Authentication
Rostyman supports all major authentication methods. Configure authentication on the Auth tab in the request builder.
Supported Auth Types
| Type | Best For |
|---|---|
| No Auth | Public endpoints |
| Bearer Token | JWT, OAuth 2.0 access tokens |
| Basic Auth | Username + password |
| API Key | API key in header or query param |
| OAuth 2.0 | Modern OAuth flows (Auth Code, Client Credentials, etc.) |
| OAuth 1.0 | Legacy OAuth (Twitter v1, etc.) |
| Digest Auth | Challenge-response HTTP auth |
| AWS Signature v4 | AWS services (S3, API Gateway, etc.) |
| NTLM | Windows / on-prem (SharePoint, IIS, Exchange) |
| Hawk | HMAC-based request signing |
| JWT Bearer | Sign a JWT (HS/RS/ES/PS) and send as Bearer |
| Akamai EdgeGrid | Akamai API signing (EG1-HMAC-SHA256) |
| ASAP | Atlassian service-to-service (signed JWT) |
| Auth Inheritance | Inherit auth from parent folder/collection |
How Auth is Applied
Authentication is added to the request in the Electron main process before the HTTP call is made. This means:
- No CORS issues with auth headers
- Digest, OAuth 1.0, and AWS Signature v4 are computed in the Electron main process, not in the browser renderer
- Tokens are stored in memory for the session and not persisted to disk (except where explicitly saved)
Auth Inheritance
Requests and folders can be set to Inherit from Parent to use the authentication configured on their parent. Rostyman walks up the hierarchy:
Request → Folder → Parent Folder → ... → Collection
The first non-inherit auth found in the chain is used. This lets you:
- Set auth once at the collection level for all requests
- Override auth at specific folders (e.g., admin endpoints use API Key, public endpoints use Bearer Token)
- Change auth for a group of requests by updating a single folder or collection
When a request inherits auth, the Auth tab shows a preview of the resolved auth and a link to edit it at the source.
See Auth Inheritance for the full details and examples.
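To make the two sections above concrete, here is an added example (not Rostyman's own code) of the resolution walk and the apply step that follows it: a request's chain is walked Request → Folder → ... → Collection, the first non-inherit auth wins, and the result is turned into headers or a query parameter before the call goes out. The node shape (`kind`, `name`, `auth`, `parent`), the auth-object fields, and the sample tree with placeholder secrets are all assumptions made for this illustration; only Bearer, Basic and API Key are applied here, since the signing schemes (Digest, OAuth 1.0, AWS Signature v4) need the full request to compute.

```javascript
// Added example, not Rostyman's own code: a minimal resolver that walks the
// Request -> Folder -> ... -> Collection chain, picks the first non-inherit
// auth, and applies it before the HTTP call. The node shape (`kind`, `name`,
// `auth`, `parent`) and the sample tree are assumptions for illustration.

// --- constructed sample hierarchy (all secrets are placeholders) ---
const collection = {
  kind: 'collection', name: 'Example API', parent: null,
  auth: { type: 'bearer', token: 'PLACEHOLDER-TOKEN' },
};
const adminFolder = {
  kind: 'folder', name: 'admin', parent: collection,
  auth: { type: 'apikey', key: 'X-API-Key', value: 'PLACEHOLDER-ADMIN-KEY', addTo: 'header' },
};
const publicFolder = { kind: 'folder', name: 'public', parent: collection, auth: { type: 'inherit' } };
const listUsers = { kind: 'request', name: 'List users', parent: adminFolder, auth: { type: 'inherit' } };
const health = { kind: 'request', name: 'Health', parent: publicFolder, auth: { type: 'inherit' } };
const login = {
  kind: 'request', name: 'Login', parent: publicFolder,
  auth: { type: 'basic', username: 'alice', password: 'PLACEHOLDER-PASSWORD' },
};
const search = {
  kind: 'request', name: 'Search', parent: publicFolder,
  auth: { type: 'apikey', key: 'api_key', value: 'PLACEHOLDER-SEARCH-KEY', addTo: 'query' },
};

// Walk up the tree; the first node whose auth is not 'inherit' wins.
// Returns the auth, the node it came from, and the visited chain (for the preview).
function resolveAuth(node) {
  const chain = [];
  for (let n = node; n; n = n.parent) {
    chain.push(n.name);
    if (n.auth && n.auth.type !== 'inherit') return { auth: n.auth, source: n, chain };
  }
  // Reached the top without an explicit auth: behave as No Auth.
  return { auth: { type: 'noauth' }, source: null, chain };
}

// Turn the resolved auth into concrete headers / query params for one request.
function applyAuth(request, url) {
  const { auth, source } = resolveAuth(request);
  const target = new URL(url);
  const headers = {};
  switch (auth.type) {
    case 'noauth':
      break;
    case 'bearer':
      headers.Authorization = `Bearer ${auth.token}`;
      break;
    case 'basic':
      // RFC 7617: base64("username:password"); this is encoding, not encryption.
      headers.Authorization =
        'Basic ' + Buffer.from(`${auth.username}:${auth.password}`, 'utf8').toString('base64');
      break;
    case 'apikey':
      if (auth.addTo === 'query') {
        // Query placement lands in URL logs and browser history; header placement is safer.
        target.searchParams.set(auth.key, auth.value);
      } else {
        headers[auth.key] = auth.value;
      }
      break;
    default:
      throw new Error(`unsupported auth type: ${auth.type}`);
  }
  return { url: target.toString(), headers, source: source ? source.name : null };
}

// Redacted summary for an Auth tab preview: shows which node supplied the auth
// and what kind it is, without exposing the secret itself.
function previewAuth(node) {
  const { auth, source, chain } = resolveAuth(node);
  const redact = (s) => (typeof s === 'string' && s.length ? `${s.slice(0, 2)}***` : '***');
  let summary;
  switch (auth.type) {
    case 'noauth': summary = 'No Auth'; break;
    case 'bearer': summary = `Bearer ${redact(auth.token)}`; break;
    case 'basic': summary = `Basic ${auth.username}:***`; break;
    case 'apikey': summary = `API Key ${auth.key}=${redact(auth.value)} (${auth.addTo})`; break;
    default: summary = auth.type;
  }
  return { summary, source: source ? source.name : null, chain: chain.join(' -> ') };
}
```

With this tree, `List users` resolves to the admin folder's API Key, `Health` falls through the public folder (which inherits) to the collection's Bearer token, and `Login` and `Search` keep their own explicit auth. The preview deliberately redacts the secret: a resolved-auth preview is a UI string that can end up in screenshots and bug reports, so it should name the source node and type but never the token itself.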