Authentication Overview

Vegha can attach authentication credentials to your requests automatically. You configure authentication from the Authorization tab, and Vegha applies the credentials when the request is sent.

The Authorization tab

Every request, folder, and collection has an Authorization tab. Choose an auth method from the dropdown and fill in the fields it requires. Vegha computes the necessary headers (or signing) at send time so you do not have to build them by hand.

Supported methods

Vegha supports 14 authentication methods:

Method	Notes
API Key	Sent as a header or query parameter
Bearer	Static or script-supplied bearer token
Basic	Username and password (HTTP Basic)
Digest	HTTP Digest challenge/response
NTLM	Windows-integrated authentication
OAuth1	OAuth 1.0a request signing
OAuth2	Authorization-code (+ PKCE), client-credentials, password grants
AWS SigV4	Signs requests for AWS APIs
WSSE UsernameToken	WS-Security UsernameToken header
mTLS	TLS client certificate for mutual TLS

See the per-method pages for configuration detail:

• API Key, Bearer & Basic
• OAuth2
• mTLS
• AWS SigV4
• Digest, NTLM & other

Where auth is configured

Authentication can be set at three levels:

• Request — applies to a single request.
• Folder — applies to every request inside the folder.
• Collection — applies to every request in the collection.

Inheritance and precedence

Children inherit auth from their parent. When a request, its folder, and its collection all define authentication, the most specific setting wins:

request  overrides  folder  overrides  collection

A request set to Inherit uses the nearest ancestor that defines an auth method. This lets you set credentials once on a collection and let every request reuse them.

Tip

Set shared auth (for example an OAuth2 configuration) on the collection, and only override it on the few requests that need different credentials.

Using variables and secrets in auth fields

Auth field values support {{variable}} interpolation, so you can keep credentials in an environment instead of typing them inline:

Bearer token: {{access_token}}

For sensitive values, use a secret:// URI to reference an external secret manager. These are resolved at send time and never written to your .bru files:

secret://azure-key-vault/prod-api#client-secret

See Secret variables and the Secret managers overview for details.

Local-first

Credentials you type are stored in plain-text .bru files alongside your collection. Use environments and secret:// references to keep secrets out of version control.