Initial plan

Http response events (#326 )
Immediate cancellation
2026-05-21 07:07:16 +02:00 · 2025-12-22 18:54:12 +00:00 · 2025-12-21 14:34:37 -08:00 · 2025-12-21 06:28:36 -08:00 · 2025-12-21 06:24:01 -08:00 · 2025-12-20 14:48:23 -08:00
760 changed files with 39955 additions and 18500 deletions
@@ -1,6 +0,0 @@
-node_modules/
-dist/
-.eslintrc.cjs
-.prettierrc.cjs
-src-web/postcss.config.cjs
-src-web/vite.config.ts
@@ -1,49 +0,0 @@
-module.exports = {
-  extends: [
-    'eslint:recommended',
-    'plugin:react/recommended',
-    'plugin:react-hooks/recommended',
-    'plugin:import/recommended',
-    'plugin:jsx-a11y/recommended',
-    'plugin:@typescript-eslint/recommended',
-    'eslint-config-prettier',
-  ],
-  plugins: ['react-refresh'],
-  parser: '@typescript-eslint/parser',
-  parserOptions: {
-    project: ['./tsconfig.json'],
-  },
-  ignorePatterns: [
-    'scripts/**/*',
-    'packages/plugin-runtime/**/*',
-    'packages/plugin-runtime-types/**/*',
-    'src-tauri/**/*',
-    'src-web/tailwind.config.cjs',
-    'src-web/vite.config.ts',
-  ],
-  settings: {
-    react: {
-      version: 'detect',
-    },
-    'import/resolver': {
-      node: {
-        paths: ['src-web'],
-        extensions: ['.ts', '.tsx'],
-      },
-    },
-  },
-  rules: {
-    'react-refresh/only-export-components': 'error',
-    'jsx-a11y/no-autofocus': 'off',
-    'react/react-in-jsx-scope': 'off',
-    'import/no-unresolved': 'off',
-    '@typescript-eslint/consistent-type-imports': [
-      'error',
-      {
-        prefer: 'type-imports',
-        disallowTypeAnnotations: true,
-        fixStyle: 'separate-type-imports',
-      },
-    ],
-  },
-};
@@ -1,2 +1,5 @@
 src-tauri/vendored/**/* linguist-generated=true
 src-tauri/gen/schemas/**/* linguist-generated=true
+
+# Ensure consistent line endings for test files that check exact content
+src-tauri/yaak-http/tests/test.txt text eol=lf
@@ -1,15 +1,3 @@
 # These are supported funding model platforms

 github: gschier
-patreon: # Replace with a single Patreon username
-open_collective: # Replace with a single Open Collective username
-ko_fi: # Replace with a single Ko-fi username
-tidelift: # Replace with a single Tidelift platform-name/package-name e.g., npm/babel
-community_bridge: # Replace with a single Community Bridge project-name e.g., cloud-foundry
-liberapay: # Replace with a single Liberapay username
-issuehunt: # Replace with a single IssueHunt username
-lfx_crowdfunding: # Replace with a single LFX Crowdfunding project-name e.g., cloud-foundry
-polar: # Replace with a single Polar username
-buy_me_a_coffee: # Replace with a single Buy Me a Coffee username
-thanks_dev: # Replace with a single thanks.dev username
-custom: https://yaak.app/pricing
@@ -1,18 +0,0 @@
-on:
-  pull_request:
-    branches: [develop]
-
-name: CI (JS)
-
-jobs:
-  test:
-    name: Lint/Test
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - uses: actions/setup-node@v4
-        with:
-          node-version: 20
-      - run: npm ci
-      - run: npm run lint
-      - run: npm test
@@ -1,36 +0,0 @@
-on:
-  pull_request:
-    branches: [develop]
-    paths:
-      - src-tauri/**
-      - .github/workflows/**
-
-name: CI (Rust)
-
-defaults:
-  run:
-    working-directory: src-tauri
-
-jobs:
-  test:
-    name: Check/Test
-    runs-on: ubuntu-latest
-    steps:
-      - uses: actions/checkout@v4
-      - run: |
-          sudo apt-get update
-          sudo apt-get install -y libwebkit2gtk-4.1-dev
-      - uses: dtolnay/rust-toolchain@stable
-      - uses: actions/cache@v3
-        continue-on-error: false
-        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            target/
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: ${{ runner.os }}-cargo-
-      - run: cargo check --all
-      - run: cargo test --all
@@ -0,0 +1,31 @@
+on:
+  pull_request:
+  push:
+    branches:
+      - main
+
+name: Lint and Test
+permissions:
+  contents: read
+
+jobs:
+  test:
+    name: Lint/Test
+    runs-on: macos-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-node@v4
+      - uses: dtolnay/rust-toolchain@stable
+      - uses: Swatinem/rust-cache@v2
+        with:
+          workspaces: 'src-tauri'
+          shared-key: ci
+          cache-on-failure: true
+
+      - run: npm ci
+      - run: npm run lint
+      - name: Run JS Tests
+        run: npm test
+      - name: Run Rust Tests
+        run: cargo test --all
+        working-directory: src-tauri
@@ -16,15 +16,34 @@ jobs:
          - platform: 'macos-latest' # for Arm-based Macs (M1 and above).
            args: '--target aarch64-apple-darwin'
            yaak_arch: 'arm64'
+            os: 'macos'
+            targets: 'aarch64-apple-darwin'
          - platform: 'macos-latest' # for Intel-based Macs.
            args: '--target x86_64-apple-darwin'
            yaak_arch: 'x64'
+            os: 'macos'
+            targets: 'x86_64-apple-darwin'
          - platform: 'ubuntu-22.04'
            args: ''
            yaak_arch: 'x64'
+            os: 'ubuntu'
+            targets: ''
+          - platform: 'ubuntu-22.04-arm'
+            args: ''
+            yaak_arch: 'arm64'
+            os: 'ubuntu'
+            targets: ''
          - platform: 'windows-latest'
            args: ''
            yaak_arch: 'x64'
+            os: 'windows'
+            targets: ''
+          # Windows ARM64
+          - platform: 'windows-latest'
+            args: '--target aarch64-pc-windows-msvc'
+            yaak_arch: 'arm64'
+            os: 'windows'
+            targets: 'aarch64-pc-windows-msvc'
    runs-on: ${{ matrix.platform }}
    timeout-minutes: 40
    steps:
@@ -33,50 +52,49 @@ jobs:

      - name: Setup Node
        uses: actions/setup-node@v4
-        with:
-          node-version: 22

      - name: install Rust stable
        uses: dtolnay/rust-toolchain@stable
        with:
-          # Those targets are only used on macos runners so it's in an `if` to slightly speed up windows and linux builds.
-          targets: ${{ matrix.platform == 'macos-latest' && 'aarch64-apple-darwin,x86_64-apple-darwin' || '' }}
+          targets: ${{ matrix.targets }}

-      - uses: actions/cache@v3
-        continue-on-error: false
+      - uses: Swatinem/rust-cache@v2
        with:
-          path: |
-            ~/.cargo/bin/
-            ~/.cargo/registry/index/
-            ~/.cargo/registry/cache/
-            ~/.cargo/git/db/
-            src-tauri/target/
-          key: ${{ runner.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
-          restore-keys: ${{ runner.os }}-cargo-
+          workspaces: 'src-tauri'
+          shared-key: ci
+          cache-on-failure: true

-      - name: install dependencies (ubuntu only)
-        if: matrix.platform == 'ubuntu-22.04' # This must match the platform value defined above.
+      - name: install dependencies (Linux only)
+        if: matrix.os == 'ubuntu'
        run: |
          sudo apt-get update
-          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf
-
-      - name: install dependencies (windows only)
-        if: matrix.platform == 'windows-latest'
-        run: cargo install --force trusted-signing-cli --version 0.5.0
-
-      - name: Install NPM Dependencies
-        run: npm ci
+          sudo apt-get install -y libwebkit2gtk-4.1-dev libappindicator3-dev librsvg2-dev patchelf xdg-utils

      - name: Install Protoc for plugin-runtime
        uses: arduino/setup-protoc@v3
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}

-      - name: Run JS build
-        run: npm run build
+      - name: Install trusted-signing-cli (Windows only)
+        if: matrix.os == 'windows'
+        shell: pwsh
+        run: |
+          $ErrorActionPreference = 'Stop'
+          $dir = "$env:USERPROFILE\trusted-signing"
+          New-Item -ItemType Directory -Force -Path $dir | Out-Null
+          $url = "https://github.com/Levminer/trusted-signing-cli/releases/download/0.8.0/trusted-signing-cli.exe"
+          $exe = Join-Path $dir "trusted-signing-cli.exe"
+          Invoke-WebRequest -Uri $url -OutFile $exe
+          echo $dir >> $env:GITHUB_PATH
+          & $exe --version

-      - name: Run lint
-        run: npm run lint
+      - run: npm ci
+      - run: npm run lint
+      - name: Run JS Tests
+        run: npm test
+      - name: Run Rust Tests
+        run: cargo test --all
+        working-directory: src-tauri

      - name: Set version
        run: npm run replace-version
@@ -93,21 +111,21 @@ jobs:
          TAURI_SIGNING_PRIVATE_KEY_PASSWORD: ${{ secrets.TAURI_KEY_PASSWORD }}

          # Apple signing stuff
-          APPLE_CERTIFICATE: ${{ matrix.platform == 'macos-latest' && secrets.APPLE_CERTIFICATE }}
-          APPLE_CERTIFICATE_PASSWORD: ${{ matrix.platform == 'macos-latest' && secrets.APPLE_CERTIFICATE_PASSWORD }}
-          APPLE_ID: ${{ matrix.platform == 'macos-latest' && secrets.APPLE_ID }}
-          APPLE_PASSWORD: ${{ matrix.platform == 'macos-latest' && secrets.APPLE_PASSWORD }}
-          APPLE_SIGNING_IDENTITY: ${{ matrix.platform == 'macos-latest' && secrets.APPLE_SIGNING_IDENTITY }}
-          APPLE_TEAM_ID: ${{ matrix.platform == 'macos-latest' && secrets.APPLE_TEAM_ID }}
+          APPLE_CERTIFICATE: ${{ matrix.os == 'macos' && secrets.APPLE_CERTIFICATE }}
+          APPLE_CERTIFICATE_PASSWORD: ${{ matrix.os == 'macos' && secrets.APPLE_CERTIFICATE_PASSWORD }}
+          APPLE_ID: ${{ matrix.os == 'macos' && secrets.APPLE_ID }}
+          APPLE_PASSWORD: ${{ matrix.os == 'macos' && secrets.APPLE_PASSWORD }}
+          APPLE_SIGNING_IDENTITY: ${{ matrix.os == 'macos' && secrets.APPLE_SIGNING_IDENTITY }}
+          APPLE_TEAM_ID: ${{ matrix.os == 'macos' && secrets.APPLE_TEAM_ID }}

          # Windows signing stuff
-          AZURE_CLIENT_ID: ${{ matrix.platform == 'windows-latest' && secrets.AZURE_CLIENT_ID }}
-          AZURE_CLIENT_SECRET: ${{ matrix.platform == 'windows-latest' && secrets.AZURE_CLIENT_SECRET }}
-          AZURE_TENANT_ID: ${{ matrix.platform == 'windows-latest' && secrets.AZURE_TENANT_ID }}
+          AZURE_CLIENT_ID: ${{ matrix.os == 'windows' && secrets.AZURE_CLIENT_ID }}
+          AZURE_CLIENT_SECRET: ${{ matrix.os == 'windows' && secrets.AZURE_CLIENT_SECRET }}
+          AZURE_TENANT_ID: ${{ matrix.os == 'windows' && secrets.AZURE_TENANT_ID }}
        with:
          tagName: 'v__VERSION__'
          releaseName: 'Release __VERSION__'
          releaseBody: '[Changelog __VERSION__](https://yaak.app/blog/__VERSION__)'
          releaseDraft: true
-          prerelease: false
-          args: ${{ matrix.args }}
+          prerelease: true
+          args: '${{ matrix.args }} --config ./src-tauri/tauri.release.conf.json'
@@ -0,0 +1,44 @@
+name: Generate Sponsors README
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: 30 15 * * 0-6
+permissions:
+  contents: write
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout 🛎️
+        uses: actions/checkout@v2
+
+      - name: Generate Sponsors
+        uses: JamesIves/github-sponsors-readme-action@v1
+        with:
+          token: ${{ secrets.SPONSORS_PAT }}
+          file: 'README.md'
+          maximum: 1999
+          template: '<a href="https://github.com/{{{ login }}}"><img src="{{{ avatarUrl }}}" width="50px" alt="User avatar: {{{ login }}}" /></a>&nbsp;&nbsp;'
+          active-only: false
+          include-private: true
+          marker: 'sponsors-base'
+
+      - name: Generate Sponsors
+        uses: JamesIves/github-sponsors-readme-action@v1
+        with:
+          token: ${{ secrets.SPONSORS_PAT }}
+          file: 'README.md'
+          minimum: 2000
+          template: '<a href="https://github.com/{{{ login }}}"><img src="{{{ avatarUrl }}}" width="80px" alt="User avatar: {{{ login }}}" /></a>&nbsp;&nbsp;'
+          active-only: false
+          include-private: true
+          marker: 'sponsors-premium'
+
+      # ⚠️ Note: You can use any deployment step here to automatically push the README
+      # changes back to your branch.
+      - name: Commit Changes
+        uses: JamesIves/github-pages-deploy-action@v4
+        with:
+          branch: main
+          force: false
+          folder: '.'
@@ -15,6 +15,8 @@ dist-ssr
 # Editor directories and files
 .vscode/*
 !.vscode/extensions.json
+!.vscode/settings.json
+!.vscode/launch.json
 .idea
 .DS_Store
 *.suo
@@ -23,6 +25,7 @@ dist-ssr
 *.sln
 *.sw?
 .eslintcache
+out

 *.sqlite
 *.sqlite-*
@@ -31,3 +34,5 @@ dist-ssr

 .tmp
 tmp
+.zed
+codebook.toml
@@ -1,4 +0,0 @@
-node_modules/
-dist/
-out/
-.prettierrc.cjs
@@ -1,8 +0,0 @@
-export default {
-  "trailingComma": "all",
-  "tabWidth": 2,
-  "semi": true,
-  "singleQuote": true,
-  "printWidth": 100,
-  "bracketSpacing": true
-}
@@ -0,0 +1,3 @@
+{
+  "recommendations": ["biomejs.biome", "rust-lang.rust-analyzer", "bradlc.vscode-tailwindcss"]
+}
@@ -0,0 +1,26 @@
+{
+  "version": "0.2.0",
+  "configurations": [
+    {
+      "type": "node",
+      "request": "launch",
+      "name": "Dev App",
+      "runtimeExecutable": "npm",
+      "runtimeArgs": ["run", "start"]
+    },
+    {
+      "type": "node",
+      "request": "launch",
+      "name": "Build App",
+      "runtimeExecutable": "npm",
+      "runtimeArgs": ["run", "start"]
+    },
+    {
+      "type": "node",
+      "request": "launch",
+      "name": "Bootstrap",
+      "runtimeExecutable": "npm",
+      "runtimeArgs": ["run", "bootstrap"]
+    }
+  ]
+}
@@ -0,0 +1,6 @@
+{
+  "editor.defaultFormatter": "biomejs.biome",
+  "editor.formatOnSave": true,
+  "biome.enabled": true,
+  "biome.lint.format.enable": true
+}
@@ -50,15 +50,39 @@ New migrations can be created from the `src-tauri/` directory:
 npm run migration
 ```

-Run the app to apply the migrations. 
+Rerun the app to apply the migrations. 

-If nothing happens, try `cargo clean` and run the app again.
+_Note: For safety, development builds use a separate database location from production builds._

-_Note: Development builds use a separate database location from production builds._
-
-## Lezer Grammer Generation
+## Lezer Grammar Generation

