Credentials
Learn about proxy and target credentials, how to create and manage them
Credentials
RequestRocket has two types of credentials that work together to secure your API traffic.
Understanding Credential Types
Proxy Credentials
Proxy credentials are used by your application to authenticate with RequestRocket's proxy service. These credentials ensure that only authorized applications can access your proxy endpoints.
When you create a proxy, you'll need to associate it with a proxy credential. This determines how your application authenticates with RequestRocket.
Target Credentials
Target credentials are used by RequestRocket to authenticate with your target APIs or services. These credentials are securely stored and used when RequestRocket forwards requests to your target endpoints.
When RequestRocket makes requests to your target API, it uses the target credential to authenticate, so your target API sees properly authenticated requests.
Think of it this way: Proxy credentials protect RequestRocket from unauthorized access, while target credentials allow RequestRocket to access protected APIs on your behalf.
Important: Once created, credential secrets cannot be viewed or edited for security reasons. Make sure to save any necessary information before saving the credential.
Supported Authentication Types
We support the creation of credentials for the following authentication types.
API Key
Used for services that require an API key in headers.
Available for: Proxy and Target credentials
Example usage:
GET /api/resource HTTP/1.1
X-API-Key: your-api-key-hereBearer Token
OAuth 2.0 bearer token authentication.
Available for: Proxy and Target credentials
Example usage:
GET /api/resource HTTP/1.1
Authorization: Bearer your-token-hereOptional prefix: You can configure an optional prefix (e.g., Bearer , Token , or custom prefix)
JWT (JSON Web Token)
Custom JWT authentication where you provide the token.
Available for: Proxy and Target credentials
Example usage:
GET /api/resource HTTP/1.1
Authorization: your-jwt-token-hereJWT Verify
Cryptographic JWT verification for inbound requests. RequestRocket verifies the JWT signature against public keys from a JWKS endpoint (or a shared secret for HS256), rather than comparing a static token string. Designed for AI agents and service identities issued short-lived credentials by SPIFFE/SPIRE, Auth0, Okta, Cognito, Azure AD, or any standard JWT issuer.
Available for: Proxy credentials only
Example usage:
GET /api/resource HTTP/1.1
Authorization: Bearer eyJhbGciOiJSUzI1NiIsInR5...How it works: On first use, RequestRocket fetches public keys from your JWKS endpoint and caches them on the credential record. Subsequent requests with the same token are approved from cache without cryptographic re-verification. When a new token is presented (e.g. after SPIRE rotation), full verification runs again.
Required fields:
algorithms— Signing algorithms to accept (e.g.["RS256"],["ES256"],["HS256"])
Signing source (exactly one required):
jwksUri— JWKS or SPIFFE trust bundle URL (for RS256/ES256)sharedSecret— Shared secret string (for HS256)
Optional claim matching (only validated when provided):
issuer— Expectedissclaim (e.g.spiffe://acmecorp.com). If omitted, any issuer is accepted.audience— One or more expectedaudvalues (e.g.https://global.requestrocket.net). The token is accepted if at least one value matches. If omitted, audience is not checked.subject— Expectedsubclaim; supports wildcard suffix (e.g.spiffe://acmecorp.com/agents/*). If omitted, any subject is accepted.
Other optional fields:
clockSkewSeconds— Tolerance for clock drift (default: 30)jwksRefreshHint— Override JWKS cache TTL in seconds (default: derived from bundle or 3600)failPolicy— Behaviour when JWKS endpoint is unreachable:fail-closed(default, safest) orfail-open(serve from stale cache)requiredClaims— Additional claims to validate beyond sub/iss/aud
JWT Verify uses a two-tier cache: first a fast string comparison against the last verified token, then full cryptographic verification when the token changes. This minimises latency on the hot path while remaining secure.
Azure App / Graph API Guidance
Azure Active Directory (Microsoft Entra ID) issues different token types depending on which resource you request. This distinction is critical when configuring a JWT Verify credential.
