OAuth2

OAuth2 lets Vegha obtain access tokens for you and attach them to requests automatically. Configure it from the Authorization tab by selecting OAuth2 and choosing a grant type.

Grant types

Grant	Use when
Authorization Code (+ PKCE)	A user must log in interactively; PKCE is used by default for public clients
Client Credentials	A service authenticates as itself with no user involved
Password	You exchange a username and password directly for a token

For the authorization-code flow, Vegha opens your system browser and starts a loopback listener on 127.0.0.1 to receive the redirect. There is no embedded webview.

This design has real advantages:

Real SSO cookies — you reuse sessions you are already signed in to.
Password managers — your browser’s password manager autofills as normal.
MFA — multi-factor prompts, security keys, and passkeys work because login happens in a real browser.

PKCE (Proof Key for Code Exchange) is used by default for public clients, so no client secret is exposed.

Token cache

Issued tokens are cached so you are not prompted to log in for every request. The cache is stored encrypted in the OS keystore:

Platform	Keystore
Windows	Windows Credential Manager
macOS	Keychain
Linux	Secret Service

When a cached token expires, Vegha uses the refresh token to obtain a new one if one is available; otherwise it triggers the login flow again.

Required fields

The fields you must supply depend on the grant type:

Field	Authorization Code	Client Credentials	Password
Authorization URL	Yes	—	—
Token URL	Yes	Yes	Yes
Client ID	Yes	Yes	Yes
Client Secret	Optional (PKCE for public clients)	Yes	Optional
Scopes	Yes	Yes	Yes
Redirect URI	Yes	—	—
Username / Password	—	—	Yes

The redirect URI must point at the loopback address (for example http://127.0.0.1:<port>/callback) and be registered with your identity provider.