 ```sh
 # Example
 lezer-generator components/core/Editor/<LANG>/<LANG>.grammar > components/core/Editor/<LANG>/<LANG>.ts
 ```
+
+## Linting & Formatting
+
+This repo uses Biome for linting and formatting (replacing ESLint + Prettier).
+
+- Lint the entire repo:
+
+```sh
+npm run lint
+```
+
+- Auto-fix lint issues where possible:
+
+```sh
+npm run lint:fix
+```
+
+- Format code:
+
+```sh
+npm run format
+```
+
+Notes:
+- Many workspace packages also expose the same scripts (`lint`, `lint:fix`, and `format`).
+- TypeScript type-checking still runs separately via `tsc --noEmit` in relevant packages.
@@ -1,34 +1,70 @@
-# Yaak API Client
+<p align="center">
+  <a href="https://github.com/JamesIves/github-sponsors-readme-action">
+    <img width="200px" src="https://github.com/mountain-loop/yaak/raw/main/src-tauri/icons/icon.png">
+  </a>
+</p>

-Yaak is a desktop API client for interacting with REST, GraphQL, Server Sent Events (SSE), WebSocket, and gRPC
-APIs. It's built using [Tauri](https://tauri.app), Rust, and ReactJS.
+<h1 align="center">
+  💫 Yaak ➟ Desktop API Client 💫
+</h1>
+
+<p align="center">
+    A fast, privacy-first API client for REST, GraphQL, SSE, WebSocket, and gRPC – built with Tauri, Rust, and React.
+</p>
+<p align="center">
+ Development is funded by community-purchased <a href="https://yaak.app/pricing">licenses</a>. You can also <a href="https://github.com/sponsors/gschier">become a sponsor</a> to have your logo appear below. 💖
+</p>
+<br>
+
+
+
+<p align="center">
+  <!-- sponsors-premium --><a href="https://github.com/MVST-Solutions"><img src="https:&#x2F;&#x2F;github.com&#x2F;MVST-Solutions.png" width="80px" alt="User avatar: MVST-Solutions" /></a>&nbsp;&nbsp;<a href="https://github.com/dharsanb"><img src="https:&#x2F;&#x2F;github.com&#x2F;dharsanb.png" width="80px" alt="User avatar: dharsanb" /></a>&nbsp;&nbsp;<a href="https://github.com/railwayapp"><img src="https:&#x2F;&#x2F;github.com&#x2F;railwayapp.png" width="80px" alt="User avatar: railwayapp" /></a>&nbsp;&nbsp;<a href="https://github.com/caseyamcl"><img src="https:&#x2F;&#x2F;github.com&#x2F;caseyamcl.png" width="80px" alt="User avatar: caseyamcl" /></a>&nbsp;&nbsp;<a href="https://github.com/"><img src="https:&#x2F;&#x2F;raw.githubusercontent.com&#x2F;JamesIves&#x2F;github-sponsors-readme-action&#x2F;dev&#x2F;.github&#x2F;assets&#x2F;placeholder.png" width="80px" alt="User avatar: " /></a>&nbsp;&nbsp;<!-- sponsors-premium -->
+</p>
+<p align="center">
+  <!-- sponsors-base --><a href="https://github.com/seanwash"><img src="https:&#x2F;&#x2F;github.com&#x2F;seanwash.png" width="50px" alt="User avatar: seanwash" /></a>&nbsp;&nbsp;<a href="https://github.com/jerath"><img src="https:&#x2F;&#x2F;github.com&#x2F;jerath.png" width="50px" alt="User avatar: jerath" /></a>&nbsp;&nbsp;<a href="https://github.com/itsa-sh"><img src="https:&#x2F;&#x2F;github.com&#x2F;itsa-sh.png" width="50px" alt="User avatar: itsa-sh" /></a>&nbsp;&nbsp;<a href="https://github.com/dmmulroy"><img src="https:&#x2F;&#x2F;github.com&#x2F;dmmulroy.png" width="50px" alt="User avatar: dmmulroy" /></a>&nbsp;&nbsp;<a href="https://github.com/timcole"><img src="https:&#x2F;&#x2F;github.com&#x2F;timcole.png" width="50px" alt="User avatar: timcole" /></a>&nbsp;&nbsp;<a href="https://github.com/VLZH"><img src="https:&#x2F;&#x2F;github.com&#x2F;VLZH.png" width="50px" alt="User avatar: VLZH" /></a>&nbsp;&nbsp;<a href="https://github.com/terasaka2k"><img src="https:&#x2F;&#x2F;github.com&#x2F;terasaka2k.png" width="50px" alt="User avatar: terasaka2k" /></a>&nbsp;&nbsp;<a href="https://github.com/andriyor"><img src="https:&#x2F;&#x2F;github.com&#x2F;andriyor.png" width="50px" alt="User avatar: andriyor" /></a>&nbsp;&nbsp;<a href="https://github.com/majudhu"><img src="https:&#x2F;&#x2F;github.com&#x2F;majudhu.png" width="50px" alt="User avatar: majudhu" /></a>&nbsp;&nbsp;<a href="https://github.com/axelrindle"><img src="https:&#x2F;&#x2F;github.com&#x2F;axelrindle.png" width="50px" alt="User avatar: axelrindle" /></a>&nbsp;&nbsp;<a href="https://github.com/jirizverina"><img src="https:&#x2F;&#x2F;github.com&#x2F;jirizverina.png" width="50px" alt="User avatar: jirizverina" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="50px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<a href="https://github.com/GRAYAH"><img src="https:&#x2F;&#x2F;github.com&#x2F;GRAYAH.png" width="50px" alt="User avatar: GRAYAH" /></a>&nbsp;&nbsp;<!-- sponsors-base -->
+</p>
+
+![Yaak API Client](https://yaak.app/static/screenshot.png)
+
+
+## Features
+
+Yaak is an offline-first API client designed to stay out of your way while giving you everything you need when you need it. 
+Built with [Tauri](https://tauri.app), Rust, and React, it’s fast, lightweight, and private. No telemetry, no VC funding, and no cloud lock-in.  
+
+
+### 🌐 Work with any API
+
+- Import collections from Postman, Insomnia, OpenAPI, Swagger, or Curl.
+- Send requests via REST, GraphQL, gRPC, WebSocket, or Server-Sent Events.
+- Filter and inspect responses with JSONPath or XPath.
+
+### 🔐 Stay secure
+- Use OAuth 2.0, JWT, Basic Auth, or custom plugins for authentication.
+- Secure sensitive values with encrypted secrets. 
+- Store secrets in your OS keychain.
+
+### ☁️ Organize & collaborate
+- Group requests into workspaces and nested folders.
+- Use environment variables to switch between dev, staging, and prod.
+- Mirror workspaces to your filesystem for versioning in Git or syncing with Dropbox.
+
+### 🧩 Extend & customize
+- Insert dynamic values like UUIDs or timestamps with template tags.
+- Pick from built-in themes or build your own.
+- Create plugins to extend authentication, template tags, or the UI.

-![366149288-f18e963f-0b68-4ecb-b8b8-cb71aa9aec02](https://github.com/user-attachments/assets/ca83b7ad-5708-411b-8faf-e36b365841a4)

 ## Contribution Policy

-Yaak is open source, but only accepting contributions for bug fixes. To get started, 
+Yaak is open source but only accepting contributions for bug fixes. To get started, 
 visit [`DEVELOPMENT.md`](DEVELOPMENT.md) for tips on setting up your environment.

-## Feature Overview
-
- 🪂 Import data from Postman, Insomnia, OpenAPI, Swagger, or Curl.<br/>
- 📤 Send requests via REST, GraphQL, Server Sent Events (SSE), WebSockets, or gRPC.<br/>
- 🔐 Automatically authorize requests with OAuth 2.0, JWT tokens, Basic Auth, and more.<br/>
- 🔎 Filter response bodies using JSONPath or XPath queries.<br/>
- ⛓️ Chain together multiple requests to dynamically reference values.<br/>
- 📂 Organize requests into workspaces and nested folders.<br/>
- 🧮 Use environment variables to easily switch between Prod and Dev.<br/>
- 🛡️ Secure arbitrary text values with end-to-end encryption<br/>
- 🏷️ Send dynamic values like UUIDs or timestamps using template tags.<br/>
- 🎨 Choose from many of the included themes, or make your own.<br/>
- 💽 Mirror workspace data to a directory for integration with Git or Dropbox.<br/>
- 📜 View response history for each request.<br/>
- 🔌 Create your own plugins for authentication, template tags, and more!<br/>
- 🛜 Configure a proxy to access firewall-blocked APIs
-
 ## Useful Resources

 - [Feedback and Bug Reports](https://feedback.yaak.app)
 - [Documentation](https://feedback.yaak.app/help)
- [Yaak vs Postman](https://yaak.app/blog/postman-alternative)
+- [Yaak vs Postman](https://yaak.app/alternatives/postman)
+- [Yaak vs Bruno](https://yaak.app/alternatives/bruno)
+- [Yaak vs Insomnia](https://yaak.app/alternatives/insomnia)
@@ -0,0 +1,51 @@
+{
+  "$schema": "https://biomejs.dev/schemas/2.3.7/schema.json",
+  "linter": {
+    "enabled": true,
+    "rules": {
+      "recommended": true,
+      "a11y": {
+        "useKeyWithClickEvents": "off"
+      }
+    }
+  },
+  "formatter": {
+    "enabled": true,
+    "indentStyle": "space",
+    "indentWidth": 2,
+    "lineWidth": 100,
+    "bracketSpacing": true
+  },
+  "css": {
+    "parser": {
+      "tailwindDirectives": true
+    },
+    "linter": {
+      "enabled": false
+    }
+  },
+  "javascript": {
+    "formatter": {
+      "quoteStyle": "single",
+      "jsxQuoteStyle": "double",
+      "trailingCommas": "all",
+      "semicolons": "always"
+    }
+  },
+  "files": {
+    "includes": [
+      "**",
+      "!**/node_modules",
+      "!**/dist",
+      "!**/build",
+      "!scripts",
+      "!packages/plugin-runtime",
+      "!packages/plugin-runtime-types",
+      "!src-tauri",
+      "!src-web/tailwind.config.cjs",
+      "!src-web/postcss.config.cjs",
+      "!src-web/vite.config.ts",
+      "!src-web/routeTree.gen.ts"
+    ]
+  }
+}
@@ -7,33 +7,46 @@
    "url": "git+https://github.com/mountain-loop/yaak.git"
  },
  "workspaces": [
+    "packages/common-lib",
    "packages/plugin-runtime",
    "packages/plugin-runtime-types",
-    "packages/common-lib",
+    "plugins/action-copy-curl",
+    "plugins/action-copy-grpcurl",
+    "plugins/auth-apikey",
+    "plugins/auth-aws",
    "plugins/auth-basic",
    "plugins/auth-bearer",
    "plugins/auth-jwt",
+    "plugins/auth-ntlm",
    "plugins/auth-oauth2",
-    "plugins/exporter-curl",
+    "plugins/auth-oauth1",
    "plugins/filter-jsonpath",
    "plugins/filter-xpath",
    "plugins/importer-curl",
    "plugins/importer-insomnia",
    "plugins/importer-openapi",
    "plugins/importer-postman",
+    "plugins/importer-postman-environment",
    "plugins/importer-yaak",
+    "plugins/template-function-1password",
    "plugins/template-function-cookie",
+    "plugins/template-function-ctx",
    "plugins/template-function-encode",
    "plugins/template-function-fs",
    "plugins/template-function-hash",
    "plugins/template-function-json",
    "plugins/template-function-prompt",
+    "plugins/template-function-random",
    "plugins/template-function-regex",
-    "plugins/template-function-request",
-    "plugins/template-function-response",
+    "plugins/template-function-timestamp",
    "plugins/template-function-uuid",
    "plugins/template-function-xml",
+    "plugins/template-function-request",
+    "plugins/template-function-response",
+    "plugins/themes-yaak",
+    "src-tauri",
    "src-tauri/yaak-crypto",
+    "src-tauri/yaak-fonts",
    "src-tauri/yaak-git",
    "src-tauri/yaak-license",
    "src-tauri/yaak-mac-window",
@@ -48,38 +61,39 @@
  "scripts": {
    "start": "npm run app-dev",
    "app-build": "tauri build",
-    "app-dev": "tauri dev --no-watch --config ./src-tauri/tauri-dev.conf.json",
+    "app-dev": "tauri dev --no-watch --config ./src-tauri/tauri.development.conf.json",
    "migration": "node scripts/create-migration.cjs",
    "build": "npm run --workspaces --if-present build",
    "build-plugins": "npm run --workspaces --if-present build",
-    "bootstrap": "run-p bootstrap:* && npm run --workspaces --if-present bootstrap",
-    "bootstrap:vendor-node": "node scripts/vendor-node.cjs",
-    "bootstrap:vendor-plugins": "node scripts/vendor-plugins.cjs",
-    "bootstrap:vendor-protoc": "node scripts/vendor-protoc.cjs",
-    "lint": "npm run --workspaces --if-present lint",
+    "test": "npm run --workspaces --if-present test",
+    "icons": "run-p icons:*",
+    "icons:dev": "tauri icon src-tauri/icons/icon-dev.png --output src-tauri/icons/dev",
+    "icons:release": "tauri icon src-tauri/icons/icon.png --output src-tauri/icons/release",
+    "bootstrap": "run-s bootstrap:*",
+    "bootstrap:install-wasm-pack": "node scripts/install-wasm-pack.cjs",
+    "bootstrap:build": "npm run build",
+    "bootstrap:vendor": "npm run vendor",
+    "vendor": "run-p vendor:*",
+    "vendor:vendor-plugins": "node scripts/vendor-plugins.cjs",
+    "vendor:vendor-protoc": "node scripts/vendor-protoc.cjs",
+    "vendor:vendor-node": "node scripts/vendor-node.cjs",
+    "lint": "run-p lint:*",
+    "lint:biome": "biome lint",
+    "lint:extra": "npm run --workspaces --if-present lint",
+    "format": "biome format --write .",
    "replace-version": "node scripts/replace-version.cjs",
    "tauri": "tauri",
-    "tauri-before-build": "npm run bootstrap && npm run --workspaces --if-present build",
+    "tauri-before-build": "npm run bootstrap",
    "tauri-before-dev": "workspaces-run --parallel -- npm run --workspaces --if-present dev"
  },
-  "dependencies": {
-    "jotai": "^2.12.2"
-  },
  "devDependencies": {
-    "@tauri-apps/cli": "2.4.1",
-    "@typescript-eslint/eslint-plugin": "^8.27.0",
-    "@typescript-eslint/parser": "^8.27.0",
-    "@yaakapp/cli": "^0.1.5",
-    "eslint": "^8",
-    "eslint-config-prettier": "^8",
-    "eslint-plugin-import": "^2.31.0",
-    "eslint-plugin-jsx-a11y": "^6.10.2",
-    "eslint-plugin-react": "^7.37.2",
-    "eslint-plugin-react-hooks": "^5.1.0",
+    "@biomejs/biome": "^2.3.7",
+    "@tauri-apps/cli": "^2.9.6",
+    "@yaakapp/cli": "^0.3.4",
    "nodejs-file-downloader": "^4.13.0",
    "npm-run-all": "^4.1.5",
-    "prettier": "^3.4.2",
    "typescript": "^5.8.3",
+    "vitest": "^3.2.4",
    "workspaces-run": "^1.0.2"
  }
 }
@@ -1,12 +1,12 @@
-// eslint-disable-next-line @typescript-eslint/no-explicit-any
+// biome-ignore lint/suspicious/noExplicitAny: none
 export function debounce(fn: (...args: any[]) => void, delay = 500) {
  let timer: ReturnType<typeof setTimeout>;
-  // eslint-disable-next-line @typescript-eslint/no-explicit-any
-  const result = function (...args: any[]) {
+  // biome-ignore lint/suspicious/noExplicitAny: none
+  const result = (...args: any[]) => {
    clearTimeout(timer);
    timer = setTimeout(() => fn(...args), delay);
  };
-  result.cancel = function () {
+  result.cancel = () => {
    clearTimeout(timer);
  };
  return result;
@@ -1,20 +1,20 @@
 export function formatSize(bytes: number): string {
-    let num;
-    let unit;
+  let num: number;
+  let unit: string;

-    if (bytes > 1000 * 1000 * 1000) {
-        num = bytes / 1000 / 1000 / 1000;
-        unit = 'GB';
-    } else if (bytes > 1000 * 1000) {
-        num = bytes / 1000 / 1000;
-        unit = 'MB';
-    } else if (bytes > 1000) {
-        num = bytes / 1000;
-        unit = 'KB';
-    } else {
-        num = bytes;
-        unit = 'B';
-    }
+  if (bytes > 1000 * 1000 * 1000) {
+    num = bytes / 1000 / 1000 / 1000;
+    unit = 'GB';
+  } else if (bytes > 1000 * 1000) {
+    num = bytes / 1000 / 1000;
+    unit = 'MB';
+  } else if (bytes > 1000) {
+    num = bytes / 1000;
+    unit = 'KB';
+  } else {
+    num = bytes;
+    unit = 'B';
+  }

-    return `${Math.round(num * 10) / 10} ${unit}`;
+  return `${Math.round(num * 10) / 10} ${unit}`;
 }
@@ -1 +1,3 @@
 export * from './debounce';
+export * from './formatSize';
+export * from './templateFunction';
@@ -0,0 +1,49 @@
+import type {
+  CallTemplateFunctionArgs,
+  JsonPrimitive,
+  TemplateFunctionArg,
+} from '@yaakapp-internal/plugins';
+
+export function validateTemplateFunctionArgs(
+  fnName: string,
+  args: TemplateFunctionArg[],
+  values: CallTemplateFunctionArgs['values'],
+): string | null {
+  for (const arg of args) {
+    if ('inputs' in arg && arg.inputs) {
+      // Recurse down
+      const err = validateTemplateFunctionArgs(fnName, arg.inputs, values);
+      if (err) return err;
+    }
+    if (!('name' in arg)) continue;
+    if (arg.optional) continue;
+    if (arg.defaultValue != null) continue;
+    if (arg.hidden) continue;
+    if (values[arg.name] != null) continue;
+
+    return `Missing required argument "${arg.label || arg.name}" for template function ${fnName}()`;
+  }
+
+  return null;
+}
+
+/** Recursively apply form input defaults to a set of values */
+export function applyFormInputDefaults(
+  inputs: TemplateFunctionArg[],
+  values: { [p: string]: JsonPrimitive | undefined },
+) {
+  let newValues: { [p: string]: JsonPrimitive | undefined } = { ...values };
+  for (const input of inputs) {
+    if ('defaultValue' in input && values[input.name] === undefined) {
+      newValues[input.name] = input.defaultValue;
+    }
+    if (input.type === 'checkbox' && values[input.name] === undefined) {
+      newValues[input.name] = false;
+    }
+    // Recurse down to all child inputs
+    if ('inputs' in input) {
+      newValues = applyFormInputDefaults(input.inputs ?? [], newValues);
+    }
+  }
+  return newValues;
+}
@@ -0,0 +1,28 @@
+# Yaak Plugin API
+
+Yaak is a desktop [API client](https://yaak.app/blog/yet-another-api-client) for
+interacting with REST, GraphQL, Server Sent Events (SSE), WebSocket, and gRPC APIs. It's
+built using Tauri, Rust, and ReactJS.
+
+Plugins can be created in TypeScript, which are executed alongside Yaak in a NodeJS
+runtime. This package contains the TypeScript type definitions required to make building
+Yaak plugins a breeze.
+
+## Quick Start
+
+The easiest way to get started is by generating a plugin with the Yaak CLI:
+
+```shell
+npx @yaakapp/cli generate
+```
+
+For more details on creating plugins, check out
+the [Quick Start Guide](https://feedback.yaak.app/help/articles/6911763-plugins-quick-start)
+
+## Installation
+
+If you prefer starting from scratch, manually install the types package:
+
+```shell
+npm install -D @yaakapp/api
+```
@@ -1,6 +1,20 @@
 {
  "name": "@yaakapp/api",
-  "version": "0.6.0",
+  "version": "0.7.1",
+  "keywords": [
+    "api-client",
+    "insomnia-alternative",
+    "bruno-alternative",
+    "postman-alternative"
+  ],
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mountain-loop/yaak"
+  },
+  "bugs": {
+    "url": "https://feedback.yaak.app"
+  },
+  "homepage": "https://yaak.app",
  "main": "lib/index.js",
  "typings": "./lib/index.d.ts",
  "files": [
@@ -17,7 +31,7 @@
    "prepublishOnly": "npm run build"
  },
  "dependencies": {
-    "@types/node": "^22.5.4"
+    "@types/node": "^24.0.13"
  },
  "devDependencies": {
    "cpy-cli": "^5.0.0"
@@ -0,0 +1,8 @@
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+import type { PluginVersion } from "./gen_search";
+
+export type PluginNameVersion = { name: string, version: string, };
+
+export type PluginSearchResponse = { plugins: Array<PluginVersion>, };
+
+export type PluginUpdatesResponse = { plugins: Array<PluginNameVersion>, };
@@ -1,10 +1,12 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
-import type { Environment, Folder, GrpcRequest, HttpRequest, HttpResponse, WebsocketRequest, Workspace } from "./gen_models.js";
-import type { JsonValue } from "./serde_json/JsonValue.js";
+import type { Environment, Folder, GrpcRequest, HttpRequest, HttpResponse, WebsocketRequest, Workspace } from "./gen_models";
+import type { JsonValue } from "./serde_json/JsonValue";

 export type BootRequest = { dir: string, watch: boolean, };

-export type BootResponse = { name: string, version: string, };
+export type CallGrpcRequestActionArgs = { grpcRequest: GrpcRequest, protoFiles: Array<string>, };
+
+export type CallGrpcRequestActionRequest = { index: number, pluginRefId: string, args: CallGrpcRequestActionArgs, };

 export type CallHttpAuthenticationActionArgs = { contextId: string, values: { [key in string]?: JsonPrimitive }, };

@@ -17,17 +19,22 @@ export type CallHttpAuthenticationResponse = {
 * HTTP headers to add to the request. Existing headers will be replaced, while
 * new headers will be added.
 */
-setHeaders: Array<HttpHeader>, };
+setHeaders?: Array<HttpHeader>, 
+/**
+ * Query parameters to add to the request. Existing params will be replaced, while
+ * new params will be added.
+ */
+setQueryParameters?: Array<HttpHeader>, };

 export type CallHttpRequestActionArgs = { httpRequest: HttpRequest, };

 export type CallHttpRequestActionRequest = { index: number, pluginRefId: string, args: CallHttpRequestActionArgs, };

-export type CallTemplateFunctionArgs = { purpose: RenderPurpose, values: { [key in string]?: JsonValue }, };
+export type CallTemplateFunctionArgs = { purpose: RenderPurpose, values: { [key in string]?: JsonPrimitive }, };

 export type CallTemplateFunctionRequest = { name: string, args: CallTemplateFunctionArgs, };

-export type CallTemplateFunctionResponse = { value: string | null, };
+export type CallTemplateFunctionResponse = { value: string | null, error?: string, };

 export type CloseWindowRequest = { label: string, };

@@ -61,13 +68,13 @@ extensions: Array<string>, };

 export type FilterRequest = { content: string, filter: string, };

-export type FilterResponse = { content: string, };
+export type FilterResponse = { content: string, error?: string, };

 export type FindHttpResponsesRequest = { requestId: string, limit?: number, };

 export type FindHttpResponsesResponse = { httpResponses: Array<HttpResponse>, };

-export type FormInput = { "type": "text" } & FormInputText | { "type": "editor" } & FormInputEditor | { "type": "select" } & FormInputSelect | { "type": "checkbox" } & FormInputCheckbox | { "type": "file" } & FormInputFile | { "type": "http_request" } & FormInputHttpRequest | { "type": "accordion" } & FormInputAccordion | { "type": "banner" } & FormInputBanner | { "type": "markdown" } & FormInputMarkdown;
+export type FormInput = { "type": "text" } & FormInputText | { "type": "editor" } & FormInputEditor | { "type": "select" } & FormInputSelect | { "type": "checkbox" } & FormInputCheckbox | { "type": "file" } & FormInputFile | { "type": "http_request" } & FormInputHttpRequest | { "type": "accordion" } & FormInputAccordion | { "type": "h_stack" } & FormInputHStack | { "type": "banner" } & FormInputBanner | { "type": "markdown" } & FormInputMarkdown;

 export type FormInputAccordion = { label: string, inputs?: Array<FormInput>, hidden?: boolean, };

@@ -217,6 +224,8 @@ defaultValue?: string, disabled?: boolean,
 */
 description?: string, };

+export type FormInputHStack = { inputs?: Array<FormInput>, hidden?: boolean, };
+
 export type FormInputHttpRequest = { 
 /**
 * The name of the input. The value will be stored at this object attribute in the resulting data
@@ -336,14 +345,14 @@ export type GetCookieValueRequest = { name: string, };

 export type GetCookieValueResponse = { value: string | null, };

+export type GetGrpcRequestActionsResponse = { actions: Array<GrpcRequestAction>, pluginRefId: string, };
+
 export type GetHttpAuthenticationConfigRequest = { contextId: string, values: { [key in string]?: JsonPrimitive }, };

 export type GetHttpAuthenticationConfigResponse = { args: Array<FormInput>, pluginRefId: string, actions?: Array<HttpAuthenticationAction>, };

 export type GetHttpAuthenticationSummaryResponse = { name: string, label: string, shortLabel: string, };

-export type GetHttpRequestActionsRequest = Record<string, never>;
-
 export type GetHttpRequestActionsResponse = { actions: Array<HttpRequestAction>, pluginRefId: string, };

 export type GetHttpRequestByIdRequest = { id: string, };
@@ -354,7 +363,17 @@ export type GetKeyValueRequest = { key: string, };

 export type GetKeyValueResponse = { value?: string, };

-export type GetTemplateFunctionsResponse = { functions: Array<TemplateFunction>, pluginRefId: string, };
+export type GetTemplateFunctionConfigRequest = { contextId: string, name: string, values: { [key in string]?: JsonPrimitive }, };
+
+export type GetTemplateFunctionConfigResponse = { function: TemplateFunction, pluginRefId: string, };
+
+export type GetTemplateFunctionSummaryResponse = { functions: Array<TemplateFunction>, pluginRefId: string, };
+
+export type GetThemesRequest = Record<string, never>;
+
+export type GetThemesResponse = { themes: Array<Theme>, };
+
+export type GrpcRequestAction = { label: string, icon?: Icon, };

 export type HttpAuthenticationAction = { label: string, icon?: Icon, };

@@ -370,9 +389,9 @@ export type ImportResources = { workspaces: Array<Workspace>, environments: Arra

 export type ImportResponse = { resources: ImportResources, };

-export type InternalEvent = { id: string, pluginRefId: string, pluginName: string, replyId: string | null, windowContext: PluginWindowContext, payload: InternalEventPayload, };
+export type InternalEvent = { id: string, pluginRefId: string, pluginName: string, replyId: string | null, context: PluginContext, payload: InternalEventPayload, };

