Fix GraphQL editor

Dropdown to setup sync now opens the correct workspace settings tab
Don't drag tree item when editing
2026-02-18 08:37:48 +01:00 · 2025-11-06 06:31:56 -08:00 · 2025-11-06 05:13:18 -08:00 · 2025-11-06 05:10:23 -08:00 · 2025-11-05 10:21:26 -08:00 · 2025-11-05 10:12:48 -08:00
392 changed files with 15180 additions and 5404 deletions
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -62,7 +62,7 @@ jobs:

      - name: install dependencies (windows only)
        if: matrix.platform == 'windows-latest'
-        run: cargo install --force trusted-signing-cli --version 0.5.0
+        run: cargo install --force trusted-signing-cli

      - name: Install NPM Dependencies
        run: npm ci
@@ -72,9 +72,16 @@ jobs:
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}

+      # Some things (eg. WASM package) requires building before lint will work
+      - name: Run bootstrap
+        run: npm run bootstrap
+
      - name: Run lint
        run: npm run lint

+      - name: Run tests
+        run: npm test
+
      - name: Set version
        run: npm run replace-version
        env:
@@ -106,5 +113,5 @@ jobs:
          releaseName: 'Release __VERSION__'
          releaseBody: '[Changelog __VERSION__](https://yaak.app/blog/__VERSION__)'
          releaseDraft: true
-          prerelease: false
-          args: ${{ matrix.args }}
+          prerelease: true
+          args: '${{ matrix.args }} --config ./src-tauri/tauri.release.conf.json'
--- a/.github/workflows/sponsors.yml
+++ b/.github/workflows/sponsors.yml
@@ -0,0 +1,44 @@
+name: Generate Sponsors README
+on:
+  workflow_dispatch:
+  schedule:
+    - cron: 30 15 * * 0-6
+permissions:
+  contents: write
+jobs:
+  deploy:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout 🛎️
+        uses: actions/checkout@v2
+
+      - name: Generate Sponsors
+        uses: JamesIves/github-sponsors-readme-action@v1
+        with:
+          token: ${{ secrets.SPONSORS_PAT }}
+          file: 'README.md'
+          maximum: 1999
+          template: '<a href="https://github.com/{{{ login }}}"><img src="{{{ avatarUrl }}}" width="50px" alt="User avatar: {{{ login }}}" /></a>&nbsp;&nbsp;'
+          active-only: false
+          include-private: true
+          marker: 'sponsors-base'
+
+      - name: Generate Sponsors
+        uses: JamesIves/github-sponsors-readme-action@v1
+        with:
+          token: ${{ secrets.SPONSORS_PAT }}
+          file: 'README.md'
+          minimum: 2000
+          template: '<a href="https://github.com/{{{ login }}}"><img src="{{{ avatarUrl }}}" width="80px" alt="User avatar: {{{ login }}}" /></a>&nbsp;&nbsp;'
+          active-only: false
+          include-private: true
+          marker: 'sponsors-premium'
+
+      # ⚠️ Note: You can use any deployment step here to automatically push the README
+      # changes back to your branch.
+      - name: Commit Changes
+        uses: JamesIves/github-pages-deploy-action@v4
+        with:
+          branch: main
+          force: false
+          folder: '.'
--- a/README.md
+++ b/README.md
@@ -1,34 +1,70 @@
-# Yaak API Client
+<p align="center">
+  <a href="https://github.com/JamesIves/github-sponsors-readme-action">
+    <img width="200px" src="https://github.com/mountain-loop/yaak/raw/main/src-tauri/icons/icon.png">
+  </a>
+</p>