Microsoft Graph tokens cannot be verified with JWT Verify. If your token's aud claim is 00000003-0000-0000-c000-000000000000 (the Microsoft Graph resource ID), the token is an opaque credential intended only for the Graph API. Microsoft does not guarantee that these tokens are standard JWTs and they cannot be validated by third parties using JWKS — signature verification will fail even if the key is correct.
Similarly, tokens containing a nonce field in the JWT header are Continuous Access Evaluation (CAE) tokens, which also cannot be validated with standard JWT libraries.
Getting the right token
To issue tokens that are validatable by JWT Verify, you must request a token scoped to your own application, not to Microsoft Graph.
Change the scope parameter in your token request from .default to api://<your-client-id>/.default:
curl --location 'https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials' \
--data-urlencode 'client_id=<your-client-id>' \
--data-urlencode 'client_secret=<your-client-secret>' \
--data-urlencode 'scope=api://<your-client-id>/.default'Using scope=.default with no resource prefix defaults to Microsoft Graph, which produces an unverifiable token. Prefixing with api://<your-client-id> targets your own application and produces a token you can verify.
Token version and JWKS URI
Azure AD issues either v1.0 or v2.0 tokens. You can determine which version you have by inspecting the iss claim:
iss prefix | Token version | Correct JWKS URI |
|---|---|---|
https://sts.windows.net/ | v1.0 | https://login.microsoftonline.com/<tenant-id>/discovery/keys |
https://login.microsoftonline.com/<tenant-id>/v2.0 | v2.0 | https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys |
To ensure v2.0 tokens are issued for your application, set accessTokenAcceptedVersion to 2 in the app manifest:
- Go to Azure Portal → App Registrations → your app → Manifest
- Find the
"accessTokenAcceptedVersion"field - Change
nullto2and save
JWT Verify credential configuration for Azure AD (v2.0)
With accessTokenAcceptedVersion: 2 set and using your own app scope, configure the credential as follows:
| Field | Value |
|---|---|
| JWKS URI | https://login.microsoftonline.com/<tenant-id>/discovery/v2.0/keys |
| Issuer | https://login.microsoftonline.com/<tenant-id>/v2.0 |
| Audience | <your-client-id> (e.g. e9a62ab1-770f-46da-b297-a218e1597b3f) |
| Algorithms | RS256 |
The resulting token will have aud set to your client ID and an iss matching the v2.0 format — both verifiable by JWT Verify using standard JWKS.
Basic Auth
Username and password authentication using HTTP Basic Auth.
Available for: Proxy and Target credentials
Example usage:
GET /api/resource HTTP/1.1
Authorization: Basic base64(username:password)OAuth2
Full OAuth2 authentication flow support.
Available for: Target credentials only
Supported flows:
- Authorization Code
- Client Credentials
- (More flows in development)
For OAuth2 targets using the authorization_code flow, use this callback URL: https://api.requestrocket.com/webhooks/oauth2
Custom
Custom authentication with configurable headers.
Available for: Target credentials only
Use case: For APIs that require custom authentication headers or non-standard authentication patterns.
Configuration:
- Additional headers
- Additional query parameters
- Additional body data
Custom Token
Dynamic token fetching from an authentication endpoint, with automatic token refresh and expiration management.
Available for: Target credentials only
Use case: For APIs that require you to fetch a token from a separate authentication endpoint before making requests. RequestRocket will automatically fetch, cache, and refresh the token as needed.
Configuration:
Token Request Configuration
Configure how to fetch the token:
- Token URL: The endpoint to fetch the authentication token from
- HTTP Method: GET or POST
- Token Request Headers: Headers to include in the token request (JSON format)
- Token Request Query Params: Query parameters for the token request (JSON format)
- Token Request Body: Body data for POST requests (JSON format)
Token Extraction Configuration
Configure how to extract the token from the response:
- Token Path: JSON path to the token (e.g.,
access_tokenordata.token) - Expiry Method: How the expiry is formatted:
expires_in- seconds from nowexpires_in_ms- milliseconds from nowexpires_at- Unix timestampexpires_at_iso- ISO 8601 date string (coming soon)
- Token Expiry Path: JSON path to the expiry value (optional)
Token Application Configuration
Configure how to apply the token to target API requests:
- Key Name: Header or query parameter name (e.g.,
Authorization,api_key) - Add to Header or Query Param: Toggle between adding to headers or query parameters
- Prefix: Optional prefix for the token value (e.g.,
BearerforBearer {token})
Additional Request Fields (Optional)
These fields will be appended to every target API request:
- Additional Headers: Extra headers to add to target requests (JSON format)
- Additional Query Params: Extra query params to add to target requests (JSON format)
- Additional Body Data: Extra body data to add to target requests (POST/PUT/PATCH only, JSON format)
The test endpoint feature in the UI allows you to verify your token configuration and see the extracted token and expiry values before saving.
