Authentication helpers
Configure authentication per request without hand-rolling headers or signatures. API Stash handles the mechanics — including token refresh and request signing.
Supported schemes
Set the auth scheme on any request and fill in the fields; API Stash applies the right headers (or signature) when the request is sent:
- Basic — username and password, encoded into the
Authorizationheader. - Bearer — a static token sent as
Authorization: Bearer <token>. - OAuth 2.0 — full authorization flows with automatic token refresh (details below).
- AWS SigV4 — signs requests with your access key, secret, region, and service.
- HTTP Digest — challenge/response digest authentication.
OAuth 2.0
For OAuth 2.0, enter your authorization and token endpoints, client credentials, and scopes, then initiate the flow from the request's auth panel. API Stash walks the grant, obtains the access token, and uses it for the request.
Tokens are cached per user and encrypted. When an access token nears expiry, API Stash auto-refreshes it using the refresh token in the background, so you rarely have to re-authorize. Because the cache is per user, your tokens are never shared with teammates — everyone authorizes with their own identity.
AWS SigV4 & Digest
AWS SigV4 computes the signature from your credentials and the request contents at send time, so it always matches the exact request being sent. HTTP Digest performs the challenge/response handshake automatically. In both cases you only supply the credentials — store them as secrets to keep them encrypted.