Authentication Types Reference
Complete reference for all authentication methods supported by Nidra.
No Authentication
No authentication headers added.
Configuration: None
Use for: Public APIs, testing without auth
Bearer Token
Token-based authentication (JWT, OAuth access tokens).
Header Added:
Authorization: Bearer {token}
Configuration:
- Token value (string or variable)
Use for: Modern REST APIs, JWT auth, OAuth 2.0 access tokens
Example:
Token: {{accessToken}}
Generates:
Authorization: Bearer eyJhbGc...
Basic Authentication
Username and password authentication.
Header Added:
Authorization: Basic {base64(username:password)}
Configuration:
- Username (string or variable)
- Password (string or variable)
Use for: Legacy APIs, simple auth, development environments
Example:
Username: admin
Password: {{adminPassword}}
Generates:
Authorization: Basic YWRtaW46c2VjcmV0
API Key
Custom API key in header or query parameter.
Header Location
Header Added:
{headerName}: {apiKey}
Configuration:
- Header name (e.g., X-API-Key, api-key)
- API key value
Example:
Header Name: X-API-Key
Value: {{apiKey}}
Generates:
X-API-Key: abc123xyz789
Query Parameter Location
Query Parameter Added:
?{paramName}={apiKey}
Configuration:
- Parameter name (e.g., api_key, key)
- API key value
Example:
Param Name: api_key
Value: {{apiKey}}
URL becomes:
https://api.example.com/users?api_key=abc123xyz789
Use for: SaaS APIs, third-party integrations
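With the query parameter location the key is part of the URL, which is what access logs and proxies record. The following is an added example, not Nidra code, of redacting the credential locations described above before a request is logged; the header and parameter name sets and the sample request are constructed from this page's example values.

```javascript
// Added example: redact credentials before a request is written to a log.
// The names below mirror this page's examples; extend both sets for your APIs.
const SECRET_HEADERS = new Set(['authorization', 'x-api-key', 'api-key']);
const SECRET_PARAMS = new Set(['api_key', 'key']);

function redactHeader(name, value) {
  const lower = name.toLowerCase();
  if (!SECRET_HEADERS.has(lower)) return value;
  // Keep the scheme ("Bearer", "Basic") so the log still shows which auth type was sent.
  const m = /^(\S+)\s+\S/.exec(value);
  return lower === 'authorization' && m ? `${m[1]} [REDACTED]` : '[REDACTED]';
}

function redactUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const name of [...url.searchParams.keys()]) {
    if (SECRET_PARAMS.has(name.toLowerCase())) url.searchParams.set(name, 'REDACTED');
  }
  return url.toString();
}

function redactRequest(req) {
  const headers = {};
  for (const [name, value] of Object.entries(req.headers)) {
    headers[name] = redactHeader(name, value);
  }
  return { method: req.method, url: redactUrl(req.url), headers };
}

// Constructed sample request using the values shown on this page.
const sample = {
  method: 'GET',
  url: 'https://api.example.com/users?api_key=abc123xyz789&page=2',
  headers: {
    Authorization: 'Basic YWRtaW46c2VjcmV0',
    'X-API-Key': 'abc123xyz789',
    Accept: 'application/json',
  },
};
console.log(redactRequest(sample));
```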
OAuth 2.0
Full OAuth 2.0 flow support.
Grant Types
Authorization Code
For user-based authentication.
Configuration:
- Authorization URL
- Token URL
- Client ID
- Client Secret
- Redirect URI
- Scope (optional)
- State (optional)
Flow:
- User clicks "Authorize"
- Browser opens authorization URL
- User grants permission
- Callback with authorization code
- Exchange code for access token
- Token used in requests
Use for: User authentication, delegated access
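The Authorization Code flow above, as an added Node.js example that is not Nidra's implementation. It always sends a random State value so the callback can be tied to the request that started it; the endpoint, client ID and redirect URI are hypothetical placeholders.

```javascript
const crypto = require('node:crypto');

// Hypothetical configuration values; the fields mirror the list above.
const config = {
  authorizationUrl: 'https://auth.example.com/oauth/authorize',
  clientId: 'example-client-id',
  redirectUri: 'http://localhost:8080/callback',
  scope: 'read:users',
};

// Build the URL the browser opens, with a fresh random state per request.
function buildAuthorizationRequest(cfg) {
  const state = crypto.randomBytes(16).toString('hex');
  const url = new URL(cfg.authorizationUrl);
  url.searchParams.set('response_type', 'code');
  url.searchParams.set('client_id', cfg.clientId);
  url.searchParams.set('redirect_uri', cfg.redirectUri);
  if (cfg.scope) url.searchParams.set('scope', cfg.scope);
  url.searchParams.set('state', state);
  return { url: url.toString(), state };
}

// Accept the callback only if it returns the state that was issued.
function parseCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  if (params.has('error')) throw new Error(`authorization failed: ${params.get('error')}`);
  const got = Buffer.from(params.get('state') || '');
  const want = Buffer.from(expectedState);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    throw new Error('state mismatch: callback does not belong to this request');
  }
  const code = params.get('code');
  if (!code) throw new Error('callback carries no authorization code');
  return code;
}

// Form body for the token endpoint (application/x-www-form-urlencoded).
// Assumption: the client secret is sent separately, e.g. via HTTP Basic.
function buildTokenRequestBody(cfg, code) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: cfg.redirectUri,
    client_id: cfg.clientId,
  }).toString();
}
```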
Client Credentials
For server-to-server authentication.
Configuration:
- Token URL
- Client ID
- Client Secret
- Scope (optional)
Flow:
- Request token with credentials
- Receive access token
- Use token in requests
Use for: Backend services, machine-to-machine
Password Grant
Username and password to obtain token.
Configuration:
- Token URL
- Username
- Password
- Client ID (optional)
- Client Secret (optional)
- Scope (optional)
Flow:
- Send credentials to token endpoint
- Receive access token
- Use token in requests
Use for: First-party apps, testing (not recommended for production)
Implicit (Legacy)
Not Recommended: Security vulnerabilities
Token returned directly without code exchange.
Token Management
Nidra handles:
- Token storage
- Automatic refresh (if refresh token provided)
- Token expiration tracking
- Re-authentication prompts
Header Added:
Authorization: Bearer {accessToken}
AWS Signature v4
AWS request signing (advanced).
Configuration:
- Access Key ID
- Secret Access Key
- Region
- Service name
Use for: AWS API Gateway, AWS services
Digest Authentication
Challenge-response authentication.
Configuration:
- Username
- Password
- Realm (auto-detected)
Use for: Legacy systems, HTTP digest auth
NTLM
Windows authentication.
Configuration:
- Username
- Password
- Domain (optional)
Use for: Windows/Active Directory environments
Custom Authentication
For non-standard auth schemes.
Custom Headers
Add any headers manually:
X-Custom-Auth: {{customToken}}
X-Signature: {{computedSignature}}
X-Timestamp: {{timestamp}}
Use for: Proprietary auth schemes, custom protocols
Computed Authentication
Use conduit steps to compute auth values:
- Calculate signature (script step)
- Set as variable
- Use in header
Examples:
- HMAC signatures
- Custom token generation
- Time-based one-time passwords
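An added example of the HMAC signature case, producing the X-Signature and X-Timestamp headers shown above together with the check a receiving server would run. It is plain Node.js, not Nidra's script-step API, and the signed string layout and the 300-second window are assumptions chosen for illustration.

```javascript
const crypto = require('node:crypto');

// Assumed scheme (not defined by this page): HMAC-SHA256, hex-encoded, over
// "METHOD\nPATH\nTIMESTAMP\nSHA256(body)".
function stringToSign(method, path, timestamp, body) {
  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
  return [method.toUpperCase(), path, String(timestamp), bodyHash].join('\n');
}

// Client side: the values a script step would compute and store as variables.
function signRequest(secret, method, path, body, nowSeconds) {
  const signature = crypto
    .createHmac('sha256', secret)
    .update(stringToSign(method, path, nowSeconds, body))
    .digest('hex');
  return { 'X-Timestamp': String(nowSeconds), 'X-Signature': signature };
}

// Server side: bound the timestamp to limit replay, recompute the signature,
// and compare in constant time.
const MAX_SKEW_SECONDS = 300;

function verifyRequest(secret, method, path, body, headers, nowSeconds) {
  const ts = Number(headers['X-Timestamp']);
  if (!Number.isInteger(ts) || Math.abs(nowSeconds - ts) > MAX_SKEW_SECONDS) return false;
  const expected = signRequest(secret, method, path, body, ts)['X-Signature'];
  const got = Buffer.from(String(headers['X-Signature'] || ''), 'utf8');
  const want = Buffer.from(expected, 'utf8');
  return got.length === want.length && crypto.timingSafeEqual(got, want);
}

// Constructed sample values.
const demoSecret = 'constructed-demo-secret';
const demoBody = '{"name":"example"}';
const demoHeaders = signRequest(demoSecret, 'POST', '/users', demoBody, 1700000000);
console.log(demoHeaders, verifyRequest(demoSecret, 'POST', '/users', demoBody, demoHeaders, 1700000010));
```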
Authentication Inheritance
Collection Level
Set default auth for all requests in collection:
Collection → Auth → Bearer Token → {{apiToken}}
All requests inherit unless overridden.
Request Level
Override collection auth:
Request → Auth → API Key → Different key
Request-specific auth takes precedence.
Priority
Request Auth > Collection Auth > No Auth
Environment-Specific Authentication
Use environment variables for different credentials:
Development:
apiKey: dev_key_123
username: dev-user
Production:
apiKey: prod_key_xyz
username: prod-user
Request:
Auth Type: API Key
Value: {{apiKey}}
Automatically uses correct credentials per environment.
Best Practices
Security
- Use variables for credentials (never hardcode)
- Mark secrets in environments
- Different credentials per environment
- Rotate credentials regularly
- Minimum required permissions
Organization
- Set collection defaults when possible
- Use environment variables
- Document auth requirements
- Group by auth type
Token Management
- Monitor token expiration
- Set up refresh flows
- Handle 401 responses
- Cache tokens appropriately
Common Patterns
Login Flow
1. POST /auth/login
Body: {username, password}
2. Extract token from response
3. Use token in subsequent requests
Auth: Bearer {{token}}
API Key Rotation
Development: dev_key_v1
Testing: test_key_v1
Production: prod_key_v2
Easy to rotate by updating environment.
Multi-Service Auth
Different auth per collection:
- User Service: OAuth 2.0
- Admin API: API Key
- Public API: None
Troubleshooting
401 Unauthorized
Check:
- Credentials are correct
- Token hasn't expired
- Header name is correct
- Environment is correct
OAuth Fails
- Verify redirect URI
- Check client credentials
- Ensure correct scope
- Review auth server logs
Token Not Applied
- Check auth inheritance
- Verify variable resolution
- Ensure auth tab configured