OAuth 2.0
Rostyman supports all major OAuth 2.0 grant types. Once a token is obtained, it is applied to the request automatically.
Grant Types
Authorization Code
Opens a real browser window for the OAuth consent screen. The authorization code is captured automatically after the redirect. The Redirect URI you enter must match exactly what is registered with the authorization server, or the server rejects the request before the consent screen appears.
Required fields:
- Auth URL
- Token URL
- Client ID
- Client Secret
- Redirect URI
- Scope (optional)
Authorization Code with PKCE
Same as Authorization Code, but Rostyman generates the RFC 7636 code verifier/challenge pair automatically. Use this for public clients (mobile apps, SPAs) that cannot securely store a client secret; it also protects confidential clients against authorization code interception, so prefer it whenever the server supports PKCE.
Additional fields: none. PKCE is enabled automatically, no extra configuration needed.
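The following is an added example, not Rostyman's own code, showing what the tool does for you in the Authorization Code with PKCE flow: deriving the verifier/challenge pair, building the authorization URL the browser window is sent to, checking the redirect that comes back, and assembling the token request. The URLs, client ID and redirect URI are assumed placeholder values for the fields listed above; the `state` parameter is not one of the page's fields but is the standard way a client ties the redirect back to the request it started. Only the Python standard library is used and nothing is sent over the network.

```python
from __future__ import annotations

import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for the Auth URL, Token URL, Client ID and Redirect URI fields.
AUTH_URL = "https://auth.example.com/oauth2/authorize"
TOKEN_URL = "https://auth.example.com/oauth2/token"
CLIENT_ID = "rostyman-demo"
REDIRECT_URI = "http://127.0.0.1:8765/callback"


def b64url(data: bytes) -> str:
    """Base64url without '=' padding, the encoding RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_pkce_pair(verifier: Optional[str] = None) -> tuple[str, str]:
    """Return (code_verifier, code_challenge) for the S256 method.

    RFC 7636: the verifier is 43 to 128 characters of [A-Za-z0-9-._~]; 32
    random bytes base64url-encoded give 43. The challenge is base64url of
    SHA-256(verifier). Passing a fixed verifier is for testing only.
    """
    if verifier is None:
        verifier = b64url(secrets.token_bytes(32))
    if not 43 <= len(verifier) <= 128:
        raise ValueError("code_verifier length outside the RFC 7636 range")
    challenge = b64url(hashlib.sha256(verifier.encode("ascii")).digest())
    return verifier, challenge


def build_authorize_url(challenge: str, state: str, scope: str = "") -> str:
    """The URL opened in the browser window. Only the challenge leaves the client here."""
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
        "state": state,
    }
    if scope:
        params["scope"] = scope
    return f"{AUTH_URL}?{urlencode(params)}"


def extract_code(redirect_url: str, expected_state: str) -> str:
    """Parse the redirect back to REDIRECT_URI and return the authorization code.

    A missing or mismatched `state` means the redirect was not produced by the
    request we started (a CSRF check), and an `error` parameter is surfaced
    instead of being silently dropped.
    """
    query = parse_qs(urlparse(redirect_url).query)
    if "error" in query:
        raise RuntimeError(f"authorization server returned error: {query['error'][0]}")
    if query.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: redirect does not belong to this request")
    if "code" not in query:
        raise RuntimeError("redirect carried neither code nor error")
    return query["code"][0]


def build_token_request(code: str, verifier: str) -> tuple[str, dict[str, str]]:
    """Form body for the POST to the Token URL that redeems the code.

    The verifier (not the challenge) is sent; the server hashes it and compares
    it with the challenge it saw earlier. A public client sends no
    client_secret, which is the point of PKCE.
    """
    body = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": verifier,
    }
    return TOKEN_URL, body


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    state = secrets.token_urlsafe(16)
    print("open in browser:", build_authorize_url(challenge, state, scope="read"))
    # Constructed redirect, as the local callback listener would receive it.
    redirect = f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}"
    code = extract_code(redirect, state)
    url, body = build_token_request(code, verifier)
    print("POST", url, urlencode(body))
```

The verifier never appears in the browser URL, so an attacker who observes the redirect (or the authorization code in it) cannot redeem the code without it; that is why the flow is safe for clients that cannot keep a secret.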
Client Credentials
Server-to-server authentication. No browser window needed.
Required fields:
- Token URL
- Client ID
- Client Secret
- Scope (optional)
Password Credentials
Direct username + password exchange for a token. The client handles the user's raw credentials, so use it only with fully trusted, first-party clients; the OAuth 2.0 Security Best Current Practice (RFC 9700) forbids this grant and OAuth 2.1 drops it. Prefer Authorization Code with PKCE wherever the server supports it.
Required fields:
- Token URL
- Client ID
- Client Secret
- Username
- Password
Implicit (Legacy)
Legacy flow for SPAs: the access token is returned directly in the redirect URL fragment. The token is exposed to browser history, referrer leakage and any script on the redirect page, cannot be protected with PKCE, and comes with no refresh token, so the OAuth 2.0 Security Best Current Practice advises against it. Not recommended for new implementations; use Authorization Code with PKCE instead.
Getting a Token
- Configure the grant type and fill in the required fields
- Click Get Token
- For Authorization Code flows, a browser window opens — log in and grant access
- The token is populated automatically
- Click Use Token (or it is applied automatically)
Token Storage
Tokens are stored in the tab's session state. Because the session is saved automatically, they persist across app restarts, but they are not shared between tabs. Treat the saved session as credential material: a bearer token copied out of it can be replayed by anyone who holds it until it expires or is revoked.
Refresh Tokens
For Authorization Code flows, if a refresh token is returned, Rostyman stores it and uses it to obtain a new access token automatically when the current one expires. Client Credentials responses normally carry no refresh token (RFC 6749 says the server should not issue one), so that grant is simply run again. A stored refresh token is longer-lived than the access token and lives in the same saved session, so it deserves the same care.
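The following is an added example, not Rostyman's own code, of the bookkeeping behind automatic refresh: when a token counts as expired, what the refresh_token grant request looks like, how to handle a server that rotates refresh tokens, and what to do when none was issued. The token URL and client ID are assumed placeholders, and the token responses are constructed inline in the shape RFC 6749 defines. It uses only the standard library and makes no network calls.

```python
from __future__ import annotations

from typing import Optional

TOKEN_URL = "https://auth.example.com/oauth2/token"  # assumed Token URL
CLIENT_ID = "rostyman-demo"                           # assumed Client ID
SKEW_SECONDS = 60  # refresh early so a request sent just before expiry still succeeds


class TokenState:
    """What a tab keeps after a token response, plus the refresh decision."""

    def __init__(self, response: dict, obtained_at: float):
        # Only bearer tokens can be applied as a plain Authorization header.
        if response.get("token_type", "").lower() != "bearer":
            raise ValueError("unsupported token_type; expected bearer")
        self.access_token: str = response["access_token"]
        self.refresh_token: Optional[str] = response.get("refresh_token")
        # expires_in is optional in RFC 6749; without it the expiry is unknown.
        exp = response.get("expires_in")
        self.expires_at: Optional[float] = obtained_at + float(exp) if exp is not None else None

    def authorization_header(self) -> dict[str, str]:
        """What gets applied to the outgoing request."""
        return {"Authorization": f"Bearer {self.access_token}"}

    def needs_refresh(self, now: float) -> bool:
        """True once the token is within SKEW_SECONDS of expiry or already past it."""
        return self.expires_at is not None and now >= self.expires_at - SKEW_SECONDS

    def refresh_request(self) -> Optional[dict[str, str]]:
        """Form body for a POST to TOKEN_URL, or None when no refresh token was issued.

        Client Credentials responses normally have no refresh token; the grant
        is rerun instead. A confidential client would add client_secret here.
        """
        if self.refresh_token is None:
            return None
        return {
            "grant_type": "refresh_token",
            "refresh_token": self.refresh_token,
            "client_id": CLIENT_ID,
        }

    def apply_refresh_response(self, response: dict, now: float) -> "TokenState":
        """Build the replacement state from a refresh response.

        If the server rotated the refresh token, the new one must replace the
        old, which is now invalid; if it sent none, the old one stays valid.
        """
        merged = dict(response)
        merged.setdefault("refresh_token", self.refresh_token)
        return TokenState(merged, now)


if __name__ == "__main__":
    # Constructed response, as returned for an Authorization Code grant.
    first = {"access_token": "at-1", "token_type": "Bearer",
             "expires_in": 3600, "refresh_token": "rt-1"}
    state = TokenState(first, obtained_at=1000.0)
    print(state.authorization_header())
    print(state.needs_refresh(4000.0))  # well before expiry
    print(state.needs_refresh(4550.0))  # inside the skew window
    print(state.refresh_request())
    rotated = {"access_token": "at-2", "token_type": "Bearer",
               "expires_in": 3600, "refresh_token": "rt-2"}
    state = state.apply_refresh_response(rotated, now=4560.0)
    print(state.refresh_request())
```

The skew margin matters in a request tool: the token is checked when you click Send, but the request may reach the server a second or two later, and a token that was "just valid" at check time fails there.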