-Yaak is a desktop API client for interacting with REST, GraphQL, Server Sent Events (SSE), WebSocket, and gRPC
-APIs. It's built using [Tauri](https://tauri.app), Rust, and ReactJS.
+<h1 align="center">
+  💫 Yaak ➟ Desktop API Client 💫
+</h1>
+
+<p align="center">
+    A fast, privacy-first API client for REST, GraphQL, SSE, WebSocket, and gRPC – built with Tauri, Rust, and React.
+</p>
+<p align="center">
+ Development is funded by community-purchased <a href="https://yaak.app/pricing">licenses</a>. You can also <a href="https://github.com/sponsors/gschier">become a sponsor</a> to have your logo appear below. 💖
+</p>
+<br>
+
+
+
+<p align="center">
+  <!-- sponsors-premium --><a href="https://github.com/MVST-Solutions"><img src="https:&#x2F;&#x2F;github.com&#x2F;MVST-Solutions.png" width="80px" alt="User avatar: MVST-Solutions" /></a>&nbsp;&nbsp;<a href="https://github.com/dharsanb"><img src="https:&#x2F;&#x2F;github.com&#x2F;dharsanb.png" width="80px" alt="User avatar: dharsanb" /></a>&nbsp;&nbsp;<a href="https://github.com/railwayapp"><img src="https:&#x2F;&#x2F;github.com&#x2F;railwayapp.png" width="80px" alt="User avatar: railwayapp" /></a>&nbsp;&nbsp;<a href="https://github.com/caseyamcl"><img src="https:&#x2F;&#x2F;github.com&#x2F;caseyamcl.png" width="80px" alt="User avatar: caseyamcl" /></a>&nbsp;&nbsp;<a href="https://github.com/andriyor"><img src="https:&#x2F;&#x2F;github.com&#x2F;andriyor.png" width="80px" alt="User avatar: andriyor" /></a>&nbsp;&nbsp;<a href="https://github.com/"><img src="https:&#x2F;&#x2F;raw.githubusercontent.com&#x2F;JamesIves&#x2F;github-sponsors-readme-action&#x2F;dev&#x2F;.github&#x2F;assets&#x2F;placeholder.png" width="80px" alt="User avatar: " /></a>&nbsp;&nbsp;<!-- sponsors-premium -->
+</p>
+<p align="center">
+  <!-- sponsors-base --><a href="https://github.com/seanwash"><img src="https:&#x2F;&#x2F;github.com&#x2F;seanwash.png" width="50px" alt="User avatar: seanwash" /></a>&nbsp;&nbsp;<a href="https://github.com/jerath"><img src="https:&#x2F;&#x2F;github.com&#x2F;jerath.png" width="50px" alt="User avatar: jerath" /></a>&nbsp;&nbsp;<a href="https://github.com/itsa-sh"><img src="https:&#x2F;&#x2F;github.com&#x2F;itsa-sh.png" width="50px" alt="User avatar: itsa-sh" /></a>&nbsp;&nbsp;<a href="https://github.com/dmmulroy"><img src="https:&#x2F;&#x2F;github.com&#x2F;dmmulroy.png" width="50px" alt="User avatar: dmmulroy" /></a>&nbsp;&nbsp;<a href="https://github.com/timcole"><img src="https:&#x2F;&#x2F;github.com&#x2F;timcole.png" width="50px" alt="User avatar: timcole" /></a>&nbsp;&nbsp;<a href="https://github.com/VLZH"><img src="https:&#x2F;&#x2F;github.com&#x2F;VLZH.png" width="50px" alt="User avatar: VLZH" /></a>&nbsp;&nbsp;<a href="https://github.com/terasaka2k"><img src="https:&#x2F;&#x2F;github.com&#x2F;terasaka2k.png" width="50px" alt="User avatar: terasaka2k" /></a>&nbsp;&nbsp;<a href="https://github.com/majudhu"><img src="https:&#x2F;&#x2F;github.com&#x2F;majudhu.png" width="50px" alt="User avatar: majudhu" /></a>&nbsp;&nbsp;<a href="https://github.com/axelrindle"><img src="https:&#x2F;&#x2F;github.com&#x2F;axelrindle.png" width="50px" alt="User avatar: axelrindle" /></a>&nbsp;&nbsp;<a href="https://github.com/jirizverina"><img src="https:&#x2F;&#x2F;github.com&#x2F;jirizverina.png" width="50px" alt="User avatar: jirizverina" /></a>&nbsp;&nbsp;<a href="https://github.com/chip-well"><img src="https:&#x2F;&#x2F;github.com&#x2F;chip-well.png" width="50px" alt="User avatar: chip-well" /></a>&nbsp;&nbsp;<!-- sponsors-base -->
+</p>
+
+![Yaak API Client](https://yaak.app/static/screenshot.png)
+
+
+## Features
+
+Yaak is an offline-first API client designed to stay out of your way while giving you everything you need when you need it. 
+Built with [Tauri](https://tauri.app), Rust, and React, it’s fast, lightweight, and private. No telemetry, no VC funding, and no cloud lock-in.  
+
+
+### 🌐 Work with any API
+
+- Import collections from Postman, Insomnia, OpenAPI, Swagger, or Curl.
+- Send requests via REST, GraphQL, gRPC, WebSocket, or Server-Sent Events.
+- Filter and inspect responses with JSONPath or XPath.
+
+### 🔐 Stay secure
+- Use OAuth 2.0, JWT, Basic Auth, or custom plugins for authentication.
+- Secure sensitive values with encrypted secrets. 
+- Store secrets in your OS keychain.
+
+### ☁️ Organize & collaborate
+- Group requests into workspaces and nested folders.
+- Use environment variables to switch between dev, staging, and prod.
+- Mirror workspaces to your filesystem for versioning in Git or syncing with Dropbox.
+
+### 🧩 Extend & customize
+- Insert dynamic values like UUIDs or timestamps with template tags.
+- Pick from built-in themes or build your own.
+- Create plugins to extend authentication, template tags, or the UI.