-export type InternalEventPayload = { "type": "boot_request" } & BootRequest | { "type": "boot_response" } & BootResponse | { "type": "reload_request" } & EmptyPayload | { "type": "reload_response" } & EmptyPayload | { "type": "terminate_request" } | { "type": "terminate_response" } | { "type": "import_request" } & ImportRequest | { "type": "import_response" } & ImportResponse | { "type": "filter_request" } & FilterRequest | { "type": "filter_response" } & FilterResponse | { "type": "export_http_request_request" } & ExportHttpRequestRequest | { "type": "export_http_request_response" } & ExportHttpRequestResponse | { "type": "send_http_request_request" } & SendHttpRequestRequest | { "type": "send_http_request_response" } & SendHttpRequestResponse | { "type": "list_cookie_names_request" } & ListCookieNamesRequest | { "type": "list_cookie_names_response" } & ListCookieNamesResponse | { "type": "get_cookie_value_request" } & GetCookieValueRequest | { "type": "get_cookie_value_response" } & GetCookieValueResponse | { "type": "get_http_request_actions_request" } & EmptyPayload | { "type": "get_http_request_actions_response" } & GetHttpRequestActionsResponse | { "type": "call_http_request_action_request" } & CallHttpRequestActionRequest | { "type": "get_template_functions_request" } | { "type": "get_template_functions_response" } & GetTemplateFunctionsResponse | { "type": "call_template_function_request" } & CallTemplateFunctionRequest | { "type": "call_template_function_response" } & CallTemplateFunctionResponse | { "type": "get_http_authentication_summary_request" } & EmptyPayload | { "type": "get_http_authentication_summary_response" } & GetHttpAuthenticationSummaryResponse | { "type": "get_http_authentication_config_request" } & GetHttpAuthenticationConfigRequest | { "type": "get_http_authentication_config_response" } & GetHttpAuthenticationConfigResponse | { "type": "call_http_authentication_request" } & CallHttpAuthenticationRequest | { "type": "call_http_authentication_response" } & CallHttpAuthenticationResponse | { "type": "call_http_authentication_action_request" } & CallHttpAuthenticationActionRequest | { "type": "call_http_authentication_action_response" } & EmptyPayload | { "type": "copy_text_request" } & CopyTextRequest | { "type": "copy_text_response" } & EmptyPayload | { "type": "render_http_request_request" } & RenderHttpRequestRequest | { "type": "render_http_request_response" } & RenderHttpRequestResponse | { "type": "get_key_value_request" } & GetKeyValueRequest | { "type": "get_key_value_response" } & GetKeyValueResponse | { "type": "set_key_value_request" } & SetKeyValueRequest | { "type": "set_key_value_response" } & SetKeyValueResponse | { "type": "delete_key_value_request" } & DeleteKeyValueRequest | { "type": "delete_key_value_response" } & DeleteKeyValueResponse | { "type": "open_window_request" } & OpenWindowRequest | { "type": "window_navigate_event" } & WindowNavigateEvent | { "type": "window_close_event" } | { "type": "close_window_request" } & CloseWindowRequest | { "type": "template_render_request" } & TemplateRenderRequest | { "type": "template_render_response" } & TemplateRenderResponse | { "type": "show_toast_request" } & ShowToastRequest | { "type": "show_toast_response" } & EmptyPayload | { "type": "prompt_text_request" } & PromptTextRequest | { "type": "prompt_text_response" } & PromptTextResponse | { "type": "get_http_request_by_id_request" } & GetHttpRequestByIdRequest | { "type": "get_http_request_by_id_response" } & GetHttpRequestByIdResponse | { "type": "find_http_responses_request" } & FindHttpResponsesRequest | { "type": "find_http_responses_response" } & FindHttpResponsesResponse | { "type": "empty_response" } & EmptyPayload | { "type": "error_response" } & ErrorResponse;
+export type InternalEventPayload = { "type": "boot_request" } & BootRequest | { "type": "boot_response" } | { "type": "reload_response" } & ReloadResponse | { "type": "terminate_request" } | { "type": "terminate_response" } | { "type": "import_request" } & ImportRequest | { "type": "import_response" } & ImportResponse | { "type": "filter_request" } & FilterRequest | { "type": "filter_response" } & FilterResponse | { "type": "export_http_request_request" } & ExportHttpRequestRequest | { "type": "export_http_request_response" } & ExportHttpRequestResponse | { "type": "send_http_request_request" } & SendHttpRequestRequest | { "type": "send_http_request_response" } & SendHttpRequestResponse | { "type": "list_cookie_names_request" } & ListCookieNamesRequest | { "type": "list_cookie_names_response" } & ListCookieNamesResponse | { "type": "get_cookie_value_request" } & GetCookieValueRequest | { "type": "get_cookie_value_response" } & GetCookieValueResponse | { "type": "get_http_request_actions_request" } & EmptyPayload | { "type": "get_http_request_actions_response" } & GetHttpRequestActionsResponse | { "type": "call_http_request_action_request" } & CallHttpRequestActionRequest | { "type": "get_grpc_request_actions_request" } & EmptyPayload | { "type": "get_grpc_request_actions_response" } & GetGrpcRequestActionsResponse | { "type": "call_grpc_request_action_request" } & CallGrpcRequestActionRequest | { "type": "get_template_function_summary_request" } & EmptyPayload | { "type": "get_template_function_summary_response" } & GetTemplateFunctionSummaryResponse | { "type": "get_template_function_config_request" } & GetTemplateFunctionConfigRequest | { "type": "get_template_function_config_response" } & GetTemplateFunctionConfigResponse | { "type": "call_template_function_request" } & CallTemplateFunctionRequest | { "type": "call_template_function_response" } & CallTemplateFunctionResponse | { "type": "get_http_authentication_summary_request" } & EmptyPayload | { "type": "get_http_authentication_summary_response" } & GetHttpAuthenticationSummaryResponse | { "type": "get_http_authentication_config_request" } & GetHttpAuthenticationConfigRequest | { "type": "get_http_authentication_config_response" } & GetHttpAuthenticationConfigResponse | { "type": "call_http_authentication_request" } & CallHttpAuthenticationRequest | { "type": "call_http_authentication_response" } & CallHttpAuthenticationResponse | { "type": "call_http_authentication_action_request" } & CallHttpAuthenticationActionRequest | { "type": "call_http_authentication_action_response" } & EmptyPayload | { "type": "copy_text_request" } & CopyTextRequest | { "type": "copy_text_response" } & EmptyPayload | { "type": "render_http_request_request" } & RenderHttpRequestRequest | { "type": "render_http_request_response" } & RenderHttpRequestResponse | { "type": "render_grpc_request_request" } & RenderGrpcRequestRequest | { "type": "render_grpc_request_response" } & RenderGrpcRequestResponse | { "type": "template_render_request" } & TemplateRenderRequest | { "type": "template_render_response" } & TemplateRenderResponse | { "type": "get_key_value_request" } & GetKeyValueRequest | { "type": "get_key_value_response" } & GetKeyValueResponse | { "type": "set_key_value_request" } & SetKeyValueRequest | { "type": "set_key_value_response" } & SetKeyValueResponse | { "type": "delete_key_value_request" } & DeleteKeyValueRequest | { "type": "delete_key_value_response" } & DeleteKeyValueResponse | { "type": "open_window_request" } & OpenWindowRequest | { "type": "window_navigate_event" } & WindowNavigateEvent | { "type": "window_close_event" } | { "type": "close_window_request" } & CloseWindowRequest | { "type": "show_toast_request" } & ShowToastRequest | { "type": "show_toast_response" } & EmptyPayload | { "type": "prompt_text_request" } & PromptTextRequest | { "type": "prompt_text_response" } & PromptTextResponse | { "type": "window_info_request" } & WindowInfoRequest | { "type": "window_info_response" } & WindowInfoResponse | { "type": "get_http_request_by_id_request" } & GetHttpRequestByIdRequest | { "type": "get_http_request_by_id_response" } & GetHttpRequestByIdResponse | { "type": "find_http_responses_request" } & FindHttpResponsesRequest | { "type": "find_http_responses_response" } & FindHttpResponsesResponse | { "type": "get_themes_request" } & GetThemesRequest | { "type": "get_themes_response" } & GetThemesResponse | { "type": "empty_response" } & EmptyPayload | { "type": "error_response" } & ErrorResponse;

 export type JsonPrimitive = string | number | boolean | null;

@@ -386,13 +405,13 @@ export type OpenWindowRequest = { url: string,
 */
 label: string, title?: string, size?: WindowSize, dataDirKey?: string, };

-export type PluginWindowContext = { "type": "none" } | { "type": "label", label: string, workspace_id: string | null, };
+export type PluginContext = { id: string, label: string | null, workspaceId: string | null, };

 export type PromptTextRequest = { id: string, title: string, label: string, description?: string, defaultValue?: string, placeholder?: string, 
 /**
 * Text to add to the confirmation button
 */
-confirmText?: string, 
+confirmText?: string, password?: boolean, 
 /**
 * Text to add to the cancel button
 */
@@ -404,6 +423,12 @@ required?: boolean, };

 export type PromptTextResponse = { value: string | null, };

+export type ReloadResponse = { silent: boolean, };
+
+export type RenderGrpcRequestRequest = { grpcRequest: GrpcRequest, purpose: RenderPurpose, };
+
+export type RenderGrpcRequestResponse = { grpcRequest: GrpcRequest, };
+
 export type RenderHttpRequestRequest = { httpRequest: HttpRequest, purpose: RenderPurpose, };

 export type RenderHttpRequestResponse = { httpRequest: HttpRequest, };
@@ -418,24 +443,60 @@ export type SetKeyValueRequest = { key: string, value: string, };

 export type SetKeyValueResponse = {};

-export type ShowToastRequest = { message: string, color?: Color, icon?: Icon, };
+export type ShowToastRequest = { message: string, color?: Color, icon?: Icon, timeout?: number, };

-export type TemplateFunction = { name: string, description?: string, 
+export type TemplateFunction = { name: string, previewType?: TemplateFunctionPreviewType, description?: string, 
 /**
 * Also support alternative names. This is useful for not breaking existing
 * tags when changing the `name` property
 */
-aliases?: Array<string>, args: Array<TemplateFunctionArg>, };
+aliases?: Array<string>, args: Array<TemplateFunctionArg>, 
+/**
+ * A list of arg names to show in the inline preview. If not provided, none will be shown (for privacy reasons).
+ */
+previewArgs?: Array<string>, };

 /**
 * Similar to FormInput, but contains
 */
 export type TemplateFunctionArg = FormInput;

+export type TemplateFunctionPreviewType = "live" | "click" | "none";
+
 export type TemplateRenderRequest = { data: JsonValue, purpose: RenderPurpose, };

 export type TemplateRenderResponse = { data: JsonValue, };

+export type Theme = { 
+/**
+ * How the theme is identified. This should never be changed
+ */
+id: string, 
+/**
+ * The friendly name of the theme to be displayed to the user
+ */
+label: string, 
+/**
+ * Whether the theme will be used for dark or light appearance
+ */
+dark: boolean, 
+/**
+ * The default top-level colors for the theme
+ */
+base: ThemeComponentColors, 
+/**
+ * Optionally override theme for individual UI components for more control
+ */
+components?: ThemeComponents, };
+
+export type ThemeComponentColors = { surface?: string, surfaceHighlight?: string, surfaceActive?: string, text?: string, textSubtle?: string, textSubtlest?: string, border?: string, borderSubtle?: string, borderFocus?: string, shadow?: string, backdrop?: string, selection?: string, primary?: string, secondary?: string, info?: string, success?: string, notice?: string, warning?: string, danger?: string, };
+
+export type ThemeComponents = { dialog?: ThemeComponentColors, menu?: ThemeComponentColors, toast?: ThemeComponentColors, sidebar?: ThemeComponentColors, responsePane?: ThemeComponentColors, appHeader?: ThemeComponentColors, button?: ThemeComponentColors, banner?: ThemeComponentColors, templateTag?: ThemeComponentColors, urlBar?: ThemeComponentColors, editor?: ThemeComponentColors, input?: ThemeComponentColors, };
+
+export type WindowInfoRequest = { label: string, };
+
+export type WindowInfoResponse = { requestId: string | null, environmentId: string | null, workspaceId: string | null, label: string, };
+
 export type WindowNavigateEvent = { url: string, };

 export type WindowSize = { width: number, height: number, };
@@ -1,6 +1,6 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type Environment = { model: "environment", id: string, workspaceId: string, createdAt: string, updatedAt: string, name: string, public: boolean, base: boolean, variables: Array<EnvironmentVariable>, color: string | null, };
+export type Environment = { model: "environment", id: string, workspaceId: string, createdAt: string, updatedAt: string, name: string, public: boolean, parentModel: string, parentId: string | null, variables: Array<EnvironmentVariable>, color: string | null, sortPriority: number, };

 export type EnvironmentVariable = { enabled?: boolean, name: string, value: string, id?: string, };

@@ -0,0 +1,5 @@
+// This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.
+
+export type PluginMetadata = { version: string, name: string, displayName: string, description: string | null, homepageUrl: string | null, repositoryUrl: string | null, };
+
+export type PluginVersion = { id: string, version: string, url: string, description: string | null, name: string, displayName: string, homepageUrl: string | null, repositoryUrl: string | null, checksum: string, readme: string | null, yanked: boolean, };
@@ -3,22 +3,37 @@ import {
  CallHttpAuthenticationRequest,
  CallHttpAuthenticationResponse,
  FormInput,
-  GetHttpAuthenticationConfigRequest,
  GetHttpAuthenticationSummaryResponse,
  HttpAuthenticationAction,
 } from '../bindings/gen_events';
 import { MaybePromise } from '../helpers';
 import { Context } from './Context';

-type DynamicFormInput = FormInput & {
-  dynamic(
+type AddDynamicMethod<T> = {
+  dynamic?: (
    ctx: Context,
-    args: GetHttpAuthenticationConfigRequest,
-  ): MaybePromise<Partial<FormInput> | undefined | null>;
+    args: CallHttpAuthenticationActionArgs,
+  ) => MaybePromise<Partial<T> | null | undefined>;
 };

+type AddDynamic<T> = T extends any
+  ? T extends { inputs?: FormInput[] }
+    ? Omit<T, 'inputs'> & {
+        inputs: Array<AddDynamic<FormInput>>;
+        dynamic?: (
+          ctx: Context,
+          args: CallHttpAuthenticationActionArgs,
+        ) => MaybePromise<
+          Partial<Omit<T, 'inputs'> & { inputs: Array<AddDynamic<FormInput>> }> | null | undefined
+        >;
+      }
+    : T & AddDynamicMethod<T>
+  : never;
+
+export type DynamicAuthenticationArg = AddDynamic<FormInput>;
+
 export type AuthenticationPlugin = GetHttpAuthenticationSummaryResponse & {
-  args: (FormInput | DynamicFormInput)[];
+  args: DynamicAuthenticationArg[];
  onApply(
    ctx: Context,
    args: CallHttpAuthenticationRequest,
@@ -9,14 +9,16 @@ import type {
  OpenWindowRequest,
  PromptTextRequest,
  PromptTextResponse,
+  RenderGrpcRequestRequest,
+  RenderGrpcRequestResponse,
  RenderHttpRequestRequest,
  RenderHttpRequestResponse,
  SendHttpRequestRequest,
  SendHttpRequestResponse,
  ShowToastRequest,
  TemplateRenderRequest,
-  TemplateRenderResponse,
 } from '../bindings/gen_events.ts';
+import type { JsonValue } from '../bindings/serde_json/JsonValue';

 export interface Context {
  clipboard: {
@@ -34,6 +36,9 @@ export interface Context {
    delete(key: string): Promise<boolean>;
  };
  window: {
+    requestId(): Promise<string | null>;
+    workspaceId(): Promise<string | null>;
+    environmentId(): Promise<string | null>;
    openUrl(
      args: OpenWindowRequest & {
        onNavigate?: (args: { url: string }) => void;
@@ -45,6 +50,9 @@ export interface Context {
    listNames(): Promise<ListCookieNamesResponse['names']>;
    getValue(args: GetCookieValueRequest): Promise<GetCookieValueResponse['value']>;
  };
+  grpcRequest: {
+    render(args: RenderGrpcRequestRequest): Promise<RenderGrpcRequestResponse['grpcRequest']>;
+  };
  httpRequest: {
    send(args: SendHttpRequestRequest): Promise<SendHttpRequestResponse['httpResponse']>;
    getById(args: GetHttpRequestByIdRequest): Promise<GetHttpRequestByIdResponse['httpRequest']>;
@@ -54,6 +62,9 @@ export interface Context {
    find(args: FindHttpResponsesRequest): Promise<FindHttpResponsesResponse['httpResponses']>;
  };
  templates: {
-    render(args: TemplateRenderRequest): Promise<TemplateRenderResponse['data']>;
+    render<T extends JsonValue>(args: TemplateRenderRequest & { data: T }): Promise<T>;
+  };
+  plugin: {
+    reload(): void;
  };
 }
@@ -1,12 +1,11 @@
+import { FilterResponse } from '../bindings/gen_events';
 import type { Context } from './Context';

-type FilterPluginResponse = { filtered: string };
-
 export type FilterPlugin = {
  name: string;
  description?: string;
  onFilter(
    ctx: Context,
    args: { payload: string; filter: string; mimeType: string },
-  ): Promise<FilterPluginResponse> | FilterPluginResponse;
+  ): Promise<FilterResponse> | FilterResponse;
 };
@@ -0,0 +1,6 @@
+import { CallGrpcRequestActionArgs, GrpcRequestAction } from '../bindings/gen_events';
+import type { Context } from './Context';
+
+export type GrpcRequestActionPlugin = GrpcRequestAction & {
+  onSelect(ctx: Context, args: CallGrpcRequestActionArgs): Promise<void> | void;
+};
@@ -1,5 +1,5 @@
 import { ImportResources } from '../bindings/gen_events';
-import { AtLeast } from '../helpers';
+import { AtLeast, MaybePromise } from '../helpers';
 import type { Context } from './Context';

 type RootFields = 'name' | 'id' | 'model';
@@ -21,5 +21,8 @@ export type ImportPluginResponse = null | {
 export type ImporterPlugin = {
  name: string;
  description?: string;
-  onImport(ctx: Context, args: { text: string }): Promise<ImportPluginResponse>;
+  onImport(
+    ctx: Context,
+    args: { text: string },
+  ): MaybePromise<ImportPluginResponse | null | undefined>;
 };
@@ -1,12 +1,31 @@
-import {
-  CallTemplateFunctionArgs,
-  TemplateFunction,
-} from "../bindings/gen_events";
-import { Context } from "./Context";
+import { CallTemplateFunctionArgs, FormInput, TemplateFunction } from '../bindings/gen_events';
+import { MaybePromise } from '../helpers';
+import { Context } from './Context';

-export type TemplateFunctionPlugin = TemplateFunction & {
-  onRender(
+type AddDynamicMethod<T> = {
+  dynamic?: (
    ctx: Context,
    args: CallTemplateFunctionArgs,
-  ): Promise<string | null>;
+  ) => MaybePromise<Partial<T> | null | undefined>;
+};
+
+type AddDynamic<T> = T extends any
+  ? T extends { inputs?: FormInput[] }
+    ? Omit<T, 'inputs'> & {
+        inputs: Array<AddDynamic<FormInput>>;
+        dynamic?: (
+          ctx: Context,
+          args: CallTemplateFunctionArgs,
+        ) => MaybePromise<
+          Partial<Omit<T, 'inputs'> & { inputs: Array<AddDynamic<FormInput>> }> | null | undefined
+        >;
+      }
+    : T & AddDynamicMethod<T>
+  : never;
+
+export type DynamicTemplateFunctionArg = AddDynamic<FormInput>;
+
+export type TemplateFunctionPlugin = Omit<TemplateFunction, 'args'> & {
+  args: DynamicTemplateFunctionArg[];
+  onRender(ctx: Context, args: CallTemplateFunctionArgs): Promise<string | null>;
 };
@@ -1,8 +1,3 @@
-import { Index } from "../themes";
-import { Context } from "./Context";
+import { Theme } from '../bindings/gen_events';

-export type ThemePlugin = {
-  name: string;
-  description?: string;
-  getTheme(ctx: Context, fileContents: string): Promise<Index>;
-};
+export type ThemePlugin = Theme;
@@ -1,20 +1,29 @@
 import { AuthenticationPlugin } from './AuthenticationPlugin';
+
+import type { Context } from './Context';
 import type { FilterPlugin } from './FilterPlugin';
+import { GrpcRequestActionPlugin } from './GrpcRequestActionPlugin';
 import type { HttpRequestActionPlugin } from './HttpRequestActionPlugin';
 import type { ImporterPlugin } from './ImporterPlugin';
 import type { TemplateFunctionPlugin } from './TemplateFunctionPlugin';
 import type { ThemePlugin } from './ThemePlugin';

-export type { Context } from './Context';
+export type { Context };
+export type { DynamicTemplateFunctionArg } from './TemplateFunctionPlugin';
+export type { DynamicAuthenticationArg } from './AuthenticationPlugin';
+export type { TemplateFunctionPlugin };

 /**
 * The global structure of a Yaak plugin
 */
 export type PluginDefinition = {
+  init?: (ctx: Context) => void | Promise<void>;
+  dispose?: () => void | Promise<void>;
  importer?: ImporterPlugin;
-  theme?: ThemePlugin;
+  themes?: ThemePlugin[];
  filter?: FilterPlugin;
  authentication?: AuthenticationPlugin;
  httpRequestActions?: HttpRequestActionPlugin[];
+  grpcRequestActions?: GrpcRequestActionPlugin[];
  templateFunctions?: TemplateFunctionPlugin[];
 };
@@ -2,12 +2,17 @@
  "compilerOptions": {
    "module": "node16",
    "target": "es6",
-    "lib": ["es2021"],
+    "lib": [
+      "es2021",
+      "dom"
+    ],
    "declaration": true,
    "declarationDir": "./lib",
    "outDir": "./lib",
    "strict": true,
-    "types": ["node"]
+    "types": [
+      "node"
+    ]
  },
  "files": [
    "src/index.ts"
@@ -1,3 +1,4 @@
+import { PluginContext } from '@yaakapp-internal/plugins';
 import type { BootRequest, InternalEvent } from '@yaakapp/api';
 import type { EventChannel } from './EventChannel';
 import { PluginInstance, PluginWorkerData } from './PluginInstance';
@@ -6,14 +7,12 @@ export class PluginHandle {
  #instance: PluginInstance;

  constructor(
-    readonly pluginRefId: string,
-    readonly bootRequest: BootRequest,
-    readonly pluginToAppEvents: EventChannel,
+    pluginRefId: string,
+    context: PluginContext,
+    bootRequest: BootRequest,
+    pluginToAppEvents: EventChannel,
  ) {
-    const workerData: PluginWorkerData = {
-      pluginRefId: this.pluginRefId,
-      bootRequest: this.bootRequest,
-    };
+    const workerData: PluginWorkerData = { pluginRefId, context, bootRequest };
    this.#instance = new PluginInstance(workerData, pluginToAppEvents);
  }

@@ -21,7 +20,7 @@ export class PluginHandle {
    this.#instance.postMessage(event);
  }

-  terminate() {
-    this.#instance.terminate();
+  async terminate() {
+    await this.#instance.terminate();
  }
 }
@@ -1,42 +1,44 @@
+import { applyFormInputDefaults, validateTemplateFunctionArgs } from '@yaakapp-internal/lib/templateFunction';
 import {
  BootRequest,
  DeleteKeyValueResponse,
  FindHttpResponsesResponse,
-  FormInput,
  GetCookieValueRequest,
  GetCookieValueResponse,
  GetHttpRequestByIdResponse,
  GetKeyValueResponse,
+  GrpcRequestAction,
  HttpAuthenticationAction,
  HttpRequestAction,
  InternalEvent,
  InternalEventPayload,
  ListCookieNamesResponse,
-  PluginWindowContext,
+  PluginContext,
  PromptTextResponse,
+  RenderGrpcRequestResponse,
  RenderHttpRequestResponse,
  SendHttpRequestResponse,
  TemplateFunction,
-  TemplateFunctionArg,
  TemplateRenderResponse,
+  WindowInfoResponse,
 } from '@yaakapp-internal/plugins';
 import { Context, PluginDefinition } from '@yaakapp/api';
-import { JsonValue } from '@yaakapp/api/lib/bindings/serde_json/JsonValue';
 import console from 'node:console';
-import { readFileSync, type Stats, statSync, watch } from 'node:fs';
+import { type Stats, statSync, watch } from 'node:fs';
 import path from 'node:path';
+import { applyDynamicFormInput } from './common';
 import { EventChannel } from './EventChannel';
 import { migrateTemplateFunctionSelectOptions } from './migrations';

 export interface PluginWorkerData {
  bootRequest: BootRequest;
  pluginRefId: string;
+  context: PluginContext;
 }

 export class PluginInstance {
  #workerData: PluginWorkerData;
  #mod: PluginDefinition;
-  #pkg: { name?: string; version?: string };
  #pluginToAppEvents: EventChannel;
  #appToPluginEvents: EventChannel;

@@ -50,11 +52,20 @@ export class PluginInstance {
      await this.#onMessage(event);
    });

-    // Reload plugin if the JS or package.json changes
-    const windowContextNone: PluginWindowContext = { type: 'none' };
+    this.#mod = {} as any;
+
    const fileChangeCallback = async () => {
+      await this.#mod?.dispose?.();
      this.#importModule();
-      return this.#sendPayload(windowContextNone, { type: 'reload_response' }, null);
+      await this.#mod?.init?.(this.#newCtx(workerData.context));
+      return this.#sendPayload(
+        workerData.context,
+        {
+          type: 'reload_response',
+          silent: false,
+        },
+        null,
+      );
    };

    if (this.#workerData.bootRequest.watch) {
@@ -62,12 +73,6 @@ export class PluginInstance {
      watchFile(this.#pathPkg(), fileChangeCallback);
    }

-    this.#mod = {};
-    this.#pkg = JSON.parse(readFileSync(this.#pathPkg(), 'utf8'));
-
-    // TODO: Re-implement this now that we're not using workers
-    // prefixStdout(`[plugin][${this.#pkg.name}] %s`);
-
    this.#importModule();
  }

@@ -75,23 +80,20 @@ export class PluginInstance {
    this.#appToPluginEvents.emit(event);
  }

-  terminate() {
+  async terminate() {
+    await this.#mod?.dispose?.();
    this.#unimportModule();
  }

  async #onMessage(event: InternalEvent) {
-    const ctx = this.#newCtx(event);
+    const ctx = this.#newCtx(event.context);
+
+    const { context, payload, id: replyId } = event;

-    const { windowContext, payload, id: replyId } = event;
    try {
      if (payload.type === 'boot_request') {
-        // console.log('Plugin initialized', pkg.name, { capabilities, enableWatch });
-        const payload: InternalEventPayload = {
-          type: 'boot_response',
-          name: this.#pkg.name ?? 'unknown',
-          version: this.#pkg.version ?? '0.0.1',
-        };
-        this.#sendPayload(windowContext, payload, replyId);
+        await this.#mod?.init?.(ctx);
+        this.#sendPayload(context, { type: 'boot_response' }, replyId);
        return;
      }

@@ -99,7 +101,8 @@ export class PluginInstance {
        const payload: InternalEventPayload = {
          type: 'terminate_response',
        };
-        this.#sendPayload(windowContext, payload, replyId);
+        await this.terminate();
+        this.#sendPayload(context, payload, replyId);
        return;
      }

@@ -116,10 +119,10 @@ export class PluginInstance {
            // deno-lint-ignore no-explicit-any
            resources: reply.resources as any,
          };
-          this.#sendPayload(windowContext, replyPayload, replyId);
+          this.#sendPayload(context, replyPayload, replyId);
          return;
        } else {
-          // Continue, to send back an empty reply
+          // Send back an empty reply (below)
        }
      }

@@ -129,11 +132,25 @@ export class PluginInstance {
          payload: payload.content,
          mimeType: payload.type,
        });
+        this.#sendPayload(context, { type: 'filter_response', ...reply }, replyId);
+        return;
+      }
+
+      if (
+        payload.type === 'get_grpc_request_actions_request' &&
+        Array.isArray(this.#mod?.grpcRequestActions)
