Authorization

Testfully supports various Authorization schemes including but not limited to OAut2, Basic Authentication, API Key, and Bearer Token. This page includes everything you need to leverage this feature.

Authorization Schemes

Various Authorization schemes and their support status.

SchemeStatus
OAuth 2
Supported
Basic Authentication
Supported
Bearer Token
Supported
API Key
Supported
AWS Signature
Supported
OAuth 1.0
Supported
Akamai EdgeGrid
Supported
NTLM
Supported

Authorization Settings

Authorization settings can be applied to a request, an environment, or a folder.

Requests

To configure authorization settings for a request, open a request and click on the Authorization tab.

Environments
Lite Plan

Environments can be configured to have an authorization scheme. Requests that are executed against a particular environment inherit the environment's authorization settings. Requests with a configured Authorization scheme won't inherit the scheme from the parent environment.

To configure authorization for an environment:

  1. Open the environment
  2. Click on the Authorization tab
  3. Set the desired scheme
  4. Click on Save

Folders

Requests without Authorization settings inherit authorization settings of their parent folder. Requests with a configured Authorization scheme won't inherit the scheme from the parent folder.

To configure authorization for a folder:

  1. Hover over the folder, and click on the "..." button
  2. Click on the Authorization tab
  3. Set the desired scheme
  4. Click on Save

Using globals & environment variables

Most input fields within Authorization settings accept global and environment variables. To embed a global or an environment variable, simply type {{variable_name}}.

Demo

In this demo, we will go through the process of using Testfully's authorization feature to authorize an API call.

Authorization types supported by Testfully

No Auth

Select No Auth from the Authorization tab's Method dropdown list if your request doesn't require authorization. Testfully will not send any authorization details with the request.

Basic Auth

Basic authentication involves sending a verified username and password with your request.

  1. Select Basic Auth: From the Authorization tab, choose Basic Auth from the Method dropdown list.
  2. Enter Credentials: Input your API username and password in the Username and Password fields.
  3. Specify Header Name: The header name is typically Authorization.
  4. Specify Prefix: The prefix is typically Basic.

In the request headers, the Authorization header will pass a Base64 encoded string representing your username and password values, appended to the text Basic as follows:

Basic <Base64 encoded username and password>

Bearer Token

Bearer tokens enable requests to authenticate using an access key, such as a JSON Web Token (JWT).

  1. Select Bearer Token: From the Authorization tab, choose Bearer Token from the Method dropdown list.
  2. Enter Token: Input your API key value in the Token field.
  3. Specify Header Name: The header name is typically Authorization.
  4. Specify Prefix: The prefix is typically Bearer.

Testfully will append the token value to the text Bearer in the required format to the request Authorization header as follows:

Bearer <Your API key>

API Key

With API key authorization, you send a key-value pair to the API either in the request headers or query parameters.

  1. Select API Key: From the Authorization tab, choose API Key from the Method dropdown list.
  2. Enter Key and Value: Input your API key value.
  3. Specify Field Name: Enter the field name for the API key.
  4. Specify Location: Select either Request Headers or Query String from the Section dropdown list.

Testfully will append the relevant information to your request headers or the URL query string.

OAuth 2.0

OAuth 2.0 is an authorization framework that enables applications to obtain limited access to user accounts on an HTTP service.

  1. Select OAuth 2.0: From the Authorization tab, choose OAuth 2.0 from the Method dropdown list.
  2. Configure OAuth 2.0: Provide the necessary details such as provider, grant type, token refresh policy, and URLs for callback, authorization, and access token.
  3. Enter Client Details: Provide the client ID, client secret, and any other required details such as scope and audience.

AWS Signature Version 4 Authorization

AWS Signature Version 4 (AWS SigV4) is at the forefront of securing and authenticating API requests across AWS services. This method signs requests with a set of credentials that includes an Access Key ID and Secret Access Key, as well as an optional Session Token. This process ensures your API calls are secure, authenticated, and free from unauthorized access or alteration.

Using AWS Signature V4 in Testfully

To use AWS Signature V4 in Testfully, you must provide particular information that allows the secure signing of your API requests. Here's an outline of each required and optional field:

  • Access Key ID: Your AWS account's unique identifier, which is used to identify you as the sender of the request.
  • Secret Access Key: A secret associated with the Access Key ID, used to encrypt your request signature.
  • AWS Region: The region where your AWS request is being sent. This must be specified in lowercase, such as us-west-2.
  • AWS Service Name: The name of the AWS service you are accessing, also in lowercase, e.g., s3.
  • Session Token (Optional): Required only for temporary credentials that typically come from the AWS Security Token Service (STS).
  • Auth Data Placement: Specifies where the authentication data will be placed in the request. Depending on the API's requirements, this could be in the header or as a query parameter.

You can set up AWS Signature V4 in Testfully for a request, an environment, or a folder. The process is similar to setting up other authorization schemes, as outlined in the previous section.

Best Practices

When configuring AWS Signature V4 in Testfully, consider the following best practices:

  • Use Variables for Sensitive Information: Always use variables for fields like Access Key ID and Secret Access Key. This secures your tests and simplifies the process of updating credentials.
  • Session Token Is Optional: Only include the Session Token if you are using temporary credentials. For long-term credentials, this field can be omitted.
  • Validity of Region and Service Name: Ensure the AWS Region and Service Name are correct and lowercase. Incorrect values can result in failed API requests.
Next
Getting started