Testing Target Credentials
Before saving a target credential, you can send a live test request to verify it works correctly. The credential is applied to the request exactly as it would be when RequestRocket proxies real traffic — letting you catch configuration mistakes before they affect production.
Credential testing is available for API Key, Bearer, JWT, Basic Auth, Custom, and None credential types. OAuth2 uses its own interactive consent flow, and Custom Token has a dedicated token endpoint tester within its configuration form.
How to Test
When creating a new target credential, expand the Test Credential card that appears below the Secret section. Configure your test request and click Test Credential.
Choose a URL
Select how to specify the request URL:
Select Target — pick an existing target from the dropdown. The path field is pre-populated with that target's configured Test Path. You can edit the path for this test run without changing the saved value.
Full URL — enter a complete URL (including path) directly, without selecting a target. Useful for testing against a specific endpoint before a target has been created.
Configure the Request
- HTTP Method:
GETorPOST - Additional Request Headers (optional): Extra headers to include alongside the credential headers, in JSON format
- Additional Query Parameters (optional): Extra query params to append, in JSON format
- Request Body (optional, POST only): JSON body to send with the request
The credential headers are always applied — you cannot override them via the additional fields. For example, if the credential sets Authorization, that value cannot be replaced by an additional header with the same key.
Run the Test
Click Test Credential. The status is shown inline:
- A green check and HTTP status code indicate the request succeeded (2xx–3xx)
- A red cross with status code indicates an error response from the target
Click View Response to inspect the full response headers and body.
What Gets Applied
The credential is converted to request headers and/or query parameters before the test request is sent:
| Auth Type | Applied as |
|---|---|
API Key (addToHeader: true) | Header [key]: [prefix] [value] |
API Key (addToHeader: false) | Query parameter [key]=[value] |
| Bearer | Authorization: [prefix] [token] |
| JWT | Authorization: [prefix] [token] |
| Basic Auth | Authorization: Basic [base64(user:pass)] |
| Custom | additionalHeaders and additionalQueryParams from the secret |
| None | No credential headers — request is unauthenticated |
Any additionalHeaders and additionalQueryParams configured on the credential secret are also merged into the test request.
Important Notes
Regional Constraints
Credentials are constrained to the region in which they are created. If you need to deploy proxies in multiple regions, you'll need to create credentials in each region.
All components of a proxy must be in the same region: proxy credential, target credential, target, and proxy itself.
Credential Management
- Viewing Secrets: Credentials secrets cannot be viewed after creation for security reasons
- Editing: You can edit credential metadata (name, notes) but not the secret values
- Deletion: Deleting a credential will also delete any associated proxy definitions since they are linked to the credential
- Multiple Credentials: You can create multiple credentials of each type
If you want to delete a credential, but keep a proxy that is using it, replace the credential on the proxy before deleting the credential.
Security Features
All credential secrets are:
- Encrypted using AES-256-GCM before storage
- Never transmitted or logged in plaintext
- Securely deleted when credentials are removed
Troubleshooting
Authentication Failures
Issue: Receiving proxy-access-denied in response headers
Solution: Verify that:
- You're using the correct proxy credential
- The credential format matches the expected auth type
- The credential hasn't been deleted or disabled
Target Authentication Failures
Issue: Receiving proxy-access-granted but still getting 401/403 errors
Solution: The issue is with the target credential:
- Use the Test Credential feature when creating a new credential to verify it works before saving
- Verify the target credential is configured correctly
- Check that the target API credentials haven't expired
- Ensure the target credential has necessary permissions