OAuth 2.0 Authentication
Modern authentication with automatic token management
Overview
Request Man provides comprehensive OAuth 2.0 support with automatic token fetching, intelligent caching, and seamless token refresh. No manual token management required!
Key Features
Automatic Token Fetching
Request Man fetches OAuth tokens automatically before each request. No manual token entry needed.
Smart Token Caching
Tokens are cached after first fetch. Subsequent requests reuse cached tokens for better performance.
Auto Token Refresh
Tokens automatically refresh 60 seconds before expiry. Never worry about expired tokens mid-request.
Multi-Level Config
Configure OAuth at collection, folder, or request level. Inherit or override as needed.
Supported Grant Types
Client Credentials (Supported)
Perfect for server-to-server authentication where the application itself needs access.
Grant Type: client_credentials
Required: Token URL, Client ID, Client Secret
Optional: Scope
Password Grant (Supported)
Direct username/password exchange. Useful for trusted first-party applications.
Grant Type: password
Required: Token URL, Client ID, Client Secret, Username, Password
Optional: Scope
Authorization Code (Coming Soon)
Standard web application flow with browser redirect. Coming in the next release!
Implicit Flow (Coming Soon)
Browser-based flow for single-page applications. Coming soon!
Setting Up OAuth 2.0
At Request Level
Open Authorization Tab
In the request builder, click the "Authorization" tab.
Select OAuth 2.0
Choose "OAuth 2.0" from the Type dropdown.
Choose Grant Type
Select either "Client Credentials" or "Password" grant type.
Fill in Configuration
Enter your OAuth provider details:
- Token URL: https://auth.example.com/oauth/token
- Client ID: Your application's client ID
- Client Secret: Your application's client secret
- Scope: (Optional) Space-separated permissions
Send Request
Click "Send". Request Man will fetch the token automatically!
At Collection Level
Set OAuth 2.0 once for an entire collection:
Right-click Collection
In the collections sidebar, right-click your collection.
Select "Authorization"
Choose "Authorization" from the context menu.
Configure OAuth 2.0
Set up OAuth 2.0 as described above.
Save
All requests in the collection will now use OAuth 2.0!
Client Authentication
Request Man supports two methods for sending client credentials:
Send in Body (Default)
Client ID and Secret sent as form parameters:
POST /oauth/token
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&client_id=your_client_id
&client_secret=your_client_secret
&scope=read write
Send as Basic Auth Header
Client ID and Secret sent in Authorization header:
POST /oauth/token
Authorization: Basic base64(client_id:client_secret)
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials
&scope=read write
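The two client authentication methods above, built for both supported grant types, as an added example (not Request Man's own code). The cfg field names are assumptions; the Basic variant form-encodes the client ID and secret before base64, as RFC 6749 section 2.3.1 specifies, so a secret containing ":" or "/" stays unambiguous.

```python
import base64
from urllib.parse import quote_plus, urlencode

# Required fields per grant type, as listed on this page (names are assumed).
REQUIRED = {
    "client_credentials": ("client_id", "client_secret"),
    "password": ("client_id", "client_secret", "username", "password"),
}


def build_token_request(cfg, use_basic_auth=False):
    """Return (headers, body) for the token POST described by cfg."""
    grant = cfg.get("grant_type")
    if grant not in REQUIRED:
        raise ValueError(f"unsupported grant type: {grant!r}")
    missing = [f for f in REQUIRED[grant] if not cfg.get(f)]
    if missing:
        raise ValueError(f"missing fields for {grant}: {missing}")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": grant}
    if grant == "password":
        form["username"] = cfg["username"]
        form["password"] = cfg["password"]
    if cfg.get("scope"):
        form["scope"] = cfg["scope"]
    if use_basic_auth:
        # Form-encode each part first, then join with ":" and base64.
        pair = f"{quote_plus(cfg['client_id'])}:{quote_plus(cfg['client_secret'])}"
        encoded = base64.b64encode(pair.encode("utf-8")).decode("ascii")
        headers["Authorization"] = f"Basic {encoded}"
    else:
        form["client_id"] = cfg["client_id"]
        form["client_secret"] = cfg["client_secret"]
    # urlencode percent-encodes values; the space in the scope becomes "+".
    return headers, urlencode(form)


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    sample = {"grant_type": "client_credentials", "client_id": "your_client_id",
              "client_secret": "s3cr:et/+", "scope": "read write"}
    for basic in (False, True):
        print(build_token_request(sample, use_basic_auth=basic))
```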
Using Variables
Use environment variables in OAuth 2.0 configuration for easy environment switching:
Configuration with Variables
Token URL: {{authServerUrl}}/oauth/token
Client ID: {{oauth_client_id}}
Client Secret: {{oauth_client_secret}}
Scope: {{oauth_scope}}
Environment Setup
Create separate environments for dev, staging, and production:
// Development Environment
{
  "authServerUrl": "https://dev-auth.example.com",
  "oauth_client_id": "dev_client_id",
  "oauth_client_secret": "dev_secret",
  "oauth_scope": "read write"
}

// Production Environment
{
  "authServerUrl": "https://auth.example.com",
  "oauth_client_id": "prod_client_id",
  "oauth_client_secret": "prod_secret",
  "oauth_scope": "read"
}
Token Caching
How Caching Works
First Request
Request Man fetches a new token from the OAuth server.
🔐 Fetching OAuth 2.0 token...
✅ OAuth 2.0 token obtained (expires in 3600s)
Token Cached
Token is stored with expiry time.
Subsequent Requests
Cached token is reused for better performance.
✅ Using cached OAuth 2.0 token
Auto Refresh
Token refreshes 60 seconds before expiry.
🔄 Refreshing OAuth 2.0 token (expiring soon)...
✅ OAuth 2.0 token refreshed
Cache Key
Tokens are cached by configuration:
- Token URL
- Client ID
- Grant Type
- Username (for password grant)
Different configurations get separate cache entries.
Clearing Cache
To force a new token fetch:
- Restart Request Man
- Change any OAuth configuration parameter
- Wait for token to expire naturally
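The caching behaviour described in this section, sketched as an added example (not Request Man's implementation): entries are keyed by the four listed fields, a token is refetched once it is within 60 seconds of expiry, and a response without a usable expires_in is never cached. The class, the cfg field names and the fetch callable are assumptions.

```python
import time

REFRESH_MARGIN = 60  # seconds before expiry at which a new token is fetched


class TokenCache:
    def __init__(self, fetch, clock=time.monotonic):
        self._fetch = fetch    # callable(cfg) -> parsed token response (dict)
        self._clock = clock
        self._entries = {}     # cache key -> (access_token, expires_at)

    @staticmethod
    def key(cfg):
        # The four fields the page lists as the cache key.
        return (cfg["token_url"], cfg["client_id"],
                cfg["grant_type"], cfg.get("username"))

    def get_token(self, cfg):
        k, now = self.key(cfg), self._clock()
        entry = self._entries.get(k)
        if entry and now < entry[1] - REFRESH_MARGIN:
            return entry[0]                    # cached and not close to expiry
        resp = self._fetch(cfg)
        expires_in = resp.get("expires_in")
        if isinstance(expires_in, (int, float)) and expires_in > 0:
            self._entries[k] = (resp["access_token"], now + expires_in)
        else:
            self._entries.pop(k, None)         # no usable lifetime: never cache
        return resp["access_token"]


def simulate(times=(0, 10, 3539, 3540, 3541), expires_in=3600):
    """Constructed run with a fake clock and fake token endpoint (no network)."""
    now, calls = [0], []

    def fetch(cfg):
        calls.append(now[0])
        resp = {"access_token": f"tok{len(calls)}"}
        if expires_in is not None:
            resp["expires_in"] = expires_in
        return resp

    cache = TokenCache(fetch, clock=lambda: now[0])
    cfg = {"token_url": "https://auth.example.com/oauth/token",
           "client_id": "your_client_id", "grant_type": "client_credentials"}
    seen = []
    for t in times:
        now[0] = t
        seen.append(cache.get_token(cfg))
    return seen, calls
```

In this sketch, two configurations that differ only in scope share one cache entry because scope is not among the four key fields; add it to key() if requests rely on distinct scopes.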
Common OAuth Providers
Google OAuth 2.0
Token URL: https://oauth2.googleapis.com/token
Scope: https://www.googleapis.com/auth/userinfo.email
Microsoft Azure AD
Token URL: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Scope: https://graph.microsoft.com/.default
GitHub
Token URL: https://github.com/login/oauth/access_token
Scope: repo user
Auth0
Token URL: https://{domain}/oauth/token
Audience: https://api.example.com
Scope: read:users write:users
Okta
Token URL: https://{domain}/oauth2/default/v1/token
Scope: openid profile email
Troubleshooting
Token Not Working
Solutions:
- Verify Token URL is correct
- Check Client ID and Secret are valid
- Ensure grant type is supported by your OAuth server
- Verify scope permissions are correct
- Check console for detailed error messages
Token Not Caching
Solutions:
- Verify server returns expires_in field
- Check if token response is valid JSON
- Ensure configuration remains consistent
Variables Not Resolving
{{variable}} not replaced
Solutions:
- Check variable name spelling (case-sensitive)
- Verify variable exists in active environment
- Make sure environment is selected
CORS Errors
Solution: This shouldn't happen in Request Man (desktop app), but if it does:
- Ensure you're using the desktop app, not web version
- Restart Request Man
- Check if OAuth server allows requests from desktop apps
Best Practices
1. Use Environment Variables
Store all OAuth config in environment variables for easy environment switching.
2. Protect Secrets
Never commit client secrets. Use local-only environment variables.
3. Configure at Collection Level
Set OAuth once for entire collection instead of per-request.
4. Minimize Scope
Request only required permissions. Use specific scopes.
5. Monitor Console
Watch console logs to verify token fetching and caching.
6. Test Thoroughly
Test OAuth flow in all environments before production use.
Complete Example
Scenario: Testing a User API with OAuth 2.0
Step 1: Environment Setup
{
  "name": "Production",
  "variables": {
    "baseUrl": "https://api.example.com",
    "authUrl": "https://auth.example.com",
    "clientId": "prod_client_123",
    "clientSecret": "super_secret_key",
    "scope": "users:read users:write"
  }
}
Step 2: Collection OAuth Configuration
Type: OAuth 2.0
Grant Type: Client Credentials
Token URL: {{authUrl}}/oauth/token
Client ID: {{clientId}}
Client Secret: {{clientSecret}}
Scope: {{scope}}
Client Auth: Send in Body
Step 3: Create Requests
// Get All Users
GET {{baseUrl}}/api/users
Authorization: Inherit from collection

// Get User by ID
GET {{baseUrl}}/api/users/{{userId}}
Authorization: Inherit from collection

// Create User
POST {{baseUrl}}/api/users
Authorization: Inherit from collection
Body: {
  "name": "John Doe",
  "email": "john@example.com"
}
Step 4: Send Requests
Request Man will:
- Fetch OAuth token automatically
- Cache the token
- Add Authorization header to each request
- Refresh token before expiry