+      ) {
+        const reply: GrpcRequestAction[] = this.#mod.grpcRequestActions.map((a) => ({
+          ...a,
+          // Add everything except onSelect
+          onSelect: undefined,
+        }));
        const replyPayload: InternalEventPayload = {
-          type: 'filter_response',
-          content: reply.filtered,
+          type: 'get_grpc_request_actions_response',
+          pluginRefId: this.#workerData.pluginRefId,
+          actions: reply,
        };
-        this.#sendPayload(windowContext, replyPayload, replyId);
+        this.#sendPayload(context, replyPayload, replyId);
        return;
      }

@@ -151,56 +168,83 @@ export class PluginInstance {
          pluginRefId: this.#workerData.pluginRefId,
          actions: reply,
        };
-        this.#sendPayload(windowContext, replyPayload, replyId);
+        this.#sendPayload(context, replyPayload, replyId);
+        return;
+      }
+
+      if (payload.type === 'get_themes_request' && Array.isArray(this.#mod?.themes)) {
+        const replyPayload: InternalEventPayload = {
+          type: 'get_themes_response',
+          themes: this.#mod.themes,
+        };
+        this.#sendPayload(context, replyPayload, replyId);
        return;
      }

      if (
-        payload.type === 'get_template_functions_request' &&
+        payload.type === 'get_template_function_summary_request' &&
        Array.isArray(this.#mod?.templateFunctions)
      ) {
-        const reply: TemplateFunction[] = this.#mod.templateFunctions.map((templateFunction) => {
-          return {
-            ...migrateTemplateFunctionSelectOptions(templateFunction),
-            // Add everything except render
-            onRender: undefined,
-          };
-        });
+        const functions: TemplateFunction[] = this.#mod.templateFunctions.map(
+          (templateFunction) => {
+            return {
+              ...migrateTemplateFunctionSelectOptions(templateFunction),
+              // Add everything except render
+              onRender: undefined,
+            };
+          },
+        );
        const replyPayload: InternalEventPayload = {
-          type: 'get_template_functions_response',
+          type: 'get_template_function_summary_response',
          pluginRefId: this.#workerData.pluginRefId,
-          functions: reply,
+          functions,
        };
-        this.#sendPayload(windowContext, replyPayload, replyId);
+        this.#sendPayload(context, replyPayload, replyId);
+        return;
+      }
+
+      if (
+        payload.type === 'get_template_function_config_request' &&
+        Array.isArray(this.#mod?.templateFunctions)
+      ) {
+        let templateFunction = this.#mod.templateFunctions.find((f) => f.name === payload.name);
+        if (templateFunction == null) {
+          this.#sendEmpty(context, replyId);
+          return;
+        }
+
+        const fn = {
+          ...migrateTemplateFunctionSelectOptions(templateFunction),
+          onRender: undefined,
+        };
+
+        payload.values = applyFormInputDefaults(fn.args, payload.values);
+        const p = { ...payload, purpose: 'preview' } as const;
+        const resolvedArgs = await applyDynamicFormInput(ctx, fn.args, p);
+
+        const replyPayload: InternalEventPayload = {
+          type: 'get_template_function_config_response',
+          pluginRefId: this.#workerData.pluginRefId,
+          function: { ...fn, args: resolvedArgs },
+        };
+        this.#sendPayload(context, replyPayload, replyId);
        return;
      }

      if (payload.type === 'get_http_authentication_summary_request' && this.#mod?.authentication) {
-        const { name, shortLabel, label } = this.#mod.authentication;
        const replyPayload: InternalEventPayload = {
          type: 'get_http_authentication_summary_response',
-          name,
-          label,
-          shortLabel,
+          ...this.#mod.authentication,
        };

-        this.#sendPayload(windowContext, replyPayload, replyId);
+        this.#sendPayload(context, replyPayload, replyId);
        return;
      }

      if (payload.type === 'get_http_authentication_config_request' && this.#mod?.authentication) {
        const { args, actions } = this.#mod.authentication;
-        const resolvedArgs: FormInput[] = [];
-        for (let i = 0; i < args.length; i++) {
-          let v = args[i];
-          if ('dynamic' in v) {
-            const dynamicAttrs = await v.dynamic(ctx, payload);
-            const { dynamic, ...other } = v;
-            resolvedArgs.push({ ...other, ...dynamicAttrs } as FormInput);
-          } else {
-            resolvedArgs.push(v);
-          }
-        }
+        payload.values = applyFormInputDefaults(args, payload.values);
+        const resolvedArgs = await applyDynamicFormInput(ctx, args, payload);
        const resolvedActions: HttpAuthenticationAction[] = [];
        for (const { onSelect, ...action } of actions ?? []) {
          resolvedActions.push(action);
@@ -213,20 +257,20 @@ export class PluginInstance {
          pluginRefId: this.#workerData.pluginRefId,
        };

-        this.#sendPayload(windowContext, replyPayload, replyId);
+        this.#sendPayload(context, replyPayload, replyId);
        return;
      }

      if (payload.type === 'call_http_authentication_request' && this.#mod?.authentication) {
        const auth = this.#mod.authentication;
        if (typeof auth?.onApply === 'function') {
-          applyFormInputDefaults(auth.args, payload.values);
-          const result = await auth.onApply(ctx, payload);
+          auth.args = await applyDynamicFormInput(ctx, auth.args, payload);
+          payload.values = applyFormInputDefaults(auth.args, payload.values);
          this.#sendPayload(
-            windowContext,
+            context,
            {
              type: 'call_http_authentication_response',
-              setHeaders: result.setHeaders,
+              ...(await auth.onApply(ctx, payload)),
            },
            replyId,
          );
@@ -241,7 +285,7 @@ export class PluginInstance {
        const action = this.#mod.authentication.actions?.[payload.index];
        if (typeof action?.onSelect === 'function') {
          await action.onSelect(ctx, payload.args);
-          this.#sendEmpty(windowContext, replyId);
+          this.#sendEmpty(context, replyId);
          return;
        }
      }
@@ -253,7 +297,19 @@ export class PluginInstance {
        const action = this.#mod.httpRequestActions[payload.index];
        if (typeof action?.onSelect === 'function') {
          await action.onSelect(ctx, payload.args);
-          this.#sendEmpty(windowContext, replyId);
+          this.#sendEmpty(context, replyId);
+          return;
+        }
+      }
+
+      if (
+        payload.type === 'call_grpc_request_action_request' &&
+        Array.isArray(this.#mod.grpcRequestActions)
+      ) {
+        const action = this.#mod.grpcRequestActions[payload.index];
+        if (typeof action?.onSelect === 'function') {
+          await action.onSelect(ctx, payload.args);
+          this.#sendEmpty(context, replyId);
          return;
        }
      }
@@ -263,33 +319,63 @@ export class PluginInstance {
        Array.isArray(this.#mod?.templateFunctions)
      ) {
        const fn = this.#mod.templateFunctions.find((a) => a.name === payload.name);
-        if (typeof fn?.onRender === 'function') {
-          applyFormInputDefaults(fn.args, payload.args.values);
-          const result = await fn.onRender(ctx, payload.args);
+        if (
+          payload.args.purpose === 'preview' &&
+          (fn?.previewType === 'click' || fn?.previewType === 'none')
+        ) {
+          // Send empty render response
          this.#sendPayload(
-            windowContext,
+            context,
            {
              type: 'call_template_function_response',
-              value: result ?? null,
+              value: null,
+              error: 'Live preview disabled for this function',
            },
            replyId,
          );
+        } else if (typeof fn?.onRender === 'function') {
+          const resolvedArgs = await applyDynamicFormInput(ctx, fn.args, payload.args);
+          const values = applyFormInputDefaults(resolvedArgs, payload.args.values);
+          const error = validateTemplateFunctionArgs(fn.name, resolvedArgs, values);
+          if (error && payload.args.purpose !== 'preview') {
+            this.#sendPayload(
+              context,
+              { type: 'call_template_function_response', value: null, error },
+              replyId,
+            );
+            return;
+          }
+
+          try {
+            const result = await fn.onRender(ctx, { ...payload.args, values });
+            this.#sendPayload(
+              context,
+              { type: 'call_template_function_response', value: result ?? null },
+              replyId,
+            );
+          } catch (err) {
+            this.#sendPayload(
+              context,
+              {
+                type: 'call_template_function_response',
+                value: null,
+                error: `${err}`.replace(/^Error:\s*/g, ''),
+              },
+              replyId,
+            );
+          }
          return;
        }
      }
-
-      if (payload.type === 'reload_request') {
-        this.#importModule();
-      }
    } catch (err) {
      const error = `${err}`.replace(/^Error:\s*/g, '');
      console.log('Plugin call threw exception', payload.type, '→', error);
-      this.#sendPayload(windowContext, { type: 'error_response', error }, replyId);
+      this.#sendPayload(context, { type: 'error_response', error }, replyId);
      return;
    }

    // No matches, so send back an empty response so the caller doesn't block forever
-    this.#sendEmpty(windowContext, replyId);
+    this.#sendEmpty(context, replyId);
  }

  #pathMod() {
@@ -312,7 +398,7 @@ export class PluginInstance {
  }

  #buildEventToSend(
-    windowContext: PluginWindowContext,
+    context: PluginContext,
    payload: InternalEventPayload,
    replyId: string | null = null,
  ): InternalEvent {
@@ -322,16 +408,16 @@ export class PluginInstance {
      id: genId(),
      replyId,
      payload,
-      windowContext,
+      context,
    };
  }

  #sendPayload(
-    windowContext: PluginWindowContext,
+    context: PluginContext,
    payload: InternalEventPayload,
    replyId: string | null,
  ): string {
-    const event = this.#buildEventToSend(windowContext, payload, replyId);
+    const event = this.#buildEventToSend(context, payload, replyId);
    this.#sendEvent(event);
    return event.id;
  }
@@ -343,16 +429,16 @@ export class PluginInstance {
    this.#pluginToAppEvents.emit(event);
  }

-  #sendEmpty(windowContext: PluginWindowContext, replyId: string | null = null): string {
-    return this.#sendPayload(windowContext, { type: 'empty_response' }, replyId);
+  #sendEmpty(context: PluginContext, replyId: string | null = null): string {
+    return this.#sendPayload(context, { type: 'empty_response' }, replyId);
  }

-  #sendAndWaitForReply<T extends Omit<InternalEventPayload, 'type'>>(
-    windowContext: PluginWindowContext,
+  #sendForReply<T extends Omit<InternalEventPayload, 'type'>>(
+    context: PluginContext,
    payload: InternalEventPayload,
  ): Promise<T> {
    // 1. Build event to send
-    const eventToSend = this.#buildEventToSend(windowContext, payload, null);
+    const eventToSend = this.#buildEventToSend(context, payload, null);

    // 2. Spawn listener in background
    const promise = new Promise<T>((resolve) => {
@@ -374,12 +460,12 @@ export class PluginInstance {
  }

  #sendAndListenForEvents(
-    windowContext: PluginWindowContext,
+    context: PluginContext,
    payload: InternalEventPayload,
    onEvent: (event: InternalEventPayload) => void,
  ): void {
    // 1. Build event to send
-    const eventToSend = this.#buildEventToSend(windowContext, payload, null);
+    const eventToSend = this.#buildEventToSend(context, payload, null);

    // 2. Listen for replies in the background
    this.#appToPluginEvents.listen((event: InternalEvent) => {
@@ -392,11 +478,23 @@ export class PluginInstance {
    this.#sendEvent(eventToSend);
  }

-  #newCtx(event: InternalEvent): Context {
+  #newCtx(context: PluginContext): Context {
+    const _windowInfo = async () => {
+      if (context.label == null) {
+        throw new Error("Can't get window context without an active window");
+      }
+      const payload: InternalEventPayload = {
+        type: 'window_info_request',
+        label: context.label,
+      };
+
+      return this.#sendForReply<WindowInfoResponse>(context, payload);
+    };
+
    return {
      clipboard: {
        copyText: async (text) => {
-          await this.#sendAndWaitForReply(event.windowContext, {
+          await this.#sendForReply(context, {
            type: 'copy_text_request',
            text,
          });
@@ -404,13 +502,24 @@ export class PluginInstance {
      },
      toast: {
        show: async (args) => {
-          await this.#sendAndWaitForReply(event.windowContext, {
+          await this.#sendForReply(context, {
            type: 'show_toast_request',
+            // Handle default here because null/undefined both convert to None in Rust translation
+            timeout: args.timeout === undefined ? 5000 : args.timeout,
            ...args,
          });
        },
      },
      window: {
+        requestId: async () => {
+          return (await _windowInfo()).requestId;
+        },
+        async workspaceId(): Promise<string | null> {
+          return (await _windowInfo()).workspaceId;
+        },
+        async environmentId(): Promise<string | null> {
+          return (await _windowInfo()).environmentId;
+        },
        openUrl: async ({ onNavigate, onClose, ...args }) => {
          args.label = args.label || `${Math.random()}`;
          const payload: InternalEventPayload = { type: 'open_window_request', ...args };
@@ -421,21 +530,21 @@ export class PluginInstance {
              onClose?.();
            }
          };
-          this.#sendAndListenForEvents(event.windowContext, payload, onEvent);
+          this.#sendAndListenForEvents(context, payload, onEvent);
          return {
            close: () => {
              const closePayload: InternalEventPayload = {
                type: 'close_window_request',
                label: args.label,
              };
-              this.#sendPayload(event.windowContext, closePayload, null);
+              this.#sendPayload(context, closePayload, null);
            },
          };
        },
      },
      prompt: {
        text: async (args) => {
-          const reply: PromptTextResponse = await this.#sendAndWaitForReply(event.windowContext, {
+          const reply: PromptTextResponse = await this.#sendForReply(context, {
            type: 'prompt_text_request',
            ...args,
          });
@@ -448,21 +557,34 @@ export class PluginInstance {
            type: 'find_http_responses_request',
            ...args,
          } as const;
-          const { httpResponses } = await this.#sendAndWaitForReply<FindHttpResponsesResponse>(
-            event.windowContext,
+          const { httpResponses } = await this.#sendForReply<FindHttpResponsesResponse>(
+            context,
            payload,
          );
          return httpResponses;
        },
      },
+      grpcRequest: {
+        render: async (args) => {
+          const payload = {
+            type: 'render_grpc_request_request',
+            ...args,
+          } as const;
+          const { grpcRequest } = await this.#sendForReply<RenderGrpcRequestResponse>(
+            context,
+            payload,
+          );
+          return grpcRequest;
+        },
+      },
      httpRequest: {
        getById: async (args) => {
          const payload = {
            type: 'get_http_request_by_id_request',
            ...args,
          } as const;
-          const { httpRequest } = await this.#sendAndWaitForReply<GetHttpRequestByIdResponse>(
-            event.windowContext,
+          const { httpRequest } = await this.#sendForReply<GetHttpRequestByIdResponse>(
+            context,
            payload,
          );
          return httpRequest;
@@ -472,8 +594,8 @@ export class PluginInstance {
            type: 'send_http_request_request',
            ...args,
          } as const;
-          const { httpResponse } = await this.#sendAndWaitForReply<SendHttpRequestResponse>(
-            event.windowContext,
+          const { httpResponse } = await this.#sendForReply<SendHttpRequestResponse>(
+            context,
            payload,
          );
          return httpResponse;
@@ -483,8 +605,8 @@ export class PluginInstance {
            type: 'render_http_request_request',
            ...args,
          } as const;
-          const { httpRequest } = await this.#sendAndWaitForReply<RenderHttpRequestResponse>(
-            event.windowContext,
+          const { httpRequest } = await this.#sendForReply<RenderHttpRequestResponse>(
+            context,
            payload,
          );
          return httpRequest;
@@ -496,18 +618,12 @@ export class PluginInstance {
            type: 'get_cookie_value_request',
            ...args,
          } as const;
-          const { value } = await this.#sendAndWaitForReply<GetCookieValueResponse>(
-            event.windowContext,
-            payload,
-          );
+          const { value } = await this.#sendForReply<GetCookieValueResponse>(context, payload);
          return value;
        },
        listNames: async () => {
          const payload = { type: 'list_cookie_names_request' } as const;
-          const { names } = await this.#sendAndWaitForReply<ListCookieNamesResponse>(
-            event.windowContext,
-            payload,
-          );
+          const { names } = await this.#sendForReply<ListCookieNamesResponse>(context, payload);
          return names;
        },
      },
@@ -518,20 +634,14 @@ export class PluginInstance {
         */
        render: async (args) => {
          const payload = { type: 'template_render_request', ...args } as const;
-          const result = await this.#sendAndWaitForReply<TemplateRenderResponse>(
-            event.windowContext,
-            payload,
-          );
-          return result.data;
+          const result = await this.#sendForReply<TemplateRenderResponse>(context, payload);
+          return result.data as any;
        },
      },
      store: {
        get: async <T>(key: string) => {
          const payload = { type: 'get_key_value_request', key } as const;
-          const result = await this.#sendAndWaitForReply<GetKeyValueResponse>(
-            event.windowContext,
-            payload,
-          );
+          const result = await this.#sendForReply<GetKeyValueResponse>(context, payload);
          return result.value ? (JSON.parse(result.value) as T) : undefined;
        },
        set: async <T>(key: string, value: T) => {
@@ -541,17 +651,19 @@ export class PluginInstance {
            key,
            value: valueStr,
          };
-          await this.#sendAndWaitForReply<GetKeyValueResponse>(event.windowContext, payload);
+          await this.#sendForReply<GetKeyValueResponse>(context, payload);
        },
        delete: async (key: string) => {
          const payload = { type: 'delete_key_value_request', key } as const;
-          const result = await this.#sendAndWaitForReply<DeleteKeyValueResponse>(
-            event.windowContext,
-            payload,
-          );
+          const result = await this.#sendForReply<DeleteKeyValueResponse>(context, payload);
          return result.deleted;
        },
      },
+      plugin: {
+        reload: () => {
+          this.#sendPayload(context, { type: 'reload_response', silent: true }, null);
+        },
+      },
    };
  }
 }
@@ -565,34 +677,20 @@ function genId(len = 5): string {
  return id;
 }

-/** Recursively apply form input defaults to a set of values */
-function applyFormInputDefaults(
-  inputs: TemplateFunctionArg[],
-  values: { [p: string]: JsonValue | undefined },
-) {
-  for (const input of inputs) {
-    if ('inputs' in input) {
-      applyFormInputDefaults(input.inputs ?? [], values);
-    } else if ('defaultValue' in input && values[input.name] === undefined) {
-      values[input.name] = input.defaultValue;
-    }
-  }
-}
-
-const watchedFiles: Record<string, Stats> = {};
+const watchedFiles: Record<string, Stats | null> = {};

 /**
- * Watch a file and trigger callback on change.
+ * Watch a file and trigger a callback on change.
 *
 * We also track the stat for each file because fs.watch() will
- * trigger a "change" event when the access date changes
+ * trigger a "change" event when the access date changes.
 */
-function watchFile(filepath: string, cb: (filepath: string) => void) {
+function watchFile(filepath: string, cb: () => void) {
  watch(filepath, () => {
-    const stat = statSync(filepath);
-    if (stat.mtimeMs !== watchedFiles[filepath]?.mtimeMs) {
-      cb(filepath);
+    const stat = statSync(filepath, { throwIfNoEntry: false });
+    if (stat == null || stat.mtimeMs !== watchedFiles[filepath]?.mtimeMs) {
+      watchedFiles[filepath] = stat ?? null;
+      cb();
    }
-    watchedFiles[filepath] = stat;
  });
 }
@@ -0,0 +1,37 @@
+import { CallHttpAuthenticationActionArgs, CallTemplateFunctionArgs } from '@yaakapp-internal/plugins';
+import { Context, DynamicAuthenticationArg, DynamicTemplateFunctionArg } from '@yaakapp/api';
+
+export async function applyDynamicFormInput(
+  ctx: Context,
+  args: DynamicTemplateFunctionArg[],
+  callArgs: CallTemplateFunctionArgs,
+): Promise<DynamicTemplateFunctionArg[]>;
+
+export async function applyDynamicFormInput(
+  ctx: Context,
+  args: DynamicAuthenticationArg[],
+  callArgs: CallHttpAuthenticationActionArgs,
+): Promise<DynamicAuthenticationArg[]>;
+
+export async function applyDynamicFormInput(
+  ctx: Context,
+  args: (DynamicTemplateFunctionArg | DynamicAuthenticationArg)[],
+  callArgs: CallTemplateFunctionArgs | CallHttpAuthenticationActionArgs,
+): Promise<(DynamicTemplateFunctionArg | DynamicAuthenticationArg)[]> {
+  const resolvedArgs: any[] = [];
+  for (const { dynamic, ...arg } of args) {
+    const newArg: any = {
+      ...arg,
+      ...(typeof dynamic === 'function' ? await dynamic(ctx, callArgs as any) : undefined),
+    };
+    if ('inputs' in newArg && Array.isArray(newArg.inputs)) {
+      try {
+        newArg.inputs = await applyDynamicFormInput(ctx, newArg.inputs, callArgs as any);
+      } catch (e) {
+        console.error('Failed to apply dynamic form input', e);
+      }
+    }
+    resolvedArgs.push(newArg);
+  }
+  return resolvedArgs;
+}
@@ -8,10 +8,15 @@ if (!port) {
  throw new Error('Plugin runtime missing PORT')
 }

+const host = process.env.HOST;
+if (!host) {
+  throw new Error('Plugin runtime missing HOST')
+}
+
 const pluginToAppEvents = new EventChannel();
 const plugins: Record<string, PluginHandle> = {};

-const ws = new WebSocket(`ws://localhost:${port}`);
+const ws = new WebSocket(`ws://${host}:${port}`);

 ws.on('message', async (e: Buffer) => {
  try {
@@ -34,7 +39,7 @@ async function handleIncoming(msg: string) {
  const pluginEvent: InternalEvent = JSON.parse(msg);
  // Handle special event to bootstrap plugin
  if (pluginEvent.payload.type === 'boot_request') {
-    const plugin = new PluginHandle(pluginEvent.pluginRefId, pluginEvent.payload, pluginToAppEvents);
+    const plugin = new PluginHandle(pluginEvent.pluginRefId, pluginEvent.context, pluginEvent.payload, pluginToAppEvents);
    plugins[pluginEvent.pluginRefId] = plugin;
  }

@@ -46,10 +51,14 @@ async function handleIncoming(msg: string) {
  }

  if (pluginEvent.payload.type === 'terminate_request') {
-    plugin.terminate();
+    await plugin.terminate();
    console.log('Terminated plugin worker', pluginEvent.pluginRefId);
    delete plugins[pluginEvent.pluginRefId];
  }

  plugin.sendToWorker(pluginEvent);
 }
+
+process.on('unhandledRejection', (reason, promise) => {
+  console.error('Unhandled Rejection at:', promise, 'reason:', reason);
+});
@@ -1,6 +1,8 @@
-import { TemplateFunction } from '@yaakapp/api';
+import type { TemplateFunctionPlugin } from '@yaakapp/api';

-export function migrateTemplateFunctionSelectOptions(f: TemplateFunction): TemplateFunction {
+export function migrateTemplateFunctionSelectOptions(
+  f: TemplateFunctionPlugin,
+): TemplateFunctionPlugin {
  const migratedArgs = f.args.map((a) => {
    if (a.type === 'select') {
      a.options = a.options.map((o) => ({
@@ -11,8 +13,5 @@ export function migrateTemplateFunctionSelectOptions(f: TemplateFunction): Templ
    return a;
  });

-  return {
-    ...f,
-    args: migratedArgs,
-  };
+  return { ...f, args: migratedArgs };
 }
@@ -0,0 +1,150 @@
+import { CallTemplateFunctionArgs } from '@yaakapp-internal/plugins';
+import { Context, DynamicTemplateFunctionArg } from '@yaakapp/api';
+import { describe, expect, test } from 'vitest';
+import { applyDynamicFormInput, applyFormInputDefaults } from '../src/common';
+
+describe('applyFormInputDefaults', () => {
+  test('Works with top-level select', () => {
+    const args: DynamicTemplateFunctionArg[] = [
+      {
+        type: 'select',
+        name: 'test',
+        options: [{ label: 'Option 1', value: 'one' }],
+        defaultValue: 'one',
+      },
+    ];
+    expect(applyFormInputDefaults(args, {})).toEqual({
+      test: 'one',
+    });
