OAuth 2.0 authentication in Bruno
This OAuth 2 implementation is specific to Bruno v2.x.x. If you are using Bruno v1.x.x, please see the documentation for that version.
This document describes the new OAuth 2 implementation available in v2.x.x. This new approach simplifies authentication handling compared to the previous version.
Overview
Bruno supports OAuth 2 authentication at both collection and request levels:
- Collection Level: Configure once and share across multiple requests
- Request Level: Configure for specific requests, overriding collection settings if needed
Features & Improvements
- Simplified Configuration: You no longer need to separately configure authorization and resource requests
- Automatic Token Management: No scripting is required to set headers for the resource URL
- Automatic Token Injection: Bruno automatically adds the token to request headers or parameters based on your configuration
- Token Data Access: Access token data using variables: {{$oauth2.<tokenId>.access_token}} within the collection
- Auto-fetch and Auto-refresh: Bruno can automatically fetch new tokens when needed and refresh tokens when they expire, providing a seamless authentication experience
Auto-fetch and Auto-refresh
Bruno includes two powerful token management features:
- Auto-fetch: Automatically fetches a new token when you try to access a protected resource and don’t have a valid token
- Auto-refresh: Automatically refreshes your token using the refresh URL when it expires
These settings can be configured separately for each OAuth2 implementation and help streamline your API testing workflow by reducing manual token management tasks.

Accessing OAuth2 Tokens in Scripts
You can access OAuth2 tokens in your scripts using the bru.getOauth2CredentialVar() function.
Syntax
bru.getOauth2CredentialVar('$oauth2.<Token ID>.access_token')
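
A script-side check built on the call above, as an added example that is not part of Bruno's documentation: it reads the access token and reports whether one is present and, when it is a JWT with an exp claim, how long it remains valid, without printing the token itself. The token ID demo_api, the stub bru object and the sample token are constructed for illustration, and treating the access token as a JWT is an assumption, since many providers issue opaque tokens.

```javascript
// Added example, not Bruno's own code. The stub `bru`, the token ID
// "demo_api" and the sample JWT are constructed so it runs outside Bruno.

// Decode one base64url JWT segment; returns null when it is not JSON.
function decodeSegment(segment) {
  try {
    const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Summarise the stored access token without ever returning its value.
function summarizeOauth2Token(bruApi, tokenId, nowSeconds) {
  const token = bruApi.getOauth2CredentialVar(`$oauth2.${tokenId}.access_token`);
  if (typeof token !== 'string' || token.length === 0) {
    return { present: false, jwt: false, expired: null, secondsLeft: null };
  }
  const parts = token.split('.');
  const claims = parts.length === 3 ? decodeSegment(parts[1]) : null;
  if (!claims || typeof claims.exp !== 'number') {
    // Opaque token, or a JWT without exp: expiry cannot be judged locally.
    return { present: true, jwt: Boolean(claims), expired: null, secondsLeft: null };
  }
  const secondsLeft = claims.exp - nowSeconds;
  return { present: true, jwt: true, expired: secondsLeft <= 0, secondsLeft };
}

// Constructed stand-ins for Bruno's runtime and for a real token.
function makeStubBru(vars) {
  return { getOauth2CredentialVar: (key) => vars[key] };
}
function makeSampleJwt(exp) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ sub: 'demo', exp })}.constructed`;
}

// Inside Bruno, pass the real `bru`; elsewhere fall back to the stub.
const api = typeof bru !== 'undefined'
  ? bru
  : makeStubBru({ '$oauth2.demo_api.access_token': makeSampleJwt(1700000600) });
console.log(summarizeOauth2Token(api, 'demo_api', Math.floor(Date.now() / 1000)));
```

The summary object is safe to log in test output or CI because it carries only presence and expiry, never the bearer token.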