-![366149288-f18e963f-0b68-4ecb-b8b8-cb71aa9aec02](https://github.com/user-attachments/assets/ca83b7ad-5708-411b-8faf-e36b365841a4)

 ## Contribution Policy

-Yaak is open source, but only accepting contributions for bug fixes. To get started, 
+Yaak is open source but only accepting contributions for bug fixes. To get started, 
 visit [`DEVELOPMENT.md`](DEVELOPMENT.md) for tips on setting up your environment.

-## Feature Overview
-
- 🪂 Import data from Postman, Insomnia, OpenAPI, Swagger, or Curl.<br/>
- 📤 Send requests via REST, GraphQL, Server Sent Events (SSE), WebSockets, or gRPC.<br/>
- 🔐 Automatically authorize requests with OAuth 2.0, JWT tokens, Basic Auth, and more.<br/>
- 🔎 Filter response bodies using JSONPath or XPath queries.<br/>
- ⛓️ Chain together multiple requests to dynamically reference values.<br/>
- 📂 Organize requests into workspaces and nested folders.<br/>
- 🧮 Use environment variables to easily switch between Prod and Dev.<br/>
- 🛡️ Secure arbitrary text values with end-to-end encryption<br/>
- 🏷️ Send dynamic values like UUIDs or timestamps using template tags.<br/>
- 🎨 Choose from many of the included themes, or make your own.<br/>
- 💽 Mirror workspace data to a directory for integration with Git or Dropbox.<br/>
- 📜 View response history for each request.<br/>
- 🔌 Create your own plugins for authentication, template tags, and more!<br/>
- 🛜 Configure a proxy to access firewall-blocked APIs
-
 ## Useful Resources

 - [Feedback and Bug Reports](https://feedback.yaak.app)
 - [Documentation](https://feedback.yaak.app/help)
- [Yaak vs Postman](https://yaak.app/blog/postman-alternative)
+- [Yaak vs Postman](https://yaak.app/alternatives/postman)
+- [Yaak vs Bruno](https://yaak.app/alternatives/bruno)
+- [Yaak vs Insomnia](https://yaak.app/alternatives/insomnia)
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -7,22 +7,25 @@
    "url": "git+https://github.com/mountain-loop/yaak.git"
  },
  "workspaces": [
+    "packages/common-lib",
    "packages/plugin-runtime",
    "packages/plugin-runtime-types",
-    "packages/common-lib",
+    "plugins/action-copy-curl",
+    "plugins/action-copy-grpcurl",
    "plugins/auth-apikey",
+    "plugins/auth-aws",
    "plugins/auth-basic",
    "plugins/auth-bearer",
    "plugins/auth-jwt",
    "plugins/auth-oauth2",
-    "plugins/action-copy-curl",
-    "plugins/action-copy-grpcurl",
+    "plugins/auth-oauth1",
    "plugins/filter-jsonpath",
    "plugins/filter-xpath",
    "plugins/importer-curl",
    "plugins/importer-insomnia",
    "plugins/importer-openapi",
    "plugins/importer-postman",
+    "plugins/importer-postman-environment",
    "plugins/importer-yaak",
    "plugins/template-function-cookie",
    "plugins/template-function-encode",
@@ -30,15 +33,18 @@
    "plugins/template-function-hash",
    "plugins/template-function-json",
    "plugins/template-function-prompt",
+    "plugins/template-function-random",
    "plugins/template-function-regex",
    "plugins/template-function-request",
    "plugins/template-function-response",
+    "plugins/template-function-timestamp",
    "plugins/template-function-uuid",
    "plugins/template-function-xml",
    "plugins/themes-yaak",
+    "src-tauri",
    "src-tauri/yaak-crypto",
-    "src-tauri/yaak-git",
    "src-tauri/yaak-fonts",
+    "src-tauri/yaak-git",
    "src-tauri/yaak-license",
    "src-tauri/yaak-mac-window",
    "src-tauri/yaak-models",
@@ -52,10 +58,14 @@
  "scripts": {
    "start": "npm run app-dev",
    "app-build": "tauri build",
-    "app-dev": "tauri dev --no-watch --config ./src-tauri/tauri-dev.conf.json",
+    "app-dev": "tauri dev --no-watch --config ./src-tauri/tauri.development.conf.json",
    "migration": "node scripts/create-migration.cjs",
    "build": "npm run --workspaces --if-present build",
    "build-plugins": "npm run --workspaces --if-present build",
+    "test": "npm run --workspaces --if-present test",
+    "icons": "run-p icons:*",
+    "icons:dev": "tauri icon src-tauri/icons/icon-dev.png --output src-tauri/icons/dev",
+    "icons:release": "tauri icon src-tauri/icons/icon.png --output src-tauri/icons/release",
    "bootstrap": "run-p bootstrap:* && npm run --workspaces --if-present bootstrap",
    "bootstrap:vendor-node": "node scripts/vendor-node.cjs",
    "bootstrap:vendor-plugins": "node scripts/vendor-plugins.cjs",
@@ -73,7 +83,7 @@
    "@eslint/compat": "^1.3.0",
    "@eslint/eslintrc": "^3.3.