+  });
+
+  test('Works with existing value', () => {
+    const args: DynamicTemplateFunctionArg[] = [
+      {
+        type: 'select',
+        name: 'test',
+        options: [{ label: 'Option 1', value: 'one' }],
+        defaultValue: 'one',
+      },
+    ];
+    expect(applyFormInputDefaults(args, { test: 'explicit' })).toEqual({
+      test: 'explicit',
+    });
+  });
+
+  test('Works with recursive select', () => {
+    const args: DynamicTemplateFunctionArg[] = [
+      { type: 'text', name: 'dummy', defaultValue: 'top' },
+      {
+        type: 'accordion',
+        label: 'Test',
+        inputs: [
+          { type: 'text', name: 'name', defaultValue: 'hello' },
+          {
+            type: 'select',
+            name: 'test',
+            options: [{ label: 'Option 1', value: 'one' }],
+            defaultValue: 'one',
+          },
+        ],
+      },
+    ];
+    expect(applyFormInputDefaults(args, {})).toEqual({
+      dummy: 'top',
+      test: 'one',
+      name: 'hello',
+    });
+  });
+
+  test('Works with dynamic options', () => {
+    const args: DynamicTemplateFunctionArg[] = [
+      {
+        type: 'select',
+        name: 'test',
+        defaultValue: 'one',
+        options: [],
+        dynamic() {
+          return { options: [{ label: 'Option 1', value: 'one' }] };
+        },
+      },
+    ];
+    expect(applyFormInputDefaults(args, {})).toEqual({
+      test: 'one',
+    });
+    expect(applyFormInputDefaults(args, {})).toEqual({
+      test: 'one',
+    });
+  });
+});
+
+describe('applyDynamicFormInput', () => {
+  test('Works with plain input', async () => {
+    const ctx = {} as Context;
+    const args: DynamicTemplateFunctionArg[] = [
+      { type: 'text', name: 'name' },
+      { type: 'checkbox', name: 'checked' },
+    ];
+    const callArgs: CallTemplateFunctionArgs = {
+      values: {},
+      purpose: 'preview',
+    };
+    expect(await applyDynamicFormInput(ctx, args, callArgs)).toEqual([
+      { type: 'text', name: 'name' },
+      { type: 'checkbox', name: 'checked' },
+    ]);
+  });
+
+  test('Works with dynamic input', async () => {
+    const ctx = {} as Context;
+    const args: DynamicTemplateFunctionArg[] = [
+      {
+        type: 'text',
+        name: 'name',
+        async dynamic(_ctx, _args) {
+          return { hidden: true };
+        },
+      },
+    ];
+    const callArgs: CallTemplateFunctionArgs = {
+      values: {},
+      purpose: 'preview',
+    };
+    expect(await applyDynamicFormInput(ctx, args, callArgs)).toEqual([
+      { type: 'text', name: 'name', hidden: true },
+    ]);
+  });
+
+  test('Works with recursive dynamic input', async () => {
+    const ctx = {} as Context;
+    const callArgs: CallTemplateFunctionArgs = {
+      values: { hello: 'world' },
+      purpose: 'preview',
+    };
+    const args: DynamicTemplateFunctionArg[] = [
+      {
+        type: 'banner',
+        inputs: [
+          {
+            type: 'text',
+            name: 'name',
+            async dynamic(_ctx, args) {
+              return { hidden: args.values.hello === 'world' };
+            },
+          },
+        ],
+      },
+    ];
+    expect(await applyDynamicFormInput(ctx, args, callArgs)).toEqual([
+      {
+        type: 'banner',
+        inputs: [
+          {
+            type: 'text',
+            name: 'name',
+            hidden: true,
+          },
+        ],
+      },
+    ]);
+  });
+});
@@ -0,0 +1,68 @@
+# Copy as cUrl
+
+A request action plugin for Yaak that converts HTTP requests into [curl](https://curl.se)
+commands, making it easy to share, debug, and execute requests outside Yaak.
+
+![Screenshot of context menu](screenshot.png)
+
+## Overview
+
+This plugin adds a 'Copy as Curl' action to HTTP requests, converting any request into its
+equivalent curl command. This is useful for debugging, sharing requests with team members,
+and executing requests in terminal environments where `curl` is available.
+
+## How It Works
+
+The plugin analyzes the given HTTP request and generates a properly formatted curl command
+that includes:
+
+- HTTP method (GET, POST, PUT, DELETE, etc.)
+- Request URL with query parameters
+- Headers (including authentication headers)
+- Request body (for POST, PUT, PATCH requests)
+- Authentication credentials
+
+## Usage
+
+1. Configure an HTTP request as usual in Yaak
+2. Right-click on the request in the sidebar
+3. Select 'Copy as Curl'
+4. The command is copied to your clipboard
+5. Share or execute the command
+
+## Generated Curl Examples
+
+### Simple GET Request
+
+```bash
+curl -X GET 'https://api.example.com/users' \
+  --header 'Accept: application/json'
+```
+
+### POST Request with JSON Data
+
+```bash
+curl -X POST 'https://api.example.com/users' \
+  --header 'Content-Type: application/json' \
+  --header 'Accept: application/json' \
+  --data '{
+    "name": "John Doe",
+    "email": "john@example.com"
+  }'
+```
+
+### Request with Multi-part Form Data
+
+```bash
+curl -X POST 'yaak.app' \
+  --header 'Content-Type: multipart/form-data' \
+  --form 'hello=world' \
+  --form file=@/path/to/file.json
+```
+
+### Request with Authentication
+
+```bash
+curl -X GET 'https://api.example.com/protected' \
+  --user 'username:password'
+```
@@ -0,0 +1,17 @@
+{
+  "name": "@yaak/action-copy-curl",
+  "displayName": "Copy as Curl",
+  "description": "Copy request as a curl command",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mountain-loop/yaak.git",
+    "directory": "plugins/action-copy-curl"
+  },
+  "private": true,
+  "version": "0.1.0",
+  "scripts": {
+    "build": "yaakcli build",
+    "dev": "yaakcli dev",
+    "test": "vitest --run tests"
+  }
+}
@@ -0,0 +1,173 @@
+import type { HttpRequest, PluginDefinition } from '@yaakapp/api';
+
+const NEWLINE = '\\\n ';
+
+export const plugin: PluginDefinition = {
+  httpRequestActions: [
+    {
+      label: 'Copy as Curl',
+      icon: 'copy',
+      async onSelect(ctx, args) {
+        const rendered_request = await ctx.httpRequest.render({
+          httpRequest: args.httpRequest,
+          purpose: 'preview',
+        });
+        const data = await convertToCurl(rendered_request);
+        await ctx.clipboard.copyText(data);
+        await ctx.toast.show({
+          message: 'Command copied to clipboard',
+          icon: 'copy',
+          color: 'success',
+        });
+      },
+    },
+  ],
+};
+
+export async function convertToCurl(request: Partial<HttpRequest>) {
+  const xs = ['curl'];
+
+  // Add method and URL all on first line
+  if (request.method) xs.push('-X', request.method);
+
+  // Build final URL with parameters (compatible with old curl)
+  let finalUrl = request.url || '';
+  const urlParams = (request.urlParameters ?? []).filter(onlyEnabled);
+  if (urlParams.length > 0) {
+    // Build url
+    const [base, hash] = finalUrl.split('#');
+    const separator = base?.includes('?') ? '&' : '?';
+    const queryString = urlParams
+      .map((p) => `${encodeURIComponent(p.name)}=${encodeURIComponent(p.value)}`)
+      .join('&');
+    finalUrl = base + separator + queryString + (hash ? `#${hash}` : '');
+  }
+
+  // Add API key authentication
+  if (request.authenticationType === 'apikey') {
+    if (request.authentication?.location === 'query') {
+      const sep = finalUrl.includes('?') ? '&' : '?';
+      finalUrl = [
+        finalUrl,
+        sep,
+        encodeURIComponent(request.authentication?.key ?? 'token'),
+        '=',
+        encodeURIComponent(request.authentication?.value ?? ''),
+      ].join('');
+    } else {
+      request.headers = request.headers ?? [];
+      request.headers.push({
+        name: request.authentication?.key ?? 'X-Api-Key',
+        value: request.authentication?.value ?? '',
+      });
+    }
+  }
+
+  xs.push(quote(finalUrl));
+  xs.push(NEWLINE);
+
+  // Add headers
+  for (const h of (request.headers ?? []).filter(onlyEnabled)) {
+    xs.push('--header', quote(`${h.name}: ${h.value}`));
+    xs.push(NEWLINE);
+  }
+
+  // Add form params
+  const type = request.bodyType ?? 'none';
+  if (
+    (type === 'multipart/form-data' || type === 'application/x-www-form-urlencoded') &&
+    Array.isArray(request.body?.form)
+  ) {
+    const flag = request.bodyType === 'multipart/form-data' ? '--form' : '--data';
+    for (const p of (request.body?.form ?? []).filter(onlyEnabled)) {
+      if (p.file) {
+        let v = `${p.name}=@${p.file}`;
+        v += p.contentType ? `;type=${p.contentType}` : '';
+        xs.push(flag, v);
+      } else {
+        xs.push(flag, quote(`${p.name}=${p.value}`));
+      }
+      xs.push(NEWLINE);
+    }
+  } else if (type === 'graphql' && typeof request.body?.query === 'string') {
+    const body = {
+      query: request.body.query || '',
+      variables: maybeParseJSON(request.body.variables, undefined),
+    };
+    xs.push('--data', quote(JSON.stringify(body)));
+    xs.push(NEWLINE);
+  } else if (type !== 'none' && typeof request.body?.text === 'string') {
+    xs.push('--data', quote(request.body.text));
+    xs.push(NEWLINE);
+  }
+
+  // Add basic/digest authentication
+  if (request.authentication?.disabled !== true) {
+    if (request.authenticationType === 'basic' || request.authenticationType === 'digest') {
+      if (request.authenticationType === 'digest') xs.push('--digest');
+      xs.push(
+        '--user',
+        quote(
+          `${request.authentication?.username ?? ''}:${request.authentication?.password ?? ''}`,
+        ),
+      );
+      xs.push(NEWLINE);
+    }
+
+    // Add bearer authentication
+    if (request.authenticationType === 'bearer') {
+      const value =
+        `${request.authentication?.prefix ?? 'Bearer'} ${request.authentication?.token ?? ''}`.trim();
+      xs.push('--header', quote(`Authorization: ${value}`));
+      xs.push(NEWLINE);
+    }
+
+    if (request.authenticationType === 'auth-aws-sig-v4') {
+      xs.push(
+        '--aws-sigv4',
+        [
+          'aws',
+          'amz',
+          request.authentication?.region ?? '',
+          request.authentication?.service ?? '',
+        ].join(':'),
+      );
+      xs.push(NEWLINE);
+      xs.push(
+        '--user',
+        quote(
+          `${request.authentication?.accessKeyId ?? ''}:${request.authentication?.secretAccessKey ?? ''}`,
+        ),
+      );
+      if (request.authentication?.sessionToken) {
+        xs.push(NEWLINE);
+        xs.push('--header', quote(`X-Amz-Security-Token: ${request.authentication.sessionToken}`));
+      }
+      xs.push(NEWLINE);
+    }
+  }
+
+  // Remove trailing newline
+  if (xs[xs.length - 1] === NEWLINE) {
+    xs.splice(xs.length - 1, 1);
+  }
+
+  return xs.join(' ');
+}
+
+function quote(arg: string): string {
+  const escaped = arg.replace(/'/g, "\\'");
+  return `'${escaped}'`;
+}
+
+function onlyEnabled(v: { name?: string; enabled?: boolean }): boolean {
+  return v.enabled !== false && !!v.name;
+}
+
+function maybeParseJSON<T>(v: string, fallback: T) {
+  try {
+    return JSON.parse(v);
+  } catch {
+    return fallback;
+  }
+}
@@ -0,0 +1,414 @@
+import { describe, expect, test } from 'vitest';
+import { convertToCurl } from '../src';
+
+describe('exporter-curl', () => {
+  test('Exports GET with params', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        urlParameters: [
+          { name: 'a', value: 'aaa' },
+          { name: 'b', value: 'bbb', enabled: true },
+          { name: 'c', value: 'ccc', enabled: false },
+        ],
+      }),
+    ).toEqual([`curl 'https://yaak.app?a=aaa&b=bbb'`].join(' \\n  '));
+  });
+
+  test('Exports GET with params and hash', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app/path#section',
+        urlParameters: [
+          { name: 'a', value: 'aaa' },
+          { name: 'b', value: 'bbb', enabled: true },
+          { name: 'c', value: 'ccc', enabled: false },
+        ],
+      }),
+    ).toEqual([`curl 'https://yaak.app/path?a=aaa&b=bbb#section'`].join(' \\n  '));
+  });
+
+  test('Exports POST with url form data', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        method: 'POST',
+        bodyType: 'application/x-www-form-urlencoded',
+        body: {
+          form: [
+            { name: 'a', value: 'aaa' },
+            { name: 'b', value: 'bbb', enabled: true },
+            { name: 'c', value: 'ccc', enabled: false },
+          ],
+        },
+      }),
+    ).toEqual(
+      [`curl -X POST 'https://yaak.app'`, `--data 'a=aaa'`, `--data 'b=bbb'`].join(' \\\n  '),
+    );
+  });
+
+  test('Exports POST with GraphQL data', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        method: 'POST',
+        bodyType: 'graphql',
+        body: {
+          query: '{foo,bar}',
+          variables: '{"a": "aaa", "b": "bbb"}',
+        },
+      }),
+    ).toEqual(
+      [
+        `curl -X POST 'https://yaak.app'`,
+        `--data '{"query":"{foo,bar}","variables":{"a":"aaa","b":"bbb"}}'`,
+      ].join(' \\\n  '),
+    );
+  });
+
+  test('Exports POST with GraphQL data no variables', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        method: 'POST',
+        bodyType: 'graphql',
+        body: {
+          query: '{foo,bar}',
+        },
+      }),
+    ).toEqual(
+      [`curl -X POST 'https://yaak.app'`, `--data '{"query":"{foo,bar}"}'`].join(' \\\n  '),
+    );
+  });
+
+  test('Exports PUT with multipart form', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        method: 'PUT',
+        bodyType: 'multipart/form-data',
+        body: {
+          form: [
+            { name: 'a', value: 'aaa' },
+            { name: 'b', value: 'bbb', enabled: true },
+            { name: 'c', value: 'ccc', enabled: false },
+            { name: 'f', file: '/foo/bar.png', contentType: 'image/png' },
+          ],
+        },
+      }),
+    ).toEqual(
+      [
+        `curl -X PUT 'https://yaak.app'`,
+        `--form 'a=aaa'`,
+        `--form 'b=bbb'`,
+        '--form f=@/foo/bar.png;type=image/png',
+      ].join(' \\\n  '),
+    );
+  });
+
+  test('Exports JSON body', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        method: 'POST',
+        bodyType: 'application/json',
+        body: {
+          text: `{"foo":"bar's"}`,
+        },
+        headers: [{ name: 'Content-Type', value: 'application/json' }],
+      }),
+    ).toEqual(
+      [
+        `curl -X POST 'https://yaak.app'`,
+        `--header 'Content-Type: application/json'`,
+        `--data '{"foo":"bar\\'s"}'`,
+      ].join(' \\\n  '),
+    );
+  });
+
+  test('Exports multi-line JSON body', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        method: 'POST',
+        bodyType: 'application/json',
+        body: {
+          text: `{"foo":"bar",\n"baz":"qux"}`,
+        },
+        headers: [{ name: 'Content-Type', value: 'application/json' }],
+      }),
+    ).toEqual(
+      [
+        `curl -X POST 'https://yaak.app'`,
+        `--header 'Content-Type: application/json'`,
+        `--data '{"foo":"bar",\n"baz":"qux"}'`,
+      ].join(' \\\n  '),
+    );
+  });
+
+  test('Exports headers', async () => {
+    expect(
+      await convertToCurl({
+        headers: [
+          { name: 'a', value: 'aaa' },
+          { name: 'b', value: 'bbb', enabled: true },
+          { name: 'c', value: 'ccc', enabled: false },
+        ],
+      }),
+    ).toEqual([`curl ''`, `--header 'a: aaa'`, `--header 'b: bbb'`].join(' \\\n  '));
+  });
+
+  test('Basic auth', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'basic',
+        authentication: {
+          username: 'user',
+          password: 'pass',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`, `--user 'user:pass'`].join(' \\\n  '));
+  });
+
+  test('Basic auth disabled', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'basic',
+        authentication: {
+          disabled: true,
+          username: 'user',
+          password: 'pass',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`].join(' \\\n  '));
+  });
+
+  test('Broken basic auth', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'basic',
+        authentication: {},
+      }),
+    ).toEqual([`curl 'https://yaak.app'`, `--user ':'`].join(' \\\n  '));
+  });
+
+  test('Digest auth', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'digest',
+        authentication: {
+          username: 'user',
+          password: 'pass',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`, `--digest --user 'user:pass'`].join(' \\\n  '));
+  });
+
+  test('Bearer auth', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'bearer',
+        authentication: {
+          token: 'tok',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`, `--header 'Authorization: Bearer tok'`].join(' \\\n  '));
+  });
+
+  test('Bearer auth with custom prefix', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'bearer',
+        authentication: {
+          token: 'abc123',
+          prefix: 'Token',
+        },
+      }),
+    ).toEqual(
+      [`curl 'https://yaak.app'`, `--header 'Authorization: Token abc123'`].join(' \\\n  '),
+    );
+  });
+
+  test('Bearer auth with empty prefix', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'bearer',
+        authentication: {
+          token: 'xyz789',
+          prefix: '',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`, `--header 'Authorization: xyz789'`].join(' \\\n  '));
+  });
+
+  test('Broken bearer auth', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'bearer',
+        authentication: {
+          username: 'user',
+          password: 'pass',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`, `--header 'Authorization: Bearer'`].join(' \\\n  '));
+  });
+
+  test('AWS v4 auth', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'auth-aws-sig-v4',
+        authentication: {
+          accessKeyId: 'ak',
+          secretAccessKey: 'sk',
+          sessionToken: '',
+          region: 'us-east-1',
+          service: 's3',
+        },
+      }),
+    ).toEqual(
+      [`curl 'https://yaak.app'`, '--aws-sigv4 aws:amz:us-east-1:s3', `--user 'ak:sk'`].join(
+        ' \\\n  ',
+      ),
+    );
+  });
+
+  test('AWS v4 auth with session', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'auth-aws-sig-v4',
+        authentication: {
+          accessKeyId: 'ak',
+          secretAccessKey: 'sk',
+          sessionToken: 'st',
+          region: 'us-east-1',
+          service: 's3',
+        },
+      }),
+    ).toEqual(
+      [
+        `curl 'https://yaak.app'`,
+        '--aws-sigv4 aws:amz:us-east-1:s3',
+        `--user 'ak:sk'`,
+        `--header 'X-Amz-Security-Token: st'`,
+      ].join(' \\\n  '),
+    );
+  });
+
+  test('API key auth header', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'header',
+          key: 'X-Header',
+          value: 'my-token',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`, `--header 'X-Header: my-token'`].join(' \\\n  '));
+  });
+
+  test('API key auth header query', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app?hi=there',
+        urlParameters: [{ name: 'param', value: 'hi' }],
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'query',
+          key: 'foo',
+          value: 'bar',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app?hi=there&param=hi&foo=bar'`].join(' \\\n  '));
+  });
+
+  test('API key auth header query with params', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        urlParameters: [{ name: 'param', value: 'hi' }],
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'query',
+          key: 'foo',
+          value: 'bar',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app?param=hi&foo=bar'`].join(' \\\n  '));
+  });
+
+  test('API key auth header default', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'header',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`, `--header 'X-Api-Key: '`].join(' \\\n  '));
+  });
+
+  test('API key auth query', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'query',
+          key: 'foo',
+          value: 'bar-baz',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app?foo=bar-baz'`].join(' \\\n  '));
+  });
+
+  test('API key auth query with existing', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app?foo=bar&baz=qux',
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'query',
+          key: 'hi',
+          value: 'there',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app?foo=bar&baz=qux&hi=there'`].join(' \\\n  '));
+  });
+
+  test('API key auth query default', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app?foo=bar&baz=qux',
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'query',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app?foo=bar&baz=qux&token='`].join(' \\\n  '));
+  });
+
+  test('Stale body data', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        bodyType: 'none',
+        body: {
+          text: 'ignore me',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`].join(' \\\n  '));
+  });
+});
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
@@ -0,0 +1,76 @@
+# Copy as gRPCurl
+
+An HTTP request action plugin that converts gRPC requests
+into [gRPCurl](https://github.com/fullstorydev/grpcurl) commands, enabling easy sharing,
+debugging, and execution of gRPC calls outside Yaak.
+
+![Screenshot of context menu](screenshot.png)
+
+## Overview
+
+This plugin adds a "Copy as gRPCurl" action to gRPC requests, converting any gRPC request
+into its equivalent executable command. This is useful for debugging gRPC services,
+sharing requests with team members, or executing gRPC calls in terminal environments where
+`grpcurl` is available.
+
+## How It Works
+
+The plugin analyzes your gRPC request configuration and generates a properly formatted
+`grpcurl` command that includes:
+
+- gRPC service and method names
+- Server address and port
+- Request message data (JSON format)
+- Metadata (headers)
+- Authentication credentials
+- Protocol buffer definitions
+
+## Usage
+
+1. Configure a gRPC request as usual in Yaak
+2. Right-click on the request sidebar item
+3. Select "Copy as gRPCurl" from the available actions
+4. The command is copied to your clipboard
+5. Share or execute the command
+
+## Generated gRPCurl Examples
+
+### Simple Unary Call
+
+
+```bash
+grpcurl -plaintext \
+  -d '{"name": "John Doe"}' \
+  localhost:9090 \
+  user.UserService/GetUser
+```
+
+### Call with Metadata
+
+```bash
+grpcurl -plaintext \
+  -H "authorization: Bearer my-token" \
+  -H "x-api-version: v1" \
+  -d '{"user_id": "12345"}' \
+  api.example.com:443 \
+  user.UserService/GetUserProfile
+```
+
+### Call with TLS
+
+```bash
+grpcurl \
+  -d '{"query": "search term"}' \
+  secure-api.example.com:443 \
+  search.SearchService/Search
+```
+
+### Call with Proto Files
+
+```bash
+grpcurl -import-path /path/to/protos \
+  -proto /other/path/to/user.proto \
+  -d '{"email": "user@example.com"}' \
+  localhost:9090 \
+  user.UserService/CreateUser
+```
@@ -0,0 +1,17 @@
+{
+  "name": "@yaak/action-copy-grpcurl",
+  "displayName": "Copy as gRPCurl",
+  "description": "Copy gRPC request as a grpcurl command",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mountain-loop/yaak.git",
+    "directory": "plugins/action-copy-grpcurl"
+  },
+  "private": true,
+  "version": "0.1.0",
+  "scripts": {
+    "build": "yaakcli build",
+    "dev": "yaakcli dev",
+    "test": "vitest --run tests"
+  }
+}
@@ -0,0 +1,155 @@
+import path from 'node:path';
+import type { GrpcRequest, PluginDefinition } from '@yaakapp/api';
+
+const NEWLINE = '\\\n ';
+
+export const plugin: PluginDefinition = {
+  grpcRequestActions: [
+    {
+      label: 'Copy as gRPCurl',
+      icon: 'copy',
+      async onSelect(ctx, args) {
+        const rendered_request = await ctx.grpcRequest.render({
+          grpcRequest: args.grpcRequest,
+          purpose: 'preview',
+        });
+        const data = await convert(rendered_request, args.protoFiles);
+        await ctx.clipboard.copyText(data);
+        await ctx.toast.show({
+          message: 'Command copied to clipboard',
+          icon: 'copy',
+          color: 'success',
+        });
+      },
+    },
+  ],
+};
+
+export async function convert(request: Partial<GrpcRequest>, allProtoFiles: string[]) {
+  const xs = ['grpcurl'];
+
+  if (request.url?.startsWith('http://')) {
+    xs.push('-plaintext');
+  }
+
+  const protoIncludes = allProtoFiles.filter((f) => !f.endsWith('.proto'));
+  const protoFiles = allProtoFiles.filter((f) => f.endsWith('.proto'));
+
+  const inferredIncludes = new Set<string>();
+  for (const f of protoFiles) {
+    const protoDir = findParentProtoDir(f);
+    if (protoDir) {
+      inferredIncludes.add(protoDir);
+    } else {
+      inferredIncludes.add(path.posix.join(f, '..'));
+      inferredIncludes.add(path.posix.join(f, '..', '..'));
+    }
+  }
+
+  for (const f of protoIncludes) {
+    xs.push('-import-path', quote(f));
+    xs.push(NEWLINE);
+  }
+
+  for (const f of inferredIncludes.values()) {
+    xs.push('-import-path', quote(f));
+    xs.push(NEWLINE);
+  }
+
+  for (const f of protoFiles) {
+    xs.push('-proto', quote(f));
+    xs.push(NEWLINE);
+  }
+
+  // Add headers
+  for (const h of (request.metadata ?? []).filter(onlyEnabled)) {
+    xs.push('-H', quote(`${h.name}: ${h.value}`));
+    xs.push(NEWLINE);
+  }
+
+  // Add basic authentication
+  if (request.authentication?.disabled !== true) {
+    if (request.authenticationType === 'basic') {
+      const user = request.authentication?.username ?? '';
+      const pass = request.authentication?.password ?? '';
