Authentication

Ironcall supports three authentication schemes, configured per request (or inherited from a folder) in the Auth tab: Bearer token, Basic auth, and API Key. OAuth2 is not built in; see the note at the end of this page.

Bearer token

In the Auth tab, select Bearer and enter your token. Ironcall automatically adds the Authorization: Bearer <token> header to the request.

Use a variable to keep the token out of the request definition and reference it from your environment:

{{auth_token}}

Basic auth

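Select Basic and enter a username and password. Ironcall Base64-encodes the credentials and injects the Authorization header automatically. Base64 is a reversible encoding, not encryption, so the credentials are only as protected as the connection that carries them. The password field supports secret variables.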

API Key

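Select API Key. Enter a key name and value, then choose whether to send it as a header or a query parameter. Ironcall injects it into every request automatically. A key sent as a query parameter becomes part of the URL, which servers and proxies commonly record in their logs, so prefer the header form where the API accepts it.

Example of an API key sent as a header:

Key          Value
X-API-Key    {{api_key}}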

OAuth2 and token refresh

There is no built-in OAuth2 flow. When you need a short-lived token, fetch it in a pre-script and store it as a variable, then reference that variable with Bearer auth:

// Folder pre-script: obtain a token once and reuse it across requests
if (!ic.env.get("access_token")) {
  // Run a dedicated "login" request earlier in the collection that stores
  // the token via ic.env.set("access_token", ...), then read it here.
  throw new Error("access_token is not set; run the login request first");
}
ic.request.headers["Authorization"] = "Bearer " + ic.env.get("access_token");

A common pattern is a first request in the collection that calls your token endpoint and saves the result with ic.env.set("access_token", ic.response.json().access_token) in its post-script.
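
The pre-script above checks only that a token exists, so an expired token is still sent. The following is an added example, not Ironcall's own code: it extends the same login-request pattern to record expires_in from the token response and to stop before the request when the token is stale. It uses only the ic calls shown on this page; the variable name access_token_expires_at, the 30-second margin, the function names and the fakeIc stand-in are assumptions.

```javascript
// Added example, not Ironcall's own code. `ic` is passed in as a parameter so
// the functions also run against the constructed stand-in at the bottom.
const SKEW_SECONDS = 30; // assumption: treat the token as expired this early

// Post-script of the login request: store the token and its absolute expiry.
function saveToken(ic, nowMs = Date.now()) {
  const body = ic.response.json();
  if (typeof body.access_token !== "string" || body.access_token === "") {
    throw new Error("token endpoint response has no access_token");
  }
  ic.env.set("access_token", body.access_token);
  // expires_in is optional in an OAuth2 token response; without it the expiry
  // is stored empty and only the presence check below applies.
  const ttl = Number(body.expires_in);
  const expiresAt = Number.isFinite(ttl) && ttl > 0 ? String(nowMs + ttl * 1000) : "";
  ic.env.set("access_token_expires_at", expiresAt); // hypothetical variable name
}

// Folder pre-script: attach the token, or fail before the request is sent.
function applyBearer(ic, nowMs = Date.now()) {
  const token = ic.env.get("access_token");
  if (!token) {
    throw new Error("access_token is not set; run the login request first");
  }
  const expiresAt = Number(ic.env.get("access_token_expires_at"));
  if (expiresAt > 0 && nowMs >= expiresAt - SKEW_SECONDS * 1000) {
    ic.env.set("access_token", ""); // drop the stale token so it is not reused
    throw new Error("access_token has expired; run the login request again");
  }
  ic.request.headers["Authorization"] = "Bearer " + token;
}

// Constructed stand-in for the `ic` object, for running outside Ironcall.
function fakeIc(responseBody) {
  const vars = new Map();
  return {
    env: { get: (k) => vars.get(k), set: (k, v) => vars.set(k, v) },
    request: { headers: {} },
    response: { json: () => responseBody },
  };
}

// Constructed token response: issued at t=0, valid for 300 seconds.
const demo = fakeIc({ access_token: "constructed-token", expires_in: 300 });
saveToken(demo, 0);
applyBearer(demo, 60000); // one minute later the token is still valid
console.log(demo.request.headers["Authorization"]);
```

Inside Ironcall, the body of saveToken goes in the login request's post-script and the body of applyBearer in the folder pre-script, with ic taken from the script environment instead of a parameter.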