| OAuth 1.0a | PRO | Signed OAuth 1.0a requests |
| OAuth 2.0 | PRO | OAuth 2.0 token flows |
| Digest | PRO | HTTP Digest access authentication |
| Hawk | PRO | Hawk message authentication |
| JWT | PRO | Generate and send a JSON Web Token |
| NTLM | PRO | Windows NTLM authentication |
| AWS | PRO | AWS Signature v4 request signing |
The "advanced" auth types — OAuth 1.0a, OAuth 2.0, Digest, Hawk, JWT, NTLM, and AWS (Signature v4) — require HTTPBot Pro. Basic, Bearer Token, and API Key are available to everyone.
All auth fields support {{variable}} substitution, so you can keep secrets and
tokens in an environment rather than typing them into each request. See
Environments & Variables.
No Auth and Inherit
- No Auth adds nothing — use it for open endpoints or when you're providing credentials yourself via the Headers section.
- Inherit is available on requests that live inside a collection. It tells the request to use whatever authentication is configured on its parent collection, so you can set credentials once at the collection level and have every request reuse them. See Collections.
Basic
HTTP Basic authentication. Enter a username and password; HTTPBot encodes
them and sends an Authorization: Basic … header.
Bearer Token
Enter a single token and HTTPBot sends it as Authorization: Bearer <token>.
This is the simplest choice when you already have an access token in hand.
API Key
Send a named key as either a header or a query parameter.
- Key — the name of the key, e.g.
X-API-Key,api_key,Authorization,access_token,client_id, orapi_token. You can also enter a custom name. - Value — the key's value.
- Add to — choose whether HTTPBot places it in the request header or the query string.
OAuth 1.0a PRO
Signs requests using the OAuth 1.0a protocol. Requires HTTPBot Pro. You can configure:
- Consumer Key and Consumer Secret
- Token and Token Secret
- Signature Method — HMAC-SHA1, HMAC-SHA256, HMAC-SHA512, RSA-SHA1, RSA-SHA256, RSA-SHA512, or PLAINTEXT (RSA methods use a private key)
- Realm, Verifier, and Callback
- Timestamp and Nonce — generated automatically if you leave them blank —
and Version (defaults to
1.0) - Whether to include a body hash in the signature
- Whether the OAuth data is sent as a header or as query parameters
- Whether to encode the signature and whether to include empty parameters in the signature base string
OAuth 2.0 PRO
Full OAuth 2.0 support, including running the token flow for you. Requires HTTPBot Pro. Tap Configure to open the editor, which is split into Configuration, Advanced, and Token sections.
Pick a grant type:
- Authorization Code — the standard browser-based flow; supports PKCE.
- Implicit — token returned directly from the authorization endpoint.
- Password Credentials — exchange a username and password for a token.
- Client Credentials — machine-to-machine, no user involved.
- Manual — paste a token you already have; no flow is run.
The visible fields change to match the grant type, so you only see what's
relevant. Depending on the grant you can set the Auth URL, Access Token
URL, Refresh Token URL (defaults to the Access Token URL if left blank),
Redirect URI (default <bundle-id>://oauth/callback), Client ID,
Client Secret, Scope, and — for the Password grant — a Username and
Password.
The Advanced section adds:
- Use PKCE (Authorization Code only) with a PKCE Method of SHA-256 (the default) or Plain.
- State — auto-generated for you, but you can pin a fixed value.
- Client Authentication — send the client credentials as a Basic Auth Header or in the Request Body.
- Auth URL Params and Token Request Params — key/value editors for any extra parameters a non-standard identity provider expects on the authorization or token request.
Running the flow. For the browser-based grants, Get Access Token opens an in-app browser to complete sign-in and then exchanges the result for a token. Once you have a token, Refresh fetches a new one using the refresh token, and Clear discards the stored token. HTTPBot stores the access and refresh tokens, tracks expiry, and shows the token's remaining validity inline.
Back on the main Auth screen, choose how the token is attached: as an
Authorization header (with a configurable prefix, default Bearer) or as an
access_token query parameter.



Digest PRO
HTTP Digest access authentication. Requires HTTPBot Pro. Enter a username, password, realm, nonce, and qop, and choose an algorithm — MD5, MD5-sess, SHA-256, SHA-256-sess, SHA-512-256, or SHA-512-256-sess. You can also supply a nonce count, client nonce, and opaque value when the server requires them.
Hawk PRO
Hawk message authentication. Requires HTTPBot Pro. Configure the Auth ID and Auth Key, the algorithm (SHA-256 or SHA-1), and the optional user, nonce, timestamp, ext, app, and dlg fields. You can also include a payload hash.
JWT PRO
Generate a JSON Web Token and attach it to the request. Requires HTTPBot Pro.
- Header and Payload — JSON for the token's header and claims.
- Algorithm — HS256/384/512, RS256/384/512, PS256/384/512, or ES256/384/512.
- Secret (for HS algorithms) or Private Key (for the asymmetric algorithms). For HS algorithms you can mark the secret as Base64-encoded.
- Deliver as — send the token in a header with a prefix (default
Bearer) or as a query parameter (default keytoken).
NTLM PRO
Windows NTLM authentication. Requires HTTPBot Pro. Enter a username, password, and optionally a domain and workstation.
AWS PRO
Signs requests with AWS Signature Version 4 (shown as AWS in the type picker). Requires HTTPBot Pro. Provide your Access Key, Secret Key, Region, and Service, plus an optional Session Token for temporary credentials.
Saved Credentials
If you reuse the same credentials across many requests, save them once as a named Saved Credential and apply them anywhere.
- From the Auth section's
…menu, choose Manage Credentials to open the Saved Credentials list. Tap + to create a new one: give it a name, pick a type, and fill in the details. - To apply a saved credential to the request you're editing, pick it from the same Auth menu, or open the Saved Credentials list and tap the credential — it's applied to the request and the list closes.
- To edit, rename, or delete a saved credential, long-press its row and choose from the context menu. From Settings → Saved Auth (below), tapping a row opens it for editing directly.
Saved Credentials are also available app-wide from Settings → Saved Auth (titled Saved Credentials), so you can manage them outside of a specific request.
Stored on-device only. Saved Credentials are kept in an encrypted on-device store, with the encryption key held in the device's Keychain. They are not synced via iCloud — credentials you save stay on the device where you created them.



See Settings & Storage for more on app-wide settings.