+      const encoded = btoa(`${user}:${pass}`);
+      xs.push('-H', quote(`Authorization: Basic ${encoded}`));
+      xs.push(NEWLINE);
+    } else if (request.authenticationType === 'bearer') {
+      // Add bearer authentication
+      xs.push('-H', quote(`Authorization: Bearer ${request.authentication?.token ?? ''}`));
+      xs.push(NEWLINE);
+    } else if (request.authenticationType === 'apikey') {
+      if (request.authentication?.location === 'query') {
+        const sep = request.url?.includes('?') ? '&' : '?';
+        request.url = [
+          request.url,
+          sep,
+          encodeURIComponent(request.authentication?.key ?? 'token'),
+          '=',
+          encodeURIComponent(request.authentication?.value ?? ''),
+        ].join('');
+      } else {
+        xs.push(
+          '-H',
+          quote(
+            `${request.authentication?.key ?? 'X-Api-Key'}: ${request.authentication?.value ?? ''}`,
+          ),
+        );
+      }
+      xs.push(NEWLINE);
+    }
+  }
+
+  // Add form params
+  if (request.message) {
+    xs.push('-d', `${quote(JSON.stringify(JSON.parse(request.message)))}`);
+    xs.push(NEWLINE);
+  }
+
+  // Add the server address
+  if (request.url) {
+    const server = request.url.replace(/^https?:\/\//, ''); // remove protocol
+    xs.push(server);
+    xs.push(NEWLINE);
+  }
+
+  // Add service + method
+  if (request.service && request.method) {
+    xs.push(`${request.service}/${request.method}`);
+    xs.push(NEWLINE);
+  }
+
+  // Remove trailing newline
+  if (xs[xs.length - 1] === NEWLINE) {
+    xs.splice(xs.length - 1, 1);
+  }
+
+  return xs.join(' ');
+}
+
+function quote(arg: string): string {
+  const escaped = arg.replace(/'/g, "\\'");
+  return `'${escaped}'`;
+}
+
+function onlyEnabled(v: { name?: string; enabled?: boolean }): boolean {
+  return v.enabled !== false && !!v.name;
+}
+
+function findParentProtoDir(startPath: string): string | null {
+  let dir = path.resolve(startPath);
+
+  while (true) {
+    if (path.basename(dir) === 'proto') {
+      return dir;
+    }
+
+    const parent = path.dirname(dir);
+    if (parent === dir) {
+      return null; // Reached root
+    }
+
+    dir = parent;
+  }
+}
@@ -0,0 +1,159 @@
+import { describe, expect, test } from 'vitest';
+import { convert } from '../src';
+
+describe('exporter-curl', () => {
+  test('Simple example', async () => {
+    expect(
+      await convert(
+        {
+          url: 'https://yaak.app',
+        },
+        [],
+      ),
+    ).toEqual(['grpcurl yaak.app'].join(' \\\n  '));
+  });
+  test('Basic metadata', async () => {
+    expect(
+      await convert(
+        {
+          url: 'https://yaak.app',
+          metadata: [
+            { name: 'aaa', value: 'AAA' },
+            { enabled: true, name: 'bbb', value: 'BBB' },
+            { enabled: false, name: 'disabled', value: 'ddd' },
+          ],
+        },
+        [],
+      ),
+    ).toEqual([`grpcurl -H 'aaa: AAA'`, `-H 'bbb: BBB'`, 'yaak.app'].join(' \\\n  '));
+  });
+  test('Basic auth', async () => {
+    expect(
+      await convert(
+        {
+          url: 'https://yaak.app',
+          authenticationType: 'basic',
+          authentication: {
+            username: 'user',
+            password: 'pass',
+          },
+        },
+        [],
+      ),
+    ).toEqual([`grpcurl -H 'Authorization: Basic dXNlcjpwYXNz'`, 'yaak.app'].join(' \\\n  '));
+  });
+
+  test('API key auth', async () => {
+    expect(
+      await convert(
+        {
+          url: 'https://yaak.app',
+          authenticationType: 'apikey',
+          authentication: {
+            key: 'X-Token',
+            value: 'tok',
+          },
+        },
+        [],
+      ),
+    ).toEqual([`grpcurl -H 'X-Token: tok'`, 'yaak.app'].join(' \\\n  '));
+  });
+
+  test('API key auth', async () => {
+    expect(
+      await convert(
+        {
+          url: 'https://yaak.app',
+          authenticationType: 'apikey',
+          authentication: {
+            location: 'query',
+            key: 'token',
+            value: 'tok 1',
+          },
+        },
+        [],
+      ),
+    ).toEqual(['grpcurl', 'yaak.app?token=tok%201'].join(' \\\n  '));
+  });
+
+  test('Single proto file', async () => {
+    expect(await convert({ url: 'https://yaak.app' }, ['/foo/bar/baz.proto'])).toEqual(
+      [
+        `grpcurl -import-path '/foo/bar'`,
+        `-import-path '/foo'`,
+        `-proto '/foo/bar/baz.proto'`,
+        'yaak.app',
+      ].join(' \\\n  '),
+    );
+  });
+  test('Multiple proto files, same dir', async () => {
+    expect(
+      await convert({ url: 'https://yaak.app' }, ['/foo/bar/aaa.proto', '/foo/bar/bbb.proto']),
+    ).toEqual(
+      [
+        `grpcurl -import-path '/foo/bar'`,
+        `-import-path '/foo'`,
+        `-proto '/foo/bar/aaa.proto'`,
+        `-proto '/foo/bar/bbb.proto'`,
+        'yaak.app',
+      ].join(' \\\n  '),
+    );
+  });
+  test('Multiple proto files, different dir', async () => {
+    expect(
+      await convert({ url: 'https://yaak.app' }, ['/aaa/bbb/ccc.proto', '/xxx/yyy/zzz.proto']),
+    ).toEqual(
+      [
+        `grpcurl -import-path '/aaa/bbb'`,
+        `-import-path '/aaa'`,
+        `-import-path '/xxx/yyy'`,
+        `-import-path '/xxx'`,
+        `-proto '/aaa/bbb/ccc.proto'`,
+        `-proto '/xxx/yyy/zzz.proto'`,
+        'yaak.app',
+      ].join(' \\\n  '),
+    );
+  });
+  test('Single include dir', async () => {
+    expect(await convert({ url: 'https://yaak.app' }, ['/aaa/bbb'])).toEqual(
+      [`grpcurl -import-path '/aaa/bbb'`, 'yaak.app'].join(' \\\n  '),
+    );
+  });
+  test('Multiple include dir', async () => {
+    expect(await convert({ url: 'https://yaak.app' }, ['/aaa/bbb', '/xxx/yyy'])).toEqual(
+      [`grpcurl -import-path '/aaa/bbb'`, `-import-path '/xxx/yyy'`, 'yaak.app'].join(' \\\n  '),
+    );
+  });
+  test('Mixed proto and dirs', async () => {
+    expect(
+      await convert({ url: 'https://yaak.app' }, ['/aaa/bbb', '/xxx/yyy', '/foo/bar.proto']),
+    ).toEqual(
+      [
+        `grpcurl -import-path '/aaa/bbb'`,
+        `-import-path '/xxx/yyy'`,
+        `-import-path '/foo'`,
+        `-import-path '/'`,
+        `-proto '/foo/bar.proto'`,
+        'yaak.app',
+      ].join(' \\\n  '),
+    );
+  });
+  test('Sends data', async () => {
+    expect(
+      await convert(
+        {
+          url: 'https://yaak.app',
+          message: JSON.stringify({ foo: 'bar', baz: 1.0 }, null, 2),
+        },
+        ['/foo.proto'],
+      ),
+    ).toEqual(
+      [
+        `grpcurl -import-path '/'`,
+        `-proto '/foo.proto'`,
+        `-d '{"foo":"bar","baz":1}'`,
+        'yaak.app',
+      ].join(' \\\n  '),
+    );
+  });
+});
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
@@ -0,0 +1,16 @@
+{
+  "name": "@yaak/auth-apikey",
+  "displayName": "API Key Authentication",
+  "description": "Authenticate requests using an API key",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mountain-loop/yaak.git",
+    "directory": "plugins/auth-apikey"
+  },
+  "private": true,
+  "version": "0.1.0",
+  "scripts": {
+    "build": "yaakcli build",
+    "dev": "yaakcli dev"
+  }
+}
@@ -0,0 +1,54 @@
+import type { PluginDefinition } from '@yaakapp/api';
+
+export const plugin: PluginDefinition = {
+  authentication: {
+    name: 'apikey',
+    label: 'API Key',
+    shortLabel: 'API Key',
+    args: [
+      {
+        type: 'select',
+        name: 'location',
+        label: 'Behavior',
+        defaultValue: 'header',
+        options: [
+          { label: 'Insert Header', value: 'header' },
+          { label: 'Append Query Parameter', value: 'query' },
+        ],
+      },
+      {
+        type: 'text',
+        name: 'key',
+        label: 'Key',
+        dynamic: (_ctx, { values }) => {
+          return values.location === 'query'
+            ? {
+                label: 'Parameter Name',
+                description: 'The name of the query parameter to add to the request',
+              }
+            : {
+                label: 'Header Name',
+                description: 'The name of the header to add to the request',
+              };
+        },
+      },
+      {
+        type: 'text',
+        name: 'value',
+        label: 'API Key',
+        optional: true,
+        password: true,
+      },
+    ],
+    async onApply(_ctx, { values }) {
+      const key = String(values.key ?? '');
+      const value = String(values.value ?? '');
+      const location = String(values.location);
+
+      if (location === 'query') {
+        return { setQueryParameters: [{ name: key, value }] };
+      }
+      return { setHeaders: [{ name: key, value }] };
+    },
+  },
+};
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
@@ -0,0 +1,49 @@
+# AWS Signature Version 4 Auth
+
+A plugin for authenticating AWS-compatible requests using the
+[AWS Signature Version 4 signing process](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html).  
+This enables secure, signed requests to AWS services (or any S3-compatible APIs like
+Cloudflare R2).
+
+![Screenshot of AWS SigV4 UI](screenshot.png)
+
+## Overview
+
+This plugin provides AWS Signature authentication for API requests in Yaak. SigV4 is used
+by nearly all AWS APIs to verify the authenticity and integrity of requests using
+cryptographic signatures.
+
+With this plugin, you can securely sign requests to AWS services such as S3, STS, Lambda,
+API Gateway, DynamoDB, and more. You can also authenticate against S3-compatible services
+like **Cloudflare R2**, **MinIO**, or **Wasabi**.
+
+## How AWS Signature Version 4 Works
+
+SigV4 signs requests by creating a hash of key request components (method, URL, headers,
+and optionally the payload) using your AWS credentials. The resulting HMAC signature is
+added in the `Authorization` header along with credential scope metadata.
+
+Example header:
+
+```
+Authorization: AWS4-HMAC-SHA256 Credential=AKIA…/20251011/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=abcdef123456…
+```
+
+Each request must include a timestamp (`X-Amz-Date`) and may include a session token if
+using temporary credentials.
+
+## Configuration
+
+The plugin presents the following fields:
+
+- **Access Key ID** – Your AWS access key identifier
+- **Secret Access Key** – The secret associated with the access key
+- **Session Token** *(optional)* – Used for temporary or assumed-role credentials (treated as secret)
+- **Region** – AWS region (e.g., `us-east-1`)
+- **Service** – AWS service identifier (e.g., `sts`, `s3`, `execute-api`)
+
+## Usage
+
+1. Configure a request, folder, or workspace to use **AWS SigV4 Authentication**
+2. Enter your AWS credentials and target service/region
+3. The plugin will automatically sign outgoing requests with valid SigV4 headers
@@ -0,0 +1,22 @@
+{
+  "name": "@yaak/auth-aws",
+  "displayName": "AWS SigV4",
+  "description": "Authenticate requests using AWS SigV4 signing",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mountain-loop/yaak.git",
+    "directory": "plugins/auth-aws"
+  },
+  "private": true,
+  "version": "0.1.0",
+  "scripts": {
+    "build": "yaakcli build",
+    "dev": "yaakcli dev"
+  },
+  "dependencies": {
+    "aws4": "^1.13.2"
+  },
+  "devDependencies": {
+    "@types/aws4": "^1.11.6"
+  }
+}
@@ -0,0 +1,88 @@
+import { URL } from 'node:url';
+import type { PluginDefinition } from '@yaakapp/api';
+import type { CallHttpAuthenticationResponse } from '@yaakapp-internal/plugins';
+import type { Request } from 'aws4';
+import aws4 from 'aws4';
+
+export const plugin: PluginDefinition = {
+  authentication: {
+    name: 'awsv4',
+    label: 'AWS Signature',
+    shortLabel: 'AWS v4',
+    args: [
+      { name: 'accessKeyId', label: 'Access Key ID', type: 'text', password: true },
+      {
+        name: 'secretAccessKey',
+        label: 'Secret Access Key',
+        type: 'text',
+        password: true,
+      },
+      {
+        name: 'service',
+        label: 'Service Name',
+        type: 'text',
+        defaultValue: 'sts',
+        placeholder: 'sts',
+        description: 'The service that is receiving the request (sts, s3, sqs, ...)',
+      },
+      {
+        name: 'region',
+        label: 'Region',
+        type: 'text',
+        placeholder: 'us-east-1',
+        description: 'The region that is receiving the request (defaults to us-east-1)',
+        optional: true,
+      },
+      {
+        name: 'sessionToken',
+        label: 'Session Token',
+        type: 'text',
+        password: true,
+        optional: true,
+        description: 'Only required if you are using temporary credentials',
+      },
+    ],
+    onApply(_ctx, { values, ...args }): CallHttpAuthenticationResponse {
+      const accessKeyId = String(values.accessKeyId || '');
+      const secretAccessKey = String(values.secretAccessKey || '');
+      const sessionToken = String(values.sessionToken || '') || undefined;
+
+      const url = new URL(args.url);
+
+      const headers: NonNullable<Request['headers']> = {};
+      for (const headerName of ['content-type', 'host', 'x-amz-date', 'x-amz-security-token']) {
+        const v = args.headers.find((h) => h.name.toLowerCase() === headerName);
+        if (v != null) {
+          headers[headerName] = v.value;
+        }
+      }
+
+      const signature = aws4.sign(
+        {
+          host: url.host,
+          method: args.method,
+          path: url.pathname + (url.search || ''),
+          service: String(values.service || 'sts'),
+          region: values.region ? String(values.region) : undefined,
+          headers,
+          doNotEncodePath: true,
+        },
+        {
+          accessKeyId,
+          secretAccessKey,
+          sessionToken,
+        },
+      );
+
+      if (signature.headers == null) {
+        return {};
+      }
+
+      return {
+        setHeaders: Object.entries(signature.headers)
+          .filter(([name]) => name !== 'content-type') // Don't add this because we already have it
+          .map(([name, value]) => ({ name, value: String(value || '') })),
+      };
+    },
+  },
+};
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
@@ -0,0 +1,44 @@
+# Basic Authentication 
+
+A simple Basic Authentication plugin that implements HTTP Basic Auth according
+to [RFC 7617](https://datatracker.ietf.org/doc/html/rfc7617), enabling secure
+authentication with username and password credentials.
+
+![Screenshot of basic auth UI](screenshot.png)
+
+## Overview
+
+This plugin provides HTTP Basic Authentication support for API requests in Yaak. Basic
+Auth is one of the most widely supported authentication methods, making it ideal for APIs
+that require simple username/password authentication without the complexity of OAuth
+flows.
+
+## How Basic Authentication Works
+
+Basic Authentication encodes your username and password credentials using Base64 encoding
+and sends them in the `Authorization` header with each request. The format is:
+
+```
+Authorization: Basic <base64-encoded-credentials>
+```
+
+Where `<base64-encoded-credentials>` is the Base64 encoding of `username:password`.
+
+## Configuration
+
+The plugin presents two fields:
+
+- **Username**: Username or user identifier
+- **Password**: Password or authentication token
+
+## Usage
+
+1. Configure the request, folder, or workspace to use Basic Authentication
+2. Enter your username and password in the authentication configuration
+3. The plugin will automatically add the proper `Authorization` header to your requests
+
+## Troubleshooting
+
+- **401 Unauthorized**: Verify your username and password are correct
+- **403 Forbidden**: Check if your account has the necessary permissions
+- **Connection Issues**: Ensure you're using HTTPS for secure transmission
@@ -1,9 +1,16 @@
 {
-  "name": "@yaakapp/auth-basic",
+  "name": "@yaak/auth-basic",
+  "displayName": "Basic Authentication",
+  "description": "Authenticate requests using Basic Auth",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mountain-loop/yaak.git",
+    "directory": "plugins/auth-basic"
+  },
  "private": true,
-  "version": "0.0.1",
+  "version": "0.1.0",
  "scripts": {
-    "build": "yaakcli build ./src/index.ts",
-    "dev": "yaakcli dev ./src/index.js"
+    "build": "yaakcli build",
+    "dev": "yaakcli dev"
  }
 }
@@ -1,25 +1,28 @@
-import { PluginDefinition } from '@yaakapp/api';
+import type { PluginDefinition } from '@yaakapp/api';

 export const plugin: PluginDefinition = {
  authentication: {
    name: 'basic',
    label: 'Basic Auth',
    shortLabel: 'Basic',
-    args: [{
-      type: 'text',
-      name: 'username',
-      label: 'Username',
-      optional: true,
-    }, {
-      type: 'text',
-      name: 'password',
-      label: 'Password',
-      optional: true,
-      password: true,
-    }],
+    args: [
+      {
+        type: 'text',
+        name: 'username',
+        label: 'Username',
+        optional: true,
+      },
+      {
+        type: 'text',
+        name: 'password',
+        label: 'Password',
+        optional: true,
+        password: true,
+      },
+    ],
    async onApply(_ctx, { values }) {
      const { username, password } = values;
-      const value = 'Basic ' + Buffer.from(`${username}:${password}`).toString('base64');
+      const value = `Basic ${Buffer.from(`${username}:${password}`).toString('base64')}`;
      return { setHeaders: [{ name: 'Authorization', value }] };
    },
  },
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
@@ -0,0 +1,47 @@
+# Bearer Token Authentication Plugin
+
+A Bearer Token authentication plugin for Yaak that
+implements [RFC 6750](https://datatracker.ietf.org/doc/html/rfc6750), enabling secure API
+access using tokens, API keys, and other bearer credentials.
+
+![Screenshot of bearer auth UI](screenshot.png)
+
+## Overview
+
+This plugin provides Bearer Token authentication support for your API requests in Yaak.
+Bearer Token authentication is widely used in modern APIs, especially those following REST
+principles and OAuth 2.0 standards. It's the preferred method for APIs that issue access
+tokens, API keys, or other bearer credentials.
+
+## How Bearer Token Authentication Works
+
+Bearer Token authentication sends your token in the `Authorization` header with each
+request using the Bearer scheme:
+
+```
+Authorization: Bearer <your-token>
+```
+
+The token is transmitted as-is without any additional encoding, making it simple and
+efficient for API authentication.
+
+## Configuration
+
+The plugin requires only one field:
+
+- **Token**: Your bearer token, access token, API key, or other credential
+- **Prefix**: The prefix to use for the Authorization header, which will be of the
+  format "<PREFIX> <TOKEN>"
+
+## Usage
+
+1. Configure the request, folder, or workspace to use Bearer Authentication
+2. Enter the token and optional prefix in the authentication configuration
+3. The plugin will automatically add the proper `Authorization` header to your requests
+
+## Troubleshooting
+
+- **401 Unauthorized**: Verify your token is valid and not expired
+- **403 Forbidden**: Check if your token has the necessary permissions/scopes
+- **Invalid Token Format**: Ensure you're using the complete token without truncation
+- **Token Expiration**: Refresh or regenerate expired tokens
@@ -1,9 +1,17 @@
 {
-  "name": "@yaakapp/auth-bearer",
+  "name": "@yaak/auth-bearer",
+  "displayName": "Bearer Authentication",
+  "description": "Authenticate requests using bearer authentication",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mountain-loop/yaak.git",
+    "directory": "plugins/auth-bearer"
+  },
  "private": true,
-  "version": "0.0.1",
+  "version": "0.1.0",
  "scripts": {
-    "build": "yaakcli build ./src/index.ts",
-    "dev": "yaakcli dev ./src/index.js"
+    "build": "yaakcli build",
+    "dev": "yaakcli dev",
+    "test": "vitest --run tests"
  }
 }
@@ -1,21 +1,39 @@
-import { PluginDefinition } from '@yaakapp/api';
+import type { PluginDefinition } from '@yaakapp/api';
+import type { CallHttpAuthenticationRequest } from '@yaakapp-internal/plugins';

 export const plugin: PluginDefinition = {
  authentication: {
    name: 'bearer',
    label: 'Bearer Token',
    shortLabel: 'Bearer',
-    args: [{
-      type: 'text',
-      name: 'token',
-      label: 'Token',
-      optional: true,
-      password: true,
-    }],
+    args: [
+      {
+        type: 'text',
+        name: 'token',
+        label: 'Token',
+        optional: true,
+        password: true,
+      },
+      {
+        type: 'text',
+        name: 'prefix',
+        label: 'Prefix',
+        optional: true,
+        placeholder: '',
+        defaultValue: 'Bearer',
+        description:
+          'The prefix to use for the Authorization header, which will be of the format "<PREFIX> <TOKEN>".',
+      },
+    ],
    async onApply(_ctx, { values }) {
-      const { token } = values;
-      const value = `Bearer ${token}`.trim();
-      return { setHeaders: [{ name: 'Authorization', value }] };
+      return { setHeaders: [generateAuthorizationHeader(values)] };
    },
  },
 };
+
+function generateAuthorizationHeader(values: CallHttpAuthenticationRequest['values']) {
+  const token = String(values.token || '').trim();
+  const prefix = String(values.prefix || '').trim();
+  const value = `${prefix} ${token}`.trim();
+  return { name: 'Authorization', value };
+}
@@ -0,0 +1,67 @@
+import type { Context } from '@yaakapp/api';
+import { describe, expect, test } from 'vitest';
+import { plugin } from '../src';
+
+const ctx = {} as Context;
+
+describe('auth-bearer', () => {
+  test('No values', async () => {
+    expect(
+      await plugin.authentication?.onApply(ctx, {
+        values: {},
+        headers: [],
+        url: 'https://yaak.app',
+        method: 'POST',
+        contextId: '111',
+      }),
+    ).toEqual({ setHeaders: [{ name: 'Authorization', value: '' }] });
+  });
+
+  test('Only token', async () => {
+    expect(
+      await plugin.authentication?.onApply(ctx, {
+        values: { token: 'my-token' },
+        headers: [],
+        url: 'https://yaak.app',
+        method: 'POST',
+        contextId: '111',
+      }),
+    ).toEqual({ setHeaders: [{ name: 'Authorization', value: 'my-token' }] });
+  });
+
+  test('Only prefix', async () => {
+    expect(
+      await plugin.authentication?.onApply(ctx, {
+        values: { prefix: 'Hello' },
+        headers: [],
+        url: 'https://yaak.app',
+        method: 'POST',
+        contextId: '111',
+      }),
+    ).toEqual({ setHeaders: [{ name: 'Authorization', value: 'Hello' }] });
+  });
+
+  test('Prefix and token', async () => {
+    expect(
+      await plugin.authentication?.onApply(ctx, {
+        values: { prefix: 'Hello', token: 'my-token' },
+        headers: [],
+        url: 'https://yaak.app',
+        method: 'POST',
+        contextId: '111',
+      }),
+    ).toEqual({ setHeaders: [{ name: 'Authorization', value: 'Hello my-token' }] });
+  });
+
+  test('Extra spaces', async () => {
+    expect(
+      await plugin.authentication?.onApply(ctx, {
+        values: { prefix: '\t Hello  ', token: ' \nmy-token  ' },
+        headers: [],
+        url: 'https://yaak.app',
+        method: 'POST',
+        contextId: '111',
+      }),
+    ).toEqual({ setHeaders: [{ name: 'Authorization', value: 'Hello my-token' }] });
+  });
+});
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
@@ -0,0 +1,53 @@
+# JSON Web Token (JWT) Authentication
+
+A [JSON Web Token](https://datatracker.ietf.org/doc/html/rfc7519) (JWT) authentication
+plugin that supports token generation, signing, and automatic header management.
+
+![Screenshot of JWT auth UI](screenshot.png)
+
+## Overview
+
+This plugin provides JWT authentication support for API requests. JWT is a compact,
+URL-safe means of representing claims between two parties, commonly used for
+authentication and information exchange in modern web applications and APIs.
+
+## How JWT Authentication Works
+
+JWT authentication involves creating a signed token containing claims about the user or
+application. The token is sent in the `Authorization` header:
+
+```
+Authorization: Bearer <jwt-token>
+```
+
+A JWT consists of three parts separated by dots:
+
+- **Header**: Contains the token type and signing algorithm
+- **Payload**: Contains the claims (user data, permissions, expiration, etc.)
+- **Signature**: Ensures the token hasn't been tampered with
+
+## Usage
+
+1. Configure the request, folder, or workspace to use JWT Authentication
+2. Set up your signing algorithm and secret/key
+3. Configure the required claims for your JWT
+4. The plugin will generate, sign, and include the JWT in your requests
+
+## Common Use Cases
+
+JWT authentication is commonly used for:
+
+- **Microservices Authentication**: Service-to-service communication
+- **API Gateway Integration**: Authenticating with API gateways
+- **Single Sign-On (SSO)**: Sharing authentication across applications
+- **Stateless Authentication**: No server-side session storage required
+- **Mobile App APIs**: Secure authentication for mobile applications
+- **Third-party Integrations**: Authenticating with external services
+
+## Troubleshooting
+
+- **Invalid Signature**: Check your secret/key and algorithm configuration
+- **Token Expired**: Verify expiration time settings
+- **Invalid Claims**: Ensure required claims are properly configured
+- **Algorithm Mismatch**: Verify the algorithm matches what the API expects
