Authorization Types
Functional Testing supports several types of authorization:
No Auth
Use this option to explicitly remove the assigned authentication type for a request.
No credentials are sent.
Useful for public endpoints or when authentication is handled elsewhere.
Bearer Token
Use a bearer token (such as a JWT) to authenticate requests. Tokens are masked where appropriate.
The token is sent in the Authorization header. Format:
Authorization: Bearer <token>
Basic Auth
Use a username and password combination.
Credentials are encoded and sent in the Authorization header. Format:
Authorization: Basic <base64(username:password)>
OAuth 2.0 Client Credentials
Use the Client Credentials grant type when your API requires server-to-server authentication, such as accessing internal services or third-party APIs from automated test pipelines. The application authenticates directly using its own credentials, without redirecting the user to a login page.
The token is retrieved from the authorization server using your client credentials. The access token is sent in the Authorization header. Format:
Authorization: <prefix> <access_token>
Tokens are automatically refreshed before expiration in all run contexts, including CI/CD pipelines - no manual token sync required.
To configure OAuth 2.0 Client Credentials, provide the following:
Token URL - The token endpoint URL of your authorization server (e.g., https://auth.example.com/oauth/token).
Client ID - The client identifier registered with your authorization server.
Client secret - The client secret associated with your Client ID.
Scope - A space-separated list of permissions to request from the authorization server (e.g., read:api write:api). Leave empty if your authorization server does not require a scope.
Header Prefix (optional) - The prefix used in the Authorization header. Defaults to Bearer. Change this only if your authorization server requires a different prefix (e.g., token).
Note
OAuth 2.0 Client Credentials profiles are fully supported in private environments. If your authorization server is not publicly accessible, use Reflect Tunnel to route token requests through your local network.
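The following Python code is an added example, not taken from the product: it builds the token request that the OAuth 2.0 Client Credentials fields above describe, then turns a token response into the Authorization header and a refresh deadline. It assumes the client authenticates to the token endpoint with HTTP Basic (RFC 6749 section 2.3.1) and refreshes 30 seconds before expiry; the function names, REFRESH_SKEW and all sample values are hypothetical.

```python
import base64
import time
from urllib.parse import quote_plus, urlencode

REFRESH_SKEW = 30  # assumed safety margin in seconds; not a product setting


def build_token_request(token_url, client_id, client_secret, scope=""):
    """Build the RFC 6749 section 4.4 token request without sending it."""
    if not token_url.startswith("https://"):
        raise ValueError("token URL must be https: the client secret is sent to it")
    form = {"grant_type": "client_credentials"}
    if scope.strip():  # empty scope field: omit the parameter entirely
        form["scope"] = " ".join(scope.split())
    # Assumed client authentication method: HTTP Basic. Each part is
    # form-encoded first, so ':' or '@' in a secret cannot break the pair.
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    basic = base64.b64encode(pair.encode()).decode()
    headers = {
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    return token_url, headers, urlencode(form)


def parse_token_response(body, header_prefix="Bearer", now=None):
    """Map a decoded token response to the API header and a refresh time."""
    now = time.time() if now is None else now
    if "error" in body:
        raise RuntimeError(f"token endpoint error: {body['error']}")
    token = body.get("access_token")
    if not token:
        raise ValueError("response has no access_token")
    expires_in = int(body.get("expires_in", 0))  # missing: refresh at once
    return {
        "header": f"{header_prefix} {token}",
        "refresh_at": now + max(expires_in - REFRESH_SKEW, 0),
    }


if __name__ == "__main__":
    # Constructed sample values; nothing is sent over the network.
    url, headers, form = build_token_request(
        "https://auth.example.com/oauth/token", "ci-runner", "p@ss:word", "read:api write:api")
    print(url, form)  # headers are not printed: they carry the secret
    grant = parse_token_response({"access_token": "constructed-token", "expires_in": 3600}, now=0)
    print("refresh due at t+%ds" % grant["refresh_at"])
```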