Apidog Docs

OAuth 2.0

OAuth 2.0 is a widely-used authorization framework that enables third-party applications to obtain limited access to user accounts on an HTTP service. Apidog can directly generate OAuth 2.0 tokens according to the specification and attach them to requests automatically, eliminating the need to generate tokens in external tools.
Authorization Grant Types

OAuth 2.0 supports multiple authorization grant types, each suited for different use cases. Select the appropriate grant type based on your application's requirements and the API provider's specifications.

| Grant Type | Use Case | Security | When to Use |
| --- | --- | --- | --- |
| Authorization Code | Server-side web apps | High | Most common flow for web applications |
| Authorization Code (With PKCE) | Mobile/SPA apps | Very High | Enhanced security for public clients |
| Implicit | Browser-based apps (legacy) | Medium | Deprecated, use PKCE instead |
| Password Credentials | Trusted first-party apps | Medium | Direct username/password exchange |
| Client Credentials | Machine-to-machine | High | Service-to-service authentication |

Grant Type Selection: Choose the grant type that matches your API provider's requirements. Using the wrong grant type will result in authentication failures.

Configuration: Authorization Code

The Authorization Code flow is the most secure and commonly used OAuth 2.0 flow for web applications.

Required Fields

| Field | Description | Source |
| --- | --- | --- |
| Auth URL | The authorization endpoint URL | API provider's OAuth documentation |
| Access Token URL | The token endpoint URL | API provider's OAuth documentation |
| Callback URL | Your application's redirect URI | Your application (must be registered with provider) |
| Client ID | Your application identifier (App ID) | API provider's developer console |
| Client Secret | Your application secret (App Secret) | API provider's developer console |

Obtaining a Token

  1. Fill in all required fields in the OAuth 2.0 configuration
  2. Click the Get Token button
  3. A login page will pop up in your browser
  4. Complete the login and authorization process
  5. The login page will automatically close
  6. The token will be automatically obtained and displayed

After successfully obtaining the token, the token content and its validity period will be displayed on the interface. When you click the Run button, the generated token will be automatically attached to the Authorization header with the Bearer prefix.

Token Type Selection

If the OAuth 2.0 service returns both Access Token and ID Token, Apidog will use the Access Token by default.

Switching Token Types: To use the ID Token instead, select ID Token in the "Token Type Used" option. This is useful when working with OpenID Connect (OIDC) implementations.

Token Refresh

If Refresh Token is available:
  • A Refresh Token button will appear
  • Click it to obtain a new access token without re-authenticating
  • No login window will pop up

If Refresh Token is not available:
  • Click the Obtain Token Again button
  • A login window will pop up for re-authentication

Switching Login Accounts

OAuth 2.0 login pages typically remember your login status. To change accounts:

  1. Click the Clear Cookies button
  2. Click Obtain Token
  3. Log in with a different account

Advanced Settings

Click the Advanced option to configure additional OAuth 2.0 parameters. If left blank, they will be generated automatically.

| Setting | Description | Purpose |
| --- | --- | --- |
| Scope | Authorization scope | Limits the range of resources to be accessed |
| State | Random string parameter | Prevents Cross-Site Request Forgery (CSRF) attacks |
| Credentials | How to send client credentials | Send as Basic Auth header or Send client credentials in body |
| Refresh Token URL | Custom refresh endpoint | Use if different from Access Token URL |
| HTTP Authorization Prefix | Token prefix in header | Default is Bearer, customize if needed |

Security Best Practice: Always use the State parameter to prevent CSRF attacks. Apidog generates this automatically if left blank.
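
What the State and Credentials settings above correspond to in an Authorization Code exchange, shown as an added Python example (not Apidog's own code). The authorization endpoint, client ID, client secret and function names are constructed placeholders; the callback URL is the one given in the FAQ on this page.

```python
import base64
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed placeholder values; substitute your provider's registered values.
AUTH_URL = "https://auth.example.com/authorize"
CALLBACK_URL = "https://oauth.apidog.com/v1/browser-callback"  # from this page
CLIENT_ID = "example-client-id"
CLIENT_SECRET = "example-client-secret"


def build_authorization_url(scope):
    """Return (url, state); the caller stores state until the callback arrives."""
    state = secrets.token_urlsafe(32)  # unguessable, generated per request
    query = urlencode({
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": CALLBACK_URL,
        "scope": scope,
        "state": state,
    })
    return f"{AUTH_URL}?{query}", state


def code_from_callback(callback_url, expected_state):
    """Return the authorization code only when the echoed state matches."""
    params = parse_qs(urlsplit(callback_url).query)
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned.encode(), expected_state.encode()):
        raise ValueError("state mismatch: discard this callback")
    if "code" not in params:
        raise ValueError(params.get("error", ["missing code"])[0])
    return params["code"][0]


def token_request(code, credentials_in_body=False):
    """Return (headers, form) for the POST to the Access Token URL."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": CALLBACK_URL}
    if credentials_in_body:  # "Send client credentials in body"
        form.update(client_id=CLIENT_ID, client_secret=CLIENT_SECRET)
    else:  # "Send as Basic Auth header"
        basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode())
        headers["Authorization"] = "Basic " + basic.decode()
    return headers, form
```

A callback whose state does not match the stored value is rejected before the code is ever sent to the token endpoint, which is the CSRF protection the State setting provides.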

FAQs

What is the official redirect URI used by Apidog for OAuth 2.0 authentication?

When setting up OAuth 2.0 authentication for your API in Apidog, you may need to register an official redirect URI in your authorization server or client settings. This ensures the OAuth flow can complete successfully and that Apidog can receive the access token after authorization.

✅ Apidog's Official Redirect URI:
https://oauth.apidog.com/v1/browser-callback

📌 When to Use It:
If your API uses the OAuth 2.0 Authorization Code Flow, and you are configuring client settings (such as in your OAuth provider or Identity Platform), then you should add this URI to the "Redirect URIs" or "Callback URLs" field.
Modified at 2026-01-22 10:53:56