+- **Key Format Issues**: Ensure RSA keys are in the correct PEM format
@@ -1,10 +1,17 @@
 {
-  "name": "@yaakapp/auth-jwt",
+  "name": "@yaak/auth-jwt",
+  "displayName": "JSON Web Tokens",
+  "description": "Authenticate requests using JSON web tokens (JWT)",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mountain-loop/yaak.git",
+    "directory": "plugins/auth-jwt"
+  },
  "private": true,
-  "version": "0.0.1",
+  "version": "0.1.0",
  "scripts": {
-    "build": "yaakcli build ./src/index.ts",
-    "dev": "yaakcli dev ./src/index.js"
+    "build": "yaakcli build",
+    "dev": "yaakcli dev"
  },
  "dependencies": {
    "jsonwebtoken": "^9.0.2"
@@ -1,4 +1,4 @@
-import { PluginDefinition } from '@yaakapp/api';
+import type { PluginDefinition } from '@yaakapp/api';
 import jwt from 'jsonwebtoken';

 const algorithms = [
@@ -20,49 +20,100 @@ const algorithms = [
 const defaultAlgorithm = algorithms[0];

 export const plugin: PluginDefinition = {
-    authentication: {
-      name: 'jwt',
-      label: 'JWT Bearer',
-      shortLabel: 'JWT',
-      args: [
-        {
-          type: 'select',
-          name: 'algorithm',
-          label: 'Algorithm',
-          hideLabel: true,
-          defaultValue: defaultAlgorithm,
-          options: algorithms.map(value => ({ label: value === 'none' ? 'None' : value, value })),
+  authentication: {
+    name: 'jwt',
+    label: 'JWT Bearer',
+    shortLabel: 'JWT',
+    args: [
+      {
+        type: 'select',
+        name: 'algorithm',
+        label: 'Algorithm',
+        hideLabel: true,
+        defaultValue: defaultAlgorithm,
+        options: algorithms.map((value) => ({ label: value === 'none' ? 'None' : value, value })),
+      },
+      {
+        type: 'text',
+        name: 'secret',
+        label: 'Secret or Private Key',
+        password: true,
+        optional: true,
+        multiLine: true,
+      },
+      {
+        type: 'checkbox',
+        name: 'secretBase64',
+        label: 'Secret is base64 encoded',
+      },
+      {
+        type: 'select',
+        name: 'location',
+        label: 'Behavior',
+        defaultValue: 'header',
+        options: [
+          { label: 'Insert Header', value: 'header' },
+          { label: 'Append Query Parameter', value: 'query' },
+        ],
+      },
+      {
+        type: 'text',
+        name: 'name',
+        label: 'Header Name',
+        defaultValue: 'Authorization',
+        optional: true,
+        dynamic(_ctx, args) {
+          if (args.values.location === 'query') {
+            return {
+              label: 'Parameter Name',
+              description: 'The name of the query parameter to add to the request',
+            };
+          }
+          return {
+            label: 'Header Name',
+            description: 'The name of the header to add to the request',
+          };
        },
-        {
-          type: 'text',
-          name: 'secret',
-          label: 'Secret or Private Key',
-          password: true,
-          optional: true,
-          multiLine: true,
+      },
+      {
+        type: 'text',
+        name: 'headerPrefix',
+        label: 'Header Prefix',
+        optional: true,
+        defaultValue: 'Bearer',
+        dynamic(_ctx, args) {
+          if (args.values.location === 'query') {
+            return {
+              hidden: true,
+            };
+          }
        },
-        {
-          type: 'checkbox',
-          name: 'secretBase64',
-          label: 'Secret is base64 encoded',
-        },
-        {
-          type: 'editor',
-          name: 'payload',
-          label: 'Payload',
-          language: 'json',
-          defaultValue: '{\n  "foo": "bar"\n}',
-          placeholder: '{ }',
-        },
-      ],
-      async onApply(_ctx, { values }) {
-        const { algorithm, secret: _secret, secretBase64, payload } = values;
-        const secret = secretBase64 ? Buffer.from(`${_secret}`, 'base64') : `${_secret}`;
-        const token = jwt.sign(`${payload}`, secret, { algorithm: algorithm as any });
-        const value = `Bearer ${token}`;
-        return { setHeaders: [{ name: 'Authorization', value }] };
+      },
+      {
+        type: 'editor',
+        name: 'payload',
+        label: 'Payload',
+        language: 'json',
+        defaultValue: '{\n  "foo": "bar"\n}',
+        placeholder: '{ }',
+      },
+    ],
+    async onApply(_ctx, { values }) {
+      const { algorithm, secret: _secret, secretBase64, payload } = values;
+      const secret = secretBase64 ? Buffer.from(`${_secret}`, 'base64') : `${_secret}`;
+      const token = jwt.sign(`${payload}`, secret, {
+        algorithm: algorithm as (typeof algorithms)[number],
+      });
+
+      if (values.location === 'query') {
+        const paramName = String(values.name || 'token');
+        const paramValue = String(values.value || '');
+        return { setQueryParameters: [{ name: paramName, value: paramValue }] };
      }
-      ,
+      const headerPrefix = values.headerPrefix != null ? values.headerPrefix : 'Bearer';
+      const headerName = String(values.name || 'Authorization');
+      const headerValue = `${headerPrefix} ${token}`.trim();
+      return { setHeaders: [{ name: headerName, value: headerValue }] };
    },
-  }
-;
+  },
+};
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
@@ -0,0 +1,19 @@
+{
+  "name": "@yaak/auth-ntlm",
+  "displayName": "NTLM Authentication",
+  "description": "Authenticate requests using NTLM authentication",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mountain-loop/yaak.git",
+    "directory": "plugins/auth-ntlm"
+  },
+  "private": true,
+  "version": "0.1.0",
+  "scripts": {
+    "build": "yaakcli build",
+    "dev": "yaakcli dev"
+  },
+  "dependencies": {
+    "httpntlm": "^1.8.13"
+  }
+}
@@ -0,0 +1,87 @@
+import type { PluginDefinition } from '@yaakapp/api';
+
+import { ntlm } from 'httpntlm';
+
+export const plugin: PluginDefinition = {
+  authentication: {
+    name: 'windows',
+    label: 'NTLM Auth',
+    shortLabel: 'NTLM',
+    args: [
+      {
+        type: 'banner',
+        color: 'info',
+        inputs: [
+          {
+            type: 'markdown',
+            content:
+              'NTLM is still in beta. Please submit any issues to [Feedback](https://yaak.app/feedback).',
+          },
+        ],
+      },
+      {
+        type: 'text',
+        name: 'username',
+        label: 'Username',
+        optional: true,
+      },
+      {
+        type: 'text',
+        name: 'password',
+        label: 'Password',
+        optional: true,
+        password: true,
+      },
+      {
+        type: 'accordion',
+        label: 'Advanced',
+        inputs: [
+          { name: 'domain', label: 'Domain', type: 'text', optional: true },
+          { name: 'workstation', label: 'Workstation', type: 'text', optional: true },
+        ],
+      },
+    ],
+    async onApply(ctx, { values, method, url }) {
+      const username = values.username ? String(values.username) : undefined;
+      const password = values.password ? String(values.password) : undefined;
+      const domain = values.domain ? String(values.domain) : undefined;
+      const workstation = values.workstation ? String(values.workstation) : undefined;
+
+      const options = {
+        url,
+        username,
+        password,
+        workstation,
+        domain,
+      };
+
+      const type1 = ntlm.createType1Message(options);
+
+      const negotiateResponse = await ctx.httpRequest.send({
+        httpRequest: {
+          method,
+          url,
+          headers: [
+            { name: 'Authorization', value: type1 },
+            { name: 'Connection', value: 'keep-alive' },
+          ],
+        },
+      });
+
+      const wwwAuthenticateHeader = negotiateResponse.headers.find(
+        (h) => h.name.toLowerCase() === 'www-authenticate',
+      );
+
+      if (!wwwAuthenticateHeader?.value) {
+        throw new Error('Unable to find www-authenticate response header for NTLM');
+      }
+
+      const type2 = ntlm.parseType2Message(wwwAuthenticateHeader.value, (err: Error | null) => {
+        if (err != null) throw err;
+      });
+      const type3 = ntlm.createType3Message(type2, options);
+
+      return { setHeaders: [{ name: 'Authorization', value: type3 }] };
+    },
+  },
+};
@@ -0,0 +1 @@
+declare module 'httpntlm';
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
@@ -0,0 +1,19 @@
+{
+  "name": "@yaak/auth-oauth1",
+  "displayName": "OAuth 1.0",
+  "description": "Authenticate requests using OAuth 1.0a",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mountain-loop/yaak.git",
+    "directory": "plugins/auth-oauth1"
+  },
+  "private": true,
+  "version": "0.1.0",
+  "scripts": {
+    "build": "yaakcli build",
+    "dev": "yaakcli dev"
+  },
+  "dependencies": {
+    "oauth-1.0a": "^2.2.6"
+  }
+}
@@ -0,0 +1,210 @@
+import crypto from 'node:crypto';
+import type { Context, GetHttpAuthenticationConfigRequest, PluginDefinition } from '@yaakapp/api';
+import OAuth from 'oauth-1.0a';
+
+const signatures = {
+  HMAC_SHA1: 'HMAC-SHA1',
+  HMAC_SHA256: 'HMAC-SHA256',
+  HMAC_SHA512: 'HMAC-SHA512',
+  RSA_SHA1: 'RSA-SHA1',
+  RSA_SHA256: 'RSA-SHA256',
+  RSA_SHA512: 'RSA-SHA512',
+  PLAINTEXT: 'PLAINTEXT',
+} as const;
+const defaultSig = signatures.HMAC_SHA1;
+
+const pkSigs = Object.values(signatures).filter((k) => k.startsWith('RSA-'));
+const nonPkSigs = Object.values(signatures).filter((k) => !pkSigs.includes(k));
+
+type SigMethod = (typeof signatures)[keyof typeof signatures];
+
+function hiddenIfNot(
+  sigMethod: SigMethod[],
+  ...other: ((values: GetHttpAuthenticationConfigRequest['values']) => boolean)[]
+) {
+  return (_ctx: Context, { values }: GetHttpAuthenticationConfigRequest) => {
+    const hasGrantType = sigMethod.find((t) => t === String(values.signatureMethod ?? defaultSig));
+    const hasOtherBools = other.every((t) => t(values));
+    const show = hasGrantType && hasOtherBools;
+    return { hidden: !show };
+  };
+}
+
+export const plugin: PluginDefinition = {
+  authentication: {
+    name: 'oauth1',
+    label: 'OAuth 1.0',
+    shortLabel: 'OAuth 1',
+    args: [
+      {
+        type: 'banner',
+        color: 'info',
+        inputs: [
+          {
+            type: 'markdown',
+            content:
+              'OAuth 1.0 is still in beta. Please submit any issues to [Feedback](https://yaak.app/feedback).',
+          },
+        ],
+      },
+      {
+        name: 'signatureMethod',
+        label: 'Signature Method',
+        type: 'select',
+        defaultValue: defaultSig,
+        options: Object.values(signatures).map((v) => ({ label: v, value: v })),
+      },
+      { name: 'consumerKey', label: 'Consumer Key', type: 'text', password: true, optional: true },
+      {
+        name: 'consumerSecret',
+        label: 'Consumer Secret',
+        type: 'text',
+        password: true,
+        optional: true,
+      },
+      {
+        name: 'tokenKey',
+        label: 'Access Token',
+        type: 'text',
+        password: true,
+        optional: true,
+      },
+      {
+        name: 'tokenSecret',
+        label: 'Token Secret',
+        type: 'text',
+        password: true,
+        optional: true,
+        dynamic: hiddenIfNot(nonPkSigs),
+      },
+      {
+        name: 'privateKey',
+        label: 'Private Key (RSA-SHA1)',
+        type: 'text',
+        multiLine: true,
+        optional: true,
+        password: true,
+        placeholder:
+          '-----BEGIN RSA PRIVATE KEY-----\nPrivate key in PEM format\n-----END RSA PRIVATE KEY-----',
+        dynamic: hiddenIfNot(pkSigs),
+      },
+      {
+        type: 'accordion',
+        label: 'Advanced',
+        inputs: [
+          { name: 'callback', label: 'Callback Url', type: 'text', optional: true },
+          { name: 'verifier', label: 'Verifier', type: 'text', optional: true, password: true },
+          { name: 'timestamp', label: 'Timestamp', type: 'text', optional: true },
+          { name: 'nonce', label: 'Nonce', type: 'text', optional: true },
+          {
+            name: 'version',
+            label: 'OAuth Version',
+            type: 'text',
+            optional: true,
+            defaultValue: '1.0',
+          },
+          { name: 'realm', label: 'Realm', type: 'text', optional: true },
+        ],
+      },
+    ],
+
+    onApply(
+      _ctx,
+      { values, method, url },
+    ): {
+      setHeaders?: { name: string; value: string }[];
+      setQueryParameters?: { name: string; value: string }[];
+    } {
+      const consumerKey = String(values.consumerKey || '');
+      const consumerSecret = String(values.consumerSecret || '');
+
+      const signatureMethod = String(values.signatureMethod || signatures.HMAC_SHA1) as SigMethod;
+      const version = String(values.version || '1.0');
+      const realm = String(values.realm || '') || undefined;
+
+      const oauth = new OAuth({
+        consumer: { key: consumerKey, secret: consumerSecret },
+        signature_method: signatureMethod,
+        version,
+        hash_function: hashFunction(signatureMethod),
+        realm,
+      });
+
+      if (pkSigs.includes(signatureMethod)) {
+        oauth.getSigningKey = (tokenSecret?: string) => tokenSecret || '';
+      }
+
+      const requestUrl = new URL(url);
+
+      // Base request options passed to oauth-1.0a
+      const requestData: Omit<OAuth.RequestOptions, 'data'> & {
+        data: Record<string, string | string[]>;
+      } = {
+        method,
+        url: requestUrl.toString(),
+        includeBodyHash: false,
+        data: {},
+      };
+
+      // (1) Include existing query params in signature base string
+      for (const key of requestUrl.searchParams.keys()) {
+        if (key.startsWith('oauth_')) continue;
+        const all = requestUrl.searchParams.getAll(key);
+        const first = all[0];
+        if (first == null) continue;
+        requestData.data[key] = all.length > 1 ? all : first;
+      }
+
+      // (2) Manual oauth_* overrides
+      if (values.callback) requestData.data.oauth_callback = String(values.callback);
+      if (values.nonce) requestData.data.oauth_nonce = String(values.nonce);
+      if (values.timestamp) requestData.data.oauth_timestamp = String(values.timestamp);
+      if (values.verifier) requestData.data.oauth_verifier = String(values.verifier);
+
+      let token: OAuth.Token | { key: string } | undefined;
+
+      if (pkSigs.includes(signatureMethod)) {
+        token = {
+          key: String(values.tokenKey || ''),
+          secret: String(values.privateKey || ''),
+        };
+      } else if (values.tokenKey && values.tokenSecret) {
+        token = { key: String(values.tokenKey), secret: String(values.tokenSecret) };
+      } else if (values.tokenKey) {
+        token = { key: String(values.tokenKey) };
+      }
+
+      const authParams = oauth.authorize(requestData, token as OAuth.Token | undefined);
+      const { Authorization } = oauth.toHeader(authParams);
+      return { setHeaders: [{ name: 'Authorization', value: Authorization }] };
+    },
+  },
+};
+
+function hashFunction(signatureMethod: SigMethod) {
+  switch (signatureMethod) {
+    case signatures.HMAC_SHA1:
+      return (base: string, key: string) =>
+        crypto.createHmac('sha1', key).update(base).digest('base64');
+    case signatures.HMAC_SHA256:
+      return (base: string, key: string) =>
+        crypto.createHmac('sha256', key).update(base).digest('base64');
+    case signatures.HMAC_SHA512:
+      return (base: string, key: string) =>
+        crypto.createHmac('sha512', key).update(base).digest('base64');
+    case signatures.RSA_SHA1:
+      return (base: string, privateKey: string) =>
+        crypto.createSign('RSA-SHA1').update(base).sign(privateKey, 'base64');
+    case signatures.RSA_SHA256:
+      return (base: string, privateKey: string) =>
+        crypto.createSign('RSA-SHA256').update(base).sign(privateKey, 'base64');
+    case signatures.RSA_SHA512:
+      return (base: string, privateKey: string) =>
+        crypto.createSign('RSA-SHA512').update(base).sign(privateKey, 'base64');
+    case signatures.PLAINTEXT:
+      return (base: string) => base;
+    default:
+      return (base: string, key: string) =>
+        crypto.createHmac('sha1', key).update(base).digest('base64');
+  }
+}
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
@@ -0,0 +1,72 @@
+# OAuth 2.0 Authentication
+
+An [OAuth 2.0](https://datatracker.ietf.org/doc/html/rfc6749) authentication plugin that
+supports multiple grant types and flows, enabling secure API authentication with OAuth 2.0
+providers.
+
+![Screenshot of OAuth 2.0 auth UI](screenshot.png)
+
+## Overview
+
+This plugin implements OAuth 2.0 authentication for requests, supporting the most common
+OAuth 2.0 grant types used in modern API integrations. It handles token management,
+automatic refresh, and [PKCE](https://datatracker.ietf.org/doc/html/rfc7636) (Proof Key
+for Code Exchange) for enhanced security.
+
+## Supported Grant Types
+
+### Authorization Code Flow
+
+The most secure and commonly used OAuth 2.0 flow for web applications.
+
+- Standard Authorization Code flow
+- Optional PKCE (Proof Key for Code Exchange) for enhanced security
+- Supports automatic token refresh
+
+### Client Credentials Flow
+
+Ideal for server-to-server authentication where no user interaction is required. 
+
+### Implicit Flow
+
+Legacy flow for single-page applications (deprecated but still supported):
+
+- Direct access token retrieval
+- No refresh token support
+- Suitable for legacy integrations
+
+### Resource Owner Password Credentials Flow
+
+Direct username/password authentication.
+
+- User credentials are exchanged directly for tokens
+- Should only be used with trusted applications
+- Supports automatic token refresh
+
+## Features
+
+- **Automatic Token Management**: Handles token storage, expiration, and refresh
+  automatically
+- **PKCE Support**: Enhanced security for Authorization Code flow
+- **Token Persistence**: Stores tokens between sessions
+- **Flexible Configuration**: Supports custom authorization and token endpoints
+- **Scope Management**: Configure required OAuth scopes for your API
+- **Error Handling**: Comprehensive error handling and user feedback
+
+## Usage
+
+1. Configure the request, folder, or workspace to use OAuth 2.0 Authentication
+2. Select the appropriate grant type for your use case
+3. Fill in the required OAuth 2.0 parameters from your API provider
+4. The plugin will handle the authentication flow and token management automatically
+
+## Compatibility
+
+This plugin is compatible with OAuth 2.0 providers including:
+
+- Google APIs
+- Microsoft Graph
+- GitHub API
+- Auth0
+- Okta
+- And many other OAuth 2.0 compliant services
@@ -1,9 +1,17 @@
 {
-  "name": "@yaakapp/auth-oauth2",
+  "name": "@yaak/auth-oauth2",
+  "displayName": "OAuth 2.0",
+  "description": "Authenticate requests using OAuth 2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mountain-loop/yaak.git",
+    "directory": "plugins/auth-oauth2"
+  },
  "private": true,
-  "version": "0.0.1",
+  "version": "0.1.0",
  "scripts": {
-    "build": "yaakcli build ./src/index.ts",
-    "dev": "yaakcli dev ./src/index.js"
+    "build": "yaakcli build",
+    "dev": "yaakcli dev",
+    "test": "vitest --run tests"
  }
 }
@@ -1,8 +1,8 @@
-import { Context, HttpRequest, HttpUrlParameter } from '@yaakapp/api';
 import { readFileSync } from 'node:fs';
-import { AccessTokenRawResponse } from './store';
+import type { Context, HttpRequest, HttpUrlParameter } from '@yaakapp/api';
+import type { AccessTokenRawResponse } from './store';

-export async function getAccessToken(
+export async function fetchAccessToken(
  ctx: Context,
  {
    accessTokenUrl,
@@ -39,15 +39,15 @@ export async function getAccessToken(
    ],
  };

-  if (scope) httpRequest.body!.form.push({ name: 'scope', value: scope });
-  if (audience) httpRequest.body!.form.push({ name: 'audience', value: audience });
+  if (scope) httpRequest.body?.form.push({ name: 'scope', value: scope });
+  if (audience) httpRequest.body?.form.push({ name: 'audience', value: audience });

  if (credentialsInBody) {
-    httpRequest.body!.form.push({ name: 'client_id', value: clientId });
-    httpRequest.body!.form.push({ name: 'client_secret', value: clientSecret });
+    httpRequest.body?.form.push({ name: 'client_id', value: clientId });
+    httpRequest.body?.form.push({ name: 'client_secret', value: clientSecret });
  } else {
-    const value = 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
-    httpRequest.headers!.push({ name: 'Authorization', value });
+    const value = `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString('base64')}`;
+    httpRequest.headers?.push({ name: 'Authorization', value });
  }

  httpRequest.authenticationType = 'none'; // Don't inherit workspace auth
@@ -58,12 +58,11 @@ export async function getAccessToken(
  const body = resp.bodyPath ? readFileSync(resp.bodyPath, 'utf8') : '';

  if (resp.status < 200 || resp.status >= 300) {
-    throw new Error(
-      'Failed to fetch access token with status=' + resp.status + ' and body=' + body,
-    );
+    throw new Error(`Failed to fetch access token with status=${resp.status} and body=${body}`);
  }

-  let response;
+  // biome-ignore lint/suspicious/noExplicitAny: none
+  let response: any;
  try {
    response = JSON.parse(body);
  } catch {
@@ -71,7 +70,7 @@ export async function getAccessToken(
  }

  if (response.error) {
-    throw new Error('Failed to fetch access token with ' + response.error);
+    throw new Error(`Failed to fetch access token with ${response.error}`);
  }

  return response;
@@ -1,29 +1,34 @@
-import { Context, HttpRequest } from '@yaakapp/api';
 import { readFileSync } from 'node:fs';
-import { AccessToken, AccessTokenRawResponse, deleteToken, getToken, storeToken } from './store';
+import type { Context, HttpRequest } from '@yaakapp/api';
+import type { AccessToken, AccessTokenRawResponse, TokenStoreArgs } from './store';
+import { deleteToken, getToken, storeToken } from './store';
+import { isTokenExpired } from './util';

-export async function getOrRefreshAccessToken(ctx: Context, contextId: string, {
-  scope,
-  accessTokenUrl,
-  credentialsInBody,
-  clientId,
-  clientSecret,
-  forceRefresh,
-}: {
-  scope: string | null;
-  accessTokenUrl: string;
-  credentialsInBody: boolean;
-  clientId: string;
-  clientSecret: string;
-  forceRefresh?: boolean;
-}): Promise<AccessToken | null> {
-  const token = await getToken(ctx, contextId);
+export async function getOrRefreshAccessToken(
+  ctx: Context,
+  tokenArgs: TokenStoreArgs,
+  {
+    scope,
+    accessTokenUrl,
+    credentialsInBody,
+    clientId,
+    clientSecret,
+    forceRefresh,
+  }: {
+    scope: string | null;
+    accessTokenUrl: string;
+    credentialsInBody: boolean;
+    clientId: string;
+    clientSecret: string;
+    forceRefresh?: boolean;
+  },
+): Promise<AccessToken | null> {
+  const token = await getToken(ctx, tokenArgs);
  if (token == null) {
    return null;
  }

-  const now = Date.now();
-  const isExpired = token.expiresAt && now > token.expiresAt;
+  const isExpired = isTokenExpired(token);

  // Return the current access token if it's still valid
  if (!isExpired && !forceRefresh) {
@@ -53,24 +58,24 @@ export async function getOrRefreshAccessToken(ctx: Context, contextId: string, {
    ],
  };

-  if (scope) httpRequest.body!.form.push({ name: 'scope', value: scope });
+  if (scope) httpRequest.body?.form.push({ name: 'scope', value: scope });

  if (credentialsInBody) {
-    httpRequest.body!.form.push({ name: 'client_id', value: clientId });
-    httpRequest.body!.form.push({ name: 'client_secret', value: clientSecret });
+    httpRequest.body?.form.push({ name: 'client_id', value: clientId });
+    httpRequest.body?.form.push({ name: 'client_secret', value: clientSecret });
  } else {
-    const value = 'Basic ' + Buffer.from(`${clientId}:${clientSecret}`).toString('base64');
-    httpRequest.headers!.push({ name: 'Authorization', value });
+    const value = `Basic ${Buffer.from(`${clientId}:${clientSecret}`).toString('base64')}`;
+    httpRequest.headers?.push({ name: 'Authorization', value });
  }

  httpRequest.authenticationType = 'none'; // Don't inherit workspace auth
  const resp = await ctx.httpRequest.send({ httpRequest });

-  if (resp.status === 401) {
-    // Bad refresh token, so we'll force it to fetch a fresh access token by deleting
-    // and returning null;
-    console.log('[oauth2] Unauthorized refresh_token request');
-    await deleteToken(ctx, contextId);
+  if (resp.status >= 400 && resp.status < 500) {
+    // Client errors (4xx) indicate the refresh token is invalid, expired, or revoked
+    // Delete the token and return null to trigger a fresh authorization flow
+    console.log('[oauth2] Refresh token request failed with client error, deleting token');
+    await deleteToken(ctx, tokenArgs);
    return null;
  }

@@ -79,10 +84,11 @@ export async function getOrRefreshAccessToken(ctx: Context, contextId: string, {
  console.log('[oauth2] Got refresh token response', resp.status);

  if (resp.status < 200 || resp.status >= 300) {
-    throw new Error('Failed to refresh access token with status=' + resp.status + ' and body=' + body);
+    throw new Error(`Failed to refresh access token with status=${resp.status} and body=${body}`);
  }

-  let response;
+  // biome-ignore lint/suspicious/noExplicitAny: none
