Authentication
Rostyman supports all major authentication methods. Configure authentication on the Auth tab in the request builder.
Supported Auth Types
| Type | Best For |
|---|---|
| No Auth | Public endpoints |
| Bearer Token | JWT, OAuth 2.0 access tokens |
| Basic Auth | Username + password |
| API Key | API key in header or query param |
| OAuth 2.0 | Modern OAuth flows (Auth Code, Client Credentials, etc.) |
| OAuth 1.0 | Legacy OAuth (Twitter v1, etc.) |
| Digest Auth | Challenge-response HTTP auth |
| NTLM | Windows domain authentication |
| Hawk | HMAC-based request signing |
| AWS Signature v4 | AWS services (S3, API Gateway, etc.) |
| Auth Inheritance | Inherit auth from parent folder/collection |
How Auth is Applied
Authentication is added to the request in the Electron main process before the HTTP call is made. This means:
- No CORS issues with auth headers
- Digest, OAuth 1.0, AWS Signature, and NTLM are computed in the Electron main process, not in the renderer (the browser context)
- Tokens are stored in memory for the session and not persisted to disk (except where explicitly saved)
Auth Inheritance
Requests and folders can be set to Inherit from Parent to use the authentication configured on their parent. Rostyman walks up the hierarchy:
Request → Folder → Parent Folder → ... → Collection
The first non-inherit auth found in the chain is used. This lets you:
- Set auth once at the collection level for all requests
- Override auth at specific folders (e.g., admin endpoints use API Key, public endpoints use Bearer Token)
- Change auth for a group of requests by updating a single folder or collection
When a request inherits auth, the Auth tab shows a preview of the resolved auth and a link to edit it at the source.
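The lookup described above, sketched as an added example (this is not Rostyman's own code). The node shape (`id`, `kind`, `parentId`, `auth`), the `'inherit'` and `'none'` type strings, and the sample hierarchy are assumptions made for illustration. Note that an explicit No Auth stops the walk, so a public request does not pick up the collection's token.

```javascript
// Added illustration: node shape and type strings are assumptions,
// not Rostyman's actual schema.
const INHERIT = 'inherit';

// Constructed sample hierarchy: collection -> admin folder -> users folder -> requests
const nodes = new Map([
  ['col', { id: 'col', kind: 'collection', parentId: null, auth: { type: 'bearer' } }],
  ['admin', { id: 'admin', kind: 'folder', parentId: 'col', auth: { type: 'apikey' } }],
  ['users', { id: 'users', kind: 'folder', parentId: 'admin', auth: { type: INHERIT } }],
  ['listUsers', { id: 'listUsers', kind: 'request', parentId: 'users', auth: { type: INHERIT } }],
  ['health', { id: 'health', kind: 'request', parentId: 'col', auth: { type: 'none' } }],
  ['ping', { id: 'ping', kind: 'request', parentId: 'col', auth: { type: INHERIT } }],
]);

// Walk Request -> Folder -> ... -> Collection and return the first
// non-inherit auth, plus the node it came from (for an "edit at source" link).
function resolveAuth(tree, startId) {
  const seen = new Set();
  let node = tree.get(startId);
  while (node) {
    // Guard against a corrupted hierarchy that loops back on itself.
    if (seen.has(node.id)) throw new Error(`cycle in hierarchy at ${node.id}`);
    seen.add(node.id);
    // Assumption: a node with no auth config behaves like "Inherit from Parent".
    const type = node.auth ? node.auth.type : INHERIT;
    if (type !== INHERIT) {
      return { auth: node.auth, sourceId: node.id, inherited: node.id !== startId };
    }
    node = node.parentId === null ? undefined : tree.get(node.parentId);
  }
  // Chain exhausted without a concrete auth: send no credentials.
  return { auth: { type: 'none' }, sourceId: null, inherited: false };
}
```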
See Auth Inheritance for the full details and examples.