API Key
Static key passed via header, query string, or cookie
Request URL
GET
/api-key
Send key in:
Demo Credentials
Header NameX-API-Key
Header Valuerq_demo_key
cURL Examples
curl -H "X-API-Key: rq_demo_key" http://localhost:3000/api-key
curl "http://localhost:3000/api-key?api_key=rq_demo_key&in=query"
curl -b "API_KEY=rq_demo_key" "http://localhost:3000/api-key?in=cookie"
URL Pattern
GET
/api-key/{name}/{value}?in={location}
Your Credentials
Key Name
Key Value
Location
Generated URL
GET
/api-key/myapp/my_secret_key?in=header
Bearer Token
Static opaque token in the Authorization header
Request URL
GET
/bearer-data
Demo Credentials
HeaderAuthorization
PrefixBearer
Tokenrq_static_token
cURL Example
curl -H "Authorization: Bearer rq_static_token" http://localhost:3000/bearer-data
URL Pattern
GET
/bearer?token={expected}
Your Credentials
Token
Generated URL
GET
/bearer?token=my_custom_token
HTTP Basic Auth
Base64-encoded username and password in the Authorization header
Request URL
GET
/basic-data
Demo Credentials
Usernametestuser
Passwordtestpass
cURL Example
curl -u testuser:testpass http://localhost:3000/basic-data
URL Pattern
GET
/basic-auth/{user}/{pass}
Your Credentials
Username
Password
Generated URL
GET
/basic-auth/alice/secret
HTTP Digest Auth
Challenge-response authentication with MD5 or SHA-256 hashes
Request URL
GET
/digest-resource
Demo Credentials
Usernametestuser
Passwordtestpass
Settings
QOPauth / auth-int
AlgorithmsMD5 · MD5-sess · SHA-256 · SHA-256-sess · SHA-512-256 ·
SHA-512-256-sess
cURL Examples
curl --digest -u testuser:testpass http://localhost:3000/digest-resource
curl --digest -u testuser:testpass "http://localhost:3000/digest-resource?algorithm=SHA-256"
curl --digest -u testuser:testpass "http://localhost:3000/digest-resource?algorithm=SHA-512-256"
curl --digest -u testuser:testpass "http://localhost:3000/digest-resource?algorithm=SHA-256-sess"
URL Pattern
GET
/digest-auth/{qop}/{user}/{pass}
Your Credentials
Username
Password
QOP
Algorithm
Generated URL
GET
/digest-auth/auth/alice/secret?algorithm=SHA-256
JWT Bearer
Cryptographically signed JSON Web Token with HS256 or RS256
Algorithm
Request URL
GET
/jwt/validate?algorithm=HS256
Demo Credentials
Signing keyrq-playground-hs256-demo-secret-key-do-not-use-in-production
Token Template
Payload (JSON){"sub":"demo-user","iss":"requestly-playground","aud":"requestly-playground"}
JWT headers (JSON){"alg":"HS256","typ":"JWT"}
Private key is regenerated on every server restart.
How to send the JWT
Add JWT to:
Send as header:
Authorization: Bearer <token>
Send as query param:
?token=<token>
Helper endpoints
Generate a demo token
Get a freshly-signed JWT to test against the Request URL
above.
GET
/jwt/generate?algorithm=HS256
Fetch the signing key
Secret (HMAC) or private key (asymmetric) so your client
can sign its own JWTs.
GET
/jwt/signing-key?algorithm=HS256
cURL Examples
curl -H "Authorization: Bearer <YOUR_TOKEN>" 'http://localhost:3000/jwt/validate?algorithm=HS256'
curl 'http://localhost:3000/jwt/generate?algorithm=HS256'
OAuth 1.0
Signed requests with HMAC, PLAINTEXT, or RSA signature methods
Signature Method
Request URL
GET
/oauth1-resource
Demo Credentials
Consumer KeyRKCGzna7bv9YD57c
Consumer SecretD+EdQ-gs$-%@2Nu7
Access Tokenrq_demo_oauth1_token
Token Secretrq_demo_oauth1_token_secret
RSA private key is regenerated on every server restart.
Settings
Realm
Helper endpoint
Fetch the signing key
Shared secret + token secret (HMAC/PLAINTEXT) or RSA
private key (RSA-*) for your client.
GET
/oauth1/signing-key?method=HMAC-SHA1
OAuth 2.0
Full authorization server with PKCE, refresh tokens, and OIDC userinfo
Grant Type
Deprecated by OAuth 2.1. Use Authorization Code with PKCE for new integrations.
Deprecated by OAuth 2.1. Only for trusted first-party apps.
Request URL
GET
/oauth2-private
Demo Credentials
Client ID (Public)rq_demo_public_client
Client ID (Confidential)rq_demo_confidential_client
Client Secretrq_demo_client_secret
Usernametestuser
Passwordtestpass
Settings
Auth URL/oauth2/authorize
Token URL/oauth2/token
Scoperead
Settings
Token URL/oauth2/token
Scoperead
Helper Endpoints
Authorization
Redirect the user here to grant access to your app.
GET
/oauth2/authorize
Callback
Receives the authorization code after user approval.
GET
/oauth2/callback
Token Exchange
Exchange code/credentials for an access token.
POST
/oauth2/token
User Info
Fetch user profile with a valid access token (OIDC).
GET
/oauth2/userinfo
Introspect Token
Check if a token is active, its scope, and expiry.
POST
/oauth2/introspect
Revoke Token
Invalidate an access or refresh token.
POST
/oauth2/revoke
cURL Example
Hawk Authentication
HMAC-SHA256 message authentication with payload integrity
Algorithm
Request URL
GET
/hawk-resource?algorithm=sha256
Demo Credentials
Hawk Auth IDrq_hawk_id
Hawk Auth Keyrq_hawk_key
URL Pattern
GET
/hawk/{id}/{key}?algorithm={algorithm}
Your Credentials
Hawk ID
Hawk Key
Algorithm
Generated URL
GET
/hawk/my_hawk_id/my_hawk_key?algorithm=sha256