Overview
Six auth types are built in. Select from the Auth tab in the request builder.
None
No auth headers are sent. This is the default.
Basic
Provide username and password. Scrapeman encodes them as
Authorization: Basic <base64(user:pass)> at send time.
Bearer
Provide a token string. Sent as Authorization: Bearer <token>. The token can
be a {{var}} reference.
API Key
Provide key, value, and placement (header or query). If placement is header, the key-value pair is injected as a request header.
If query, it is appended to the URL as a query parameter.
OAuth 2.0
Three flows ship: client credentials, authorization code, and authorization code + PKCE. Pick from the Flow dropdown in the Auth tab.
Client credentials
Configure:
- Token URL — the authorization server endpoint
- Client ID and Client Secret
- Scope (optional), Audience (optional)
Scrapeman fetches the token automatically before sending the request. Tokens are cached until expiry and refreshed proactively 30 seconds before they run out. Concurrent requests share one in-flight token fetch.
Authorization code / Authorization code + PKCE
Configure:
- Auth URL, Token URL, Client ID
- Client Secret — optional for pure PKCE flows
- Scope, Audience (optional)
Click Get token. Scrapeman opens your default browser to the auth URL, spins up a local
loopback server on a random port, and waits for the redirect callback. The redirect URI is always
http://127.0.0.1:<port>/callback — register that pattern in your authorization server if it
requires an exact match. state and the PKCE code_verifier are validated on callback.
PKCE uses S256 for the code challenge.
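The client side of the flow described above (S256 challenge, loopback redirect URI, state check on callback), as an added example that is not Scrapeman's own code. The function names and parameters are hypothetical, and it assumes Node.js with the built-in crypto module.

```javascript
// Added example, not Scrapeman source; all function names here are hypothetical.
const { createHash, randomBytes, timingSafeEqual } = require('node:crypto');

// RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))
function s256Challenge(verifier) {
  return createHash('sha256').update(verifier, 'ascii').digest('base64url');
}

// Fresh per-attempt secrets: 32 random bytes each -> 43-char base64url strings.
function newAttempt(clientId, port) {
  return {
    clientId,
    state: randomBytes(32).toString('base64url'),
    codeVerifier: randomBytes(32).toString('base64url'),
    redirectUri: `http://127.0.0.1:${port}/callback`,
  };
}
function buildAuthUrl(authUrl, scope, attempt) {
  const u = new URL(authUrl);
  u.searchParams.set('response_type', 'code');
  u.searchParams.set('client_id', attempt.clientId);
  u.searchParams.set('redirect_uri', attempt.redirectUri);
  u.searchParams.set('scope', scope);
  u.searchParams.set('state', attempt.state);
  u.searchParams.set('code_challenge', s256Challenge(attempt.codeVerifier));
  u.searchParams.set('code_challenge_method', 'S256');
  return u.toString();
}

// Validate the redirect received by the loopback server before using the code.
function handleCallback(requestUrl, attempt) {
  const u = new URL(requestUrl, attempt.redirectUri);
  if (u.pathname !== '/callback') throw new Error('unexpected path');
  const got = Buffer.from(u.searchParams.get('state') ?? '');
  const want = Buffer.from(attempt.state);
  // Length check first: timingSafeEqual throws on unequal lengths.
  if (got.length !== want.length || !timingSafeEqual(got, want)) throw new Error('state mismatch');
  if (u.searchParams.has('error')) throw new Error(`authorization failed: ${u.searchParams.get('error')}`);
  const code = u.searchParams.get('code');
  if (!code) throw new Error('missing code');
  // Form body for the token endpoint; the server recomputes S256(code_verifier).
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    client_id: attempt.clientId,
    redirect_uri: attempt.redirectUri,
    code_verifier: attempt.codeVerifier,
  });
}
```

A callback whose state does not match the value generated for this attempt is rejected before the code is exchanged, which is what stops an unsolicited request to the loopback port from injecting an authorization code.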
OIDC discovery
Set the Discovery URL field to a .well-known/openid-configuration endpoint and click
Load. Scrapeman reads the document and autofills Token URL, Auth URL, and the supported
scopes list.
Token placement
By default the access token is sent as Authorization: Bearer <token>. The
accessTokenPlacement field in the .sman file accepts three modes:
- Header (default) — custom header name and prefix supported.
- Query — the token is appended as a query parameter.
- Body — for POST/PUT/PATCH with a form-urlencoded body, the token is added as a form field.
JWT inspector
When the token response contains an access_token or id_token that is a JWT, a
collapsible Token Inspector renders below the token management buttons. The inspector decodes the header
and payload and shows a live countdown to the exp claim. No signature is verified — the panel
is for display only.
AWS Signature v4
Configure:
- Access Key ID and Secret Access Key
- Session Token (optional, for temporary credentials)
- Region (e.g., us-east-1)
- Service (e.g., s3, execute-api)
Scrapeman signs the request using the aws4 library. The signature covers method, URL, headers,
and body.