+  let response: any;
  try {
    response = JSON.parse(body);
  } catch {
@@ -90,7 +96,9 @@ export async function getOrRefreshAccessToken(ctx: Context, contextId: string, {
  }

  if (response.error) {
-    throw new Error(`Failed to fetch access token with ${response.error} -> ${response.error_description}`);
+    throw new Error(
+      `Failed to fetch access token with ${response.error} -> ${response.error_description}`,
+    );
  }

  const newResponse: AccessTokenRawResponse = {
@@ -99,5 +107,5 @@ export async function getOrRefreshAccessToken(ctx: Context, contextId: string, {
    refresh_token: response.refresh_token ?? token.response.refresh_token,
  };

-  return storeToken(ctx, contextId, newResponse);
+  return storeToken(ctx, tokenArgs, newResponse);
 }
@@ -1,8 +1,10 @@
-import { Context } from '@yaakapp/api';
 import { createHash, randomBytes } from 'node:crypto';
-import { getAccessToken } from '../getAccessToken';
+import type { Context } from '@yaakapp/api';
+import { fetchAccessToken } from '../fetchAccessToken';
 import { getOrRefreshAccessToken } from '../getOrRefreshAccessToken';
-import { AccessToken, getDataDirKey, storeToken } from '../store';
+import type { AccessToken, TokenStoreArgs } from '../store';
+import { getDataDirKey, storeToken } from '../store';
+import { extractCode } from '../util';

 export const PKCE_SHA256 = 'S256';
 export const PKCE_PLAIN = 'plain';
@@ -34,13 +36,20 @@ export async function getAuthorizationCode(
    audience: string | null;
    credentialsInBody: boolean;
    pkce: {
-      challengeMethod: string | null;
-      codeVerifier: string | null;
+      challengeMethod: string;
+      codeVerifier: string;
    } | null;
    tokenName: 'access_token' | 'id_token';
  },
 ): Promise<AccessToken> {
-  const token = await getOrRefreshAccessToken(ctx, contextId, {
+  const tokenArgs: TokenStoreArgs = {
+    contextId,
+    clientId,
+    accessTokenUrl,
+    authorizationUrl: authorizationUrlRaw,
+  };
+
+  const token = await getOrRefreshAccessToken(ctx, tokenArgs, {
    accessTokenUrl,
    scope,
    clientId,
@@ -51,7 +60,12 @@ export async function getAuthorizationCode(
    return token;
  }

-  const authorizationUrl = new URL(`${authorizationUrlRaw ?? ''}`);
+  let authorizationUrl: URL;
+  try {
+    authorizationUrl = new URL(`${authorizationUrlRaw ?? ''}`);
+  } catch {
+    throw new Error(`Invalid authorization URL "${authorizationUrlRaw}"`);
+  }
  authorizationUrl.searchParams.set('response_type', 'code');
  authorizationUrl.searchParams.set('client_id', clientId);
  if (redirectUri) authorizationUrl.searchParams.set('redirect_uri', redirectUri);
@@ -59,79 +73,75 @@ export async function getAuthorizationCode(
  if (state) authorizationUrl.searchParams.set('state', state);
  if (audience) authorizationUrl.searchParams.set('audience', audience);
  if (pkce) {
-    const verifier = pkce.codeVerifier || createPkceCodeVerifier();
-    const challengeMethod = pkce.challengeMethod || DEFAULT_PKCE_METHOD;
    authorizationUrl.searchParams.set(
      'code_challenge',
-      createPkceCodeChallenge(verifier, challengeMethod),
+      pkceCodeChallenge(pkce.codeVerifier, pkce.challengeMethod),
    );
-    authorizationUrl.searchParams.set('code_challenge_method', challengeMethod);
+    authorizationUrl.searchParams.set('code_challenge_method', pkce.challengeMethod);
  }

-  return new Promise(async (resolve, reject) => {
-    const authorizationUrlStr = authorizationUrl.toString();
-    const logsEnabled = (await ctx.store.get('enable_logs')) ?? false;
-    console.log('[oauth2] Authorizing', authorizationUrlStr);
+  const dataDirKey = await getDataDirKey(ctx, contextId);
+  const authorizationUrlStr = authorizationUrl.toString();
+  console.log('[oauth2] Authorizing', authorizationUrlStr);

+  // biome-ignore lint/suspicious/noAsyncPromiseExecutor: none
+  const code = await new Promise<string>(async (resolve, reject) => {
    let foundCode = false;
-
-    let { close } = await ctx.window.openUrl({
+    const { close } = await ctx.window.openUrl({
+      dataDirKey,
      url: authorizationUrlStr,
      label: 'oauth-authorization-url',
-      dataDirKey: await getDataDirKey(ctx, contextId),
      async onClose() {
        if (!foundCode) {
          reject(new Error('Authorization window closed'));
        }
      },
      async onNavigate({ url: urlStr }) {
-        const url = new URL(urlStr);
-        if (logsEnabled) console.log('[oauth2] Navigated to', urlStr);
-
-        if (url.searchParams.has('error')) {
-          return reject(new Error(`Failed to authorize: ${url.searchParams.get('error')}`));
+        let code: string | null;
+        try {
+          code = extractCode(urlStr, redirectUri);
+        } catch (err) {
+          reject(err);
+          close();
+          return;
        }

-        const code = url.searchParams.get('code');
        if (!code) {
-          console.log('[oauth2] Code not found');
-          return; // Could be one of many redirects in a chain, so skip it
+          return;
        }

        // Close the window here, because we don't need it anymore!
        foundCode = true;
        close();
-
-        console.log('[oauth2] Code found');
-        const response = await getAccessToken(ctx, {
-          grantType: 'authorization_code',
-          accessTokenUrl,
-          clientId,
-          clientSecret,
-          scope,
-          audience,
-          credentialsInBody,
-          params: [
-            { name: 'code', value: code },
-            ...(redirectUri ? [{ name: 'redirect_uri', value: redirectUri }] : []),
-          ],
-        });
-
-        try {
-          resolve(await storeToken(ctx, contextId, response, tokenName));
-        } catch (err) {
-          reject(err);
-        }
+        resolve(code);
      },
    });
  });
+
+  console.log('[oauth2] Code found');
+  const response = await fetchAccessToken(ctx, {
+    grantType: 'authorization_code',
+    accessTokenUrl,
+    clientId,
+    clientSecret,
+    scope,
+    audience,
+    credentialsInBody,
+    params: [
+      { name: 'code', value: code },
+      ...(pkce ? [{ name: 'code_verifier', value: pkce.codeVerifier }] : []),
+      ...(redirectUri ? [{ name: 'redirect_uri', value: redirectUri }] : []),
+    ],
+  });
+
+  return storeToken(ctx, tokenArgs, response, tokenName);
 }

-function createPkceCodeVerifier() {
+export function genPkceCodeVerifier() {
  return encodeForPkce(randomBytes(32));
 }

-function createPkceCodeChallenge(verifier: string, method: string) {
+function pkceCodeChallenge(verifier: string, method: string) {
  if (method === 'plain') {
    return verifier;
  }
@@ -1,6 +1,8 @@
-import { Context } from '@yaakapp/api';
-import { getAccessToken } from '../getAccessToken';
+import type { Context } from '@yaakapp/api';
+import { fetchAccessToken } from '../fetchAccessToken';
+import type { TokenStoreArgs } from '../store';
 import { getToken, storeToken } from '../store';
+import { isTokenExpired } from '../util';

 export async function getClientCredentials(
  ctx: Context,
@@ -21,14 +23,18 @@ export async function getClientCredentials(
    credentialsInBody: boolean;
  },
 ) {
-  const token = await getToken(ctx, contextId);
-  if (token) {
-    // resolve(token.response.access_token);
-    // TODO: Refresh token if expired
-    // return;
+  const tokenArgs: TokenStoreArgs = {
+    contextId,
+    clientId,
+    accessTokenUrl,
+    authorizationUrl: null,
+  };
+  const token = await getToken(ctx, tokenArgs);
+  if (token && !isTokenExpired(token)) {
+    return token;
  }

-  const response = await getAccessToken(ctx, {
+  const response = await fetchAccessToken(ctx, {
    grantType: 'client_credentials',
    accessTokenUrl,
    audience,
@@ -39,5 +45,5 @@ export async function getClientCredentials(
    params: [],
  });

-  return storeToken(ctx, contextId, response);
+  return storeToken(ctx, tokenArgs, response);
 }
@@ -1,7 +1,9 @@
-import { Context } from '@yaakapp/api';
-import { AccessToken, AccessTokenRawResponse, getToken, storeToken } from '../store';
+import type { Context } from '@yaakapp/api';
+import type { AccessToken, AccessTokenRawResponse } from '../store';
+import { getDataDirKey, getToken, storeToken } from '../store';
+import { isTokenExpired } from '../util';

-export function getImplicit(
+export async function getImplicit(
  ctx: Context,
  contextId: string,
  {
@@ -24,31 +26,43 @@ export function getImplicit(
    tokenName: 'access_token' | 'id_token';
  },
 ): Promise<AccessToken> {
-  return new Promise(async (resolve, reject) => {
-    const token = await getToken(ctx, contextId);
-    if (token) {
-      // resolve(token.response.access_token);
-      // TODO: Refresh token if expired
-      // return;
-    }
+  const tokenArgs = {
+    contextId,
+    clientId,
+    accessTokenUrl: null,
+    authorizationUrl: authorizationUrlRaw,
+  };
+  const token = await getToken(ctx, tokenArgs);
+  if (token != null && !isTokenExpired(token)) {
+    return token;
+  }

-    const authorizationUrl = new URL(`${authorizationUrlRaw ?? ''}`);
-    authorizationUrl.searchParams.set('response_type', 'token');
-    authorizationUrl.searchParams.set('client_id', clientId);
-    if (redirectUri) authorizationUrl.searchParams.set('redirect_uri', redirectUri);
-    if (scope) authorizationUrl.searchParams.set('scope', scope);
-    if (state) authorizationUrl.searchParams.set('state', state);
-    if (audience) authorizationUrl.searchParams.set('audience', audience);
-    if (responseType.includes('id_token')) {
-      authorizationUrl.searchParams.set(
-        'nonce',
-        String(Math.floor(Math.random() * 9999999999999) + 1),
-      );
-    }
+  let authorizationUrl: URL;
+  try {
+    authorizationUrl = new URL(`${authorizationUrlRaw ?? ''}`);
+  } catch {
+    throw new Error(`Invalid authorization URL "${authorizationUrlRaw}"`);
+  }
+  authorizationUrl.searchParams.set('response_type', 'token');
+  authorizationUrl.searchParams.set('client_id', clientId);
+  if (redirectUri) authorizationUrl.searchParams.set('redirect_uri', redirectUri);
+  if (scope) authorizationUrl.searchParams.set('scope', scope);
+  if (state) authorizationUrl.searchParams.set('state', state);
+  if (audience) authorizationUrl.searchParams.set('audience', audience);
+  if (responseType.includes('id_token')) {
+    authorizationUrl.searchParams.set(
+      'nonce',
+      String(Math.floor(Math.random() * 9999999999999) + 1),
+    );
+  }

-    const authorizationUrlStr = authorizationUrl.toString();
+  // biome-ignore lint/suspicious/noAsyncPromiseExecutor: none
+  const newToken = await new Promise<AccessToken>(async (resolve, reject) => {
    let foundAccessToken = false;
-    let { close } = await ctx.window.openUrl({
+    const authorizationUrlStr = authorizationUrl.toString();
+    const dataDirKey = await getDataDirKey(ctx, contextId);
+    const { close } = await ctx.window.openUrl({
+      dataDirKey,
      url: authorizationUrlStr,
      label: 'oauth-authorization-url',
      async onClose() {
@@ -76,11 +90,13 @@ export function getImplicit(

        const response = Object.fromEntries(params) as unknown as AccessTokenRawResponse;
        try {
-          resolve(await storeToken(ctx, contextId, response));
+          resolve(storeToken(ctx, tokenArgs, response));
        } catch (err) {
          reject(err);
        }
      },
    });
  });
+
+  return newToken;
 }
@@ -1,7 +1,8 @@
-import { Context } from '@yaakapp/api';
-import { getAccessToken } from '../getAccessToken';
+import type { Context } from '@yaakapp/api';
+import { fetchAccessToken } from '../fetchAccessToken';
 import { getOrRefreshAccessToken } from '../getOrRefreshAccessToken';
-import { AccessToken, storeToken } from '../store';
+import type { AccessToken, TokenStoreArgs } from '../store';
+import { storeToken } from '../store';

 export async function getPassword(
  ctx: Context,
@@ -26,7 +27,13 @@ export async function getPassword(
    credentialsInBody: boolean;
  },
 ): Promise<AccessToken> {
-  const token = await getOrRefreshAccessToken(ctx, contextId, {
+  const tokenArgs: TokenStoreArgs = {
+    contextId,
+    clientId,
+    accessTokenUrl,
+    authorizationUrl: null,
+  };
+  const token = await getOrRefreshAccessToken(ctx, tokenArgs, {
    accessTokenUrl,
    scope,
    clientId,
@@ -37,7 +44,7 @@ export async function getPassword(
    return token;
  }

-  const response = await getAccessToken(ctx, {
+  const response = await fetchAccessToken(ctx, {
    accessTokenUrl,
    clientId,
    clientSecret,
@@ -51,5 +58,5 @@ export async function getPassword(
    ],
  });

-  return storeToken(ctx, contextId, response);
+  return storeToken(ctx, tokenArgs, response);
 }
@@ -1,4 +1,4 @@
-import {
+import type {
  Context,
  FormInputSelectOption,
  GetHttpAuthenticationConfigRequest,
@@ -7,6 +7,7 @@ import {
 } from '@yaakapp/api';
 import {
  DEFAULT_PKCE_METHOD,
+  genPkceCodeVerifier,
  getAuthorizationCode,
  PKCE_PLAIN,
  PKCE_SHA256,
@@ -14,7 +15,8 @@ import {
 import { getClientCredentials } from './grants/clientCredentials';
 import { getImplicit } from './grants/implicit';
 import { getPassword } from './grants/password';
-import { AccessToken, deleteToken, getToken, resetDataDirKey } from './store';
+import type { AccessToken, TokenStoreArgs } from './store';
+import { deleteToken, getToken, resetDataDirKey } from './store';

 type GrantType = 'authorization_code' | 'implicit' | 'password' | 'client_credentials';

@@ -25,7 +27,7 @@ const grantTypes: FormInputSelectOption[] = [
  { label: 'Client Credentials', value: 'client_credentials' },
 ];

-const defaultGrantType = grantTypes[0]!.value;
+const defaultGrantType = grantTypes[0]?.value;

 function hiddenIfNot(
  grantTypes: GrantType[],
@@ -81,8 +83,14 @@ export const plugin: PluginDefinition = {
    actions: [
      {
        label: 'Copy Current Token',
-        async onSelect(ctx, { contextId }) {
-          const token = await getToken(ctx, contextId);
+        async onSelect(ctx, { contextId, values }) {
+          const tokenArgs: TokenStoreArgs = {
+            contextId,
+            authorizationUrl: stringArg(values, 'authorizationUrl'),
+            accessTokenUrl: stringArg(values, 'accessTokenUrl'),
+            clientId: stringArg(values, 'clientId'),
+          };
+          const token = await getToken(ctx, tokenArgs);
          if (token == null) {
            await ctx.toast.show({ message: 'No token to copy', color: 'warning' });
          } else {
@@ -97,8 +105,14 @@ export const plugin: PluginDefinition = {
      },
      {
        label: 'Delete Token',
-        async onSelect(ctx, { contextId }) {
-          if (await deleteToken(ctx, contextId)) {
+        async onSelect(ctx, { contextId, values }) {
+          const tokenArgs: TokenStoreArgs = {
+            contextId,
+            authorizationUrl: stringArg(values, 'authorizationUrl'),
+            accessTokenUrl: stringArg(values, 'accessTokenUrl'),
+            clientId: stringArg(values, 'clientId'),
+          };
+          if (await deleteToken(ctx, tokenArgs)) {
            await ctx.toast.show({ message: 'Token deleted', color: 'success' });
          } else {
            await ctx.toast.show({ message: 'No token to delete', color: 'warning' });
@@ -111,24 +125,12 @@ export const plugin: PluginDefinition = {
          await resetDataDirKey(ctx, contextId);
        },
      },
-      {
-        label: 'Toggle Debug Logs',
-        async onSelect(ctx) {
-          const enableLogs = !(await ctx.store.get('enable_logs'));
-          await ctx.store.set('enable_logs', enableLogs);
-          await ctx.toast.show({
-            message: `Debug logs ${enableLogs ? 'enabled' : 'disabled'}`,
-            color: 'info',
-          });
-        },
-      },
    ],
    args: [
      {
        type: 'select',
        name: 'grantType',
        label: 'Grant Type',
-        hideLabel: true,
        defaultValue: defaultGrantType,
        options: grantTypes,
      },
@@ -219,9 +221,9 @@ export const plugin: PluginDefinition = {
      },
      {
        type: 'text',
-        name: 'pkceCodeVerifier',
+        name: 'pkceCodeChallenge',
        label: 'Code Verifier',
-        placeholder: 'Automatically generated if not provided',
+        placeholder: 'Automatically generated when not set',
        optional: true,
        dynamic: hiddenIfNot(['authorization_code'], ({ usePkce }) => !!usePkce),
      },
@@ -257,6 +259,12 @@ export const plugin: PluginDefinition = {
        label: 'Advanced',
        inputs: [
          { type: 'text', name: 'scope', label: 'Scope', optional: true },
+          {
+            type: 'text',
+            name: 'headerName',
+            label: 'Header Name',
+            defaultValue: 'Authorization',
+          },
          {
            type: 'text',
            name: 'headerPrefix',
@@ -279,8 +287,15 @@ export const plugin: PluginDefinition = {
      {
        type: 'accordion',
        label: 'Access Token Response',
-        async dynamic(ctx, { contextId }) {
-          const token = await getToken(ctx, contextId);
+        inputs: [],
+        async dynamic(ctx, { contextId, values }) {
+          const tokenArgs: TokenStoreArgs = {
+            contextId,
+            authorizationUrl: stringArg(values, 'authorizationUrl'),
+            accessTokenUrl: stringArg(values, 'accessTokenUrl'),
+            clientId: stringArg(values, 'clientId'),
+          };
+          const token = await getToken(ctx, tokenArgs);
          if (token == null) {
            return { hidden: true };
          }
@@ -289,6 +304,7 @@ export const plugin: PluginDefinition = {
            inputs: [
              {
                type: 'editor',
+                name: 'response',
                defaultValue: JSON.stringify(token.response, null, 2),
                hideLabel: true,
                readOnly: true,
@@ -310,12 +326,14 @@ export const plugin: PluginDefinition = {
        const authorizationUrl = stringArg(values, 'authorizationUrl');
        const accessTokenUrl = stringArg(values, 'accessTokenUrl');
        token = await getAuthorizationCode(ctx, contextId, {
-          accessTokenUrl: accessTokenUrl.match(/^https?:\/\//)
-            ? accessTokenUrl
-            : `https://${accessTokenUrl}`,
-          authorizationUrl: authorizationUrl.match(/^https?:\/\//)
-            ? authorizationUrl
-            : `https://${authorizationUrl}`,
+          accessTokenUrl:
+            accessTokenUrl === '' || accessTokenUrl.match(/^https?:\/\//)
+              ? accessTokenUrl
+              : `https://${accessTokenUrl}`,
+          authorizationUrl:
+            authorizationUrl === '' || authorizationUrl.match(/^https?:\/\//)
+              ? authorizationUrl
+              : `https://${authorizationUrl}`,
          clientId: stringArg(values, 'clientId'),
          clientSecret: stringArg(values, 'clientSecret'),
          redirectUri: stringArgOrNull(values, 'redirectUri'),
@@ -325,8 +343,8 @@ export const plugin: PluginDefinition = {
          credentialsInBody,
          pkce: values.usePkce
            ? {
-                challengeMethod: stringArg(values, 'pkceChallengeMethod'),
-                codeVerifier: stringArgOrNull(values, 'pkceCodeVerifier'),
+                challengeMethod: stringArg(values, 'pkceChallengeMethod') || DEFAULT_PKCE_METHOD,
+                codeVerifier: stringArg(values, 'pkceCodeVerifier') || genPkceCodeVerifier(),
              }
            : null,
          tokenName: tokenName,
@@ -372,18 +390,12 @@ export const plugin: PluginDefinition = {
          credentialsInBody,
        });
      } else {
-        throw new Error('Invalid grant type ' + grantType);
+        throw new Error(`Invalid grant type ${grantType}`);
      }

+      const headerName = stringArg(values, 'headerName') || 'Authorization';
      const headerValue = `${headerPrefix} ${token.response[tokenName]}`.trim();
-      return {
-        setHeaders: [
-          {
-            name: 'Authorization',
-            value: headerValue,
-          },
-        ],
-      };
+      return { setHeaders: [{ name: headerName, value: headerValue }] };
    },
  },
 };
@@ -393,7 +405,7 @@ function stringArgOrNull(
  name: string,
 ): string | null {
  const arg = values[name];
-  if (arg == null || arg == '') return null;
+  if (arg == null || arg === '') return null;
  return `${arg}`;
 }

@@ -1,8 +1,9 @@
-import { Context } from '@yaakapp/api';
+import { createHash } from 'node:crypto';
+import type { Context } from '@yaakapp/api';

 export async function storeToken(
  ctx: Context,
-  contextId: string,
+  args: TokenStoreArgs,
  response: AccessTokenRawResponse,
  tokenName: 'access_token' | 'id_token' = 'access_token',
 ) {
@@ -15,16 +16,16 @@ export async function storeToken(
    response,
    expiresAt,
  };
-  await ctx.store.set<AccessToken>(tokenStoreKey(contextId), token);
+  await ctx.store.set<AccessToken>(tokenStoreKey(args), token);
  return token;
 }

-export async function getToken(ctx: Context, contextId: string) {
-  return ctx.store.get<AccessToken>(tokenStoreKey(contextId));
+export async function getToken(ctx: Context, args: TokenStoreArgs) {
+  return ctx.store.get<AccessToken>(tokenStoreKey(args));
 }

-export async function deleteToken(ctx: Context, contextId: string) {
-  return ctx.store.delete(tokenStoreKey(contextId));
+export async function deleteToken(ctx: Context, args: TokenStoreArgs) {
+  return ctx.store.delete(tokenStoreKey(args));
 }

 export async function resetDataDirKey(ctx: Context, contextId: string) {
@@ -37,8 +38,25 @@ export async function getDataDirKey(ctx: Context, contextId: string) {
  return `${contextId}::${key}`;
 }

-function tokenStoreKey(contextId: string) {
-  return ['token', contextId].join('::');
+export interface TokenStoreArgs {
+  contextId: string;
+  clientId: string;
+  accessTokenUrl: string | null;
+  authorizationUrl: string | null;
+}
+
+/**
+ * Generate a store key to use based on some arguments. The arguments will be normalized a bit to
+ * account for slight variations (like domains with and without a protocol scheme).
+ */
+function tokenStoreKey(args: TokenStoreArgs) {
+  const hash = createHash('md5');
+  if (args.contextId) hash.update(args.contextId.trim());
+  if (args.clientId) hash.update(args.clientId.trim());
+  if (args.accessTokenUrl) hash.update(args.accessTokenUrl.trim().replace(/^https?:\/\//, ''));
+  if (args.authorizationUrl) hash.update(args.authorizationUrl.trim().replace(/^https?:\/\//, ''));
+  const key = hash.digest('hex');
+  return ['token', key].join('::');
 }

 function dataDirStoreKey(contextId: string) {
@@ -0,0 +1,85 @@
+import type { AccessToken } from './store';
+
+export function isTokenExpired(token: AccessToken) {
+  return token.expiresAt && Date.now() > token.expiresAt;
+}
+
+export function extractCode(urlStr: string, redirectUri: string | null): string | null {
+  const url = new URL(urlStr);
+
+  if (!urlMatchesRedirect(url, redirectUri)) {
+    console.log('[oauth2] URL does not match redirect origin/path; skipping.');
+    return null;
+  }
+
+  // Prefer query param; fall back to fragment if query lacks it
+
+  const query = url.searchParams;
+  const queryError = query.get('error');
+  const queryDesc = query.get('error_description');
+  const queryUri = query.get('error_uri');
+
+  let hashParams: URLSearchParams | null = null;
+  if (url.hash && url.hash.length > 1) {
+    hashParams = new URLSearchParams(url.hash.slice(1));
+  }
+  const hashError = hashParams?.get('error');
+  const hashDesc = hashParams?.get('error_description');
+  const hashUri = hashParams?.get('error_uri');
+
+  const error = queryError || hashError;
+  if (error) {
+    const desc = queryDesc || hashDesc;
+    const uri = queryUri || hashUri;
+    let message = `Failed to authorize: ${error}`;
+    if (desc) message += ` (${desc})`;
+    if (uri) message += ` [${uri}]`;
+    throw new Error(message);
+  }
+
+  const queryCode = query.get('code');
+  if (queryCode) return queryCode;
+
+  const hashCode = hashParams?.get('code');
+  if (hashCode) return hashCode;
+
+  console.log('[oauth2] Code not found');
+  return null;
+}
+
+export function urlMatchesRedirect(url: URL, redirectUrl: string | null): boolean {
+  if (!redirectUrl) return true;
+
+  let redirect: URL;
+  try {
+    redirect = new URL(redirectUrl);
+  } catch {
+    console.log('[oauth2] Invalid redirect URI; skipping.');
+    return false;
+  }
+
+  const sameProtocol = url.protocol === redirect.protocol;
+
+  const sameHost = url.hostname.toLowerCase() === redirect.hostname.toLowerCase();
+
+  const normalizePort = (u: URL) =>
+    (u.protocol === 'https:' && (!u.port || u.port === '443')) ||
+    (u.protocol === 'http:' && (!u.port || u.port === '80'))
+      ? ''
+      : u.port;
+
+  const samePort = normalizePort(url) === normalizePort(redirect);
+
+  const normPath = (p: string) => {
+    const withLeading = p.startsWith('/') ? p : `/${p}`;
+    // strip trailing slashes, keep root as "/"
+    return withLeading.replace(/\/+$/g, '') || '/';
+  };
+
+  // Require redirect path to be a prefix of the navigated URL path
+  const urlPath = normPath(url.pathname);
+  const redirectPath = normPath(redirect.pathname);
+  const pathMatches = urlPath === redirectPath || urlPath.startsWith(`${redirectPath}/`);
+
+  return sameProtocol && sameHost && samePort && pathMatches;
+}
--- a/Show More
+++ b/Show More