Skip to content

Authentication

Jump to bottom
Thiago Miranda edited this page Jun 15, 2026 · 1 revision

Authentication

The AUTH tab applies credentials to a request at send time. Pick a type from the dropdown; the relevant fields appear. Every credential field supports {{variables}} (see Environments and Variables), so you can keep secrets in an environment and reference them here.

Auth types

NO AUTH

The request is sent without any auth header or query parameter.

INHERIT FROM PARENT

The request uses the auth configured on its parent collection/folder. Useful when a whole folder of requests shares one credential.

BEARER TOKEN

  • TOKEN field.
  • Adds Authorization: Bearer <token>.
  • Skipped if the token resolves to empty, or if you already set an Authorization header by hand.

BASIC AUTH

  • USERNAME and PASSWORD fields (password is obscured with a reveal toggle).
  • Adds Authorization: Basic <base64(username:password)> (UTF-8).
  • Skipped only if both username and password are empty after resolution, or if an Authorization header already exists.

API KEY

  • KEY (the header or query-param name), VALUE (the credential), and ADD TO (HEADER or QUERY PARAM).
  • HEADER (default): adds <key>: <value> unless a header with that name already exists.
  • QUERY PARAM: appends <key>=<value> to the query string.
  • Skipped if the key name is empty (the value may be empty).

How conflicts resolve

A header you write yourself in the Building Requests always wins over the auto-generated auth header (matched case-insensitively). This lets you override the exact header when needed.

Variables in credentials

Because every field accepts {{...}}, a common pattern is:

  1. Create an environment (e.g. Production) with token = abc123.
  2. Set Bearer TOKEN to {{token}}.
  3. Switch environments to send the same request with different credentials.

Unknown variables are left verbatim (so a missing {{token}} is visible rather than silently blank).

In generated code

Code Generation reflects your auth choice in the exported snippet (e.g. an Authorization header or a query parameter), keeping {{variables}} un-interpolated so you can substitute them in your own code.

Getman on GitHub · Releases · Live demo · Local-first HTTP client — no account, no cloud, no telemetry.

Getman Wiki

Start here

Core

Variables & automation

More features

Configuration

Project

Clone this wiki locally