Advanced auth types

These five types round out parity with Postman. Each is computed in the Electron main process (and identically in rosty-cli), so they work without CORS limitations and behave the same in CI as in the app. All field values support {{variables}}.

NTLM

NTLM (NT LAN Manager) is Windows domain authentication, common with on-prem Microsoft services (SharePoint, IIS, Exchange).

Fields: Username, Password, Domain (optional), Workstation (optional).

Rostyman performs the full NTLMv2 three-message handshake (Type 1 negotiate → Type 2 challenge → Type 3 authenticate) over a single kept-alive connection, exactly as a browser or Windows client would.

Hawk

Hawk is an HMAC-based scheme that signs each request with a shared key.

Fields: Auth ID, Auth Key, Algorithm (sha256 / sha1), and optional User, Nonce, and Ext.

Rostyman computes the Authorization: Hawk id="…", ts="…", nonce="…", mac="…" header per request (nonce auto-generated when blank).
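The signing described above and a matching server-side check, as an added example (not Rostyman's own code): the MAC covers the timestamp, nonce, method, path and query, host, port and ext, following the Hawk header normalization. The helper names, the 60-second skew window, the in-memory nonce set and the sample credentials are assumptions made for this illustration, and payload hashing is left out.

```javascript
const crypto = require('crypto');
// Hawk normalized string for a header MAC: every field here is covered by the HMAC.
function normalized({ ts, nonce, method, url, ext = '' }) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return ['hawk.1.header', ts, nonce, method.toUpperCase(), u.pathname + u.search,
    u.hostname, port, '' /* payload hash, unused here */, ext].join('\n') + '\n';
}
function hawkMac(creds, fields) {
  return crypto.createHmac(creds.algorithm, creds.key).update(normalized(fields)).digest('base64');
}

// Client side: build the header; the nonce is generated when none is supplied.
function hawkHeader(creds, method, url, opts = {}) {
  const ts = opts.ts ?? Math.floor(Date.now() / 1000);
  const nonce = opts.nonce || crypto.randomBytes(6).toString('hex');
  const ext = opts.ext || '';
  const mac = hawkMac(creds, { ts, nonce, method, url, ext });
  return `Hawk id="${creds.id}", ts="${ts}", nonce="${nonce}"` +
    (ext ? `, ext="${ext}"` : '') + `, mac="${mac}"`;
}

// Server side (hypothetical helper): recompute the MAC over the request as received.
function verifyHawk(header, method, url, lookupKey, seenNonces, now, skewSec = 60) {
  if (!header.startsWith('Hawk ')) return 'not-hawk';
  const a = Object.fromEntries([...header.matchAll(/(\w+)="([^"]*)"/g)].map(m => [m[1], m[2]]));
  const creds = lookupKey(a.id);
  if (!creds) return 'unknown-id';
  if (Math.abs(now - Number(a.ts)) > skewSec) return 'stale-timestamp';
  const want = Buffer.from(hawkMac(creds, { ts: a.ts, nonce: a.nonce, method, url, ext: a.ext || '' }));
  const got = Buffer.from(a.mac || '');
  // Constant-time comparison; the length check only guards timingSafeEqual's precondition.
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return 'bad-mac';
  const replayKey = `${a.id}:${a.ts}:${a.nonce}`;
  if (seenNonces.has(replayKey)) return 'replayed-nonce';
  seenNonces.add(replayKey);
  return 'ok';
}

// Constructed sample credentials and URL, not real secrets or hosts.
function demo() {
  const creds = { id: 'demo-client', key: 'constructed-demo-key', algorithm: 'sha256' };
  const url = 'https://api.example.test/v1/items?b=1&a=2';
  const now = 1700000000, seen = new Set(), lookup = id => (id === creds.id ? creds : null);
  const h = hawkHeader(creds, 'GET', url, { ts: now });
  return [verifyHawk(h, 'GET', url, lookup, seen, now), verifyHawk(h, 'GET', url, lookup, seen, now),
    verifyHawk(h, 'DELETE', url, lookup, new Set(), now), verifyHawk(h, 'GET', url, lookup, new Set(), now + 3600)];
}
console.log(demo());
```

The four results show an accepted request, the same header replayed, the header reused with a different method, and the header presented an hour later.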

JWT Bearer

Signs a JSON Web Token from your own claims and sends it.

Fields: Algorithm (HS256/384/512, RS256/384/512, ES256/384/512, PS256/384/512), Secret (HS) or Private Key (RS/ES/PS), "Secret is Base64 encoded" toggle, Payload (claims JSON), and where to add the token — a header (with a configurable prefix, default Bearer ) or the query string (with a configurable param key, default token).

Akamai EdgeGrid

Signs requests for Akamai's {OPEN} APIs.

Fields: Access Token, Client Token, Client Secret, and optional Headers to Sign.

Rostyman builds the Authorization: EG1-HMAC-SHA256 …;signature=… header, deriving the signing key from the client secret and timestamp and hashing the request (including the POST body) per the EdgeGrid spec.

ASAP (Atlassian)

ASAP is Atlassian's service-to-service auth — a signed JWT with prescribed claims.

Fields: Algorithm (default RS256), Key ID (kid), Issuer (iss), Audience (aud), Subject (optional), Private Key, and optional extra Claims.

Rostyman builds the JWT with iss/aud/iat/exp/jti (plus sub and your extra claims), signs it with your private key, and sends it as Authorization: Bearer ….

Note: All five run identically in rosty-cli, and importing a Postman collection that uses any of them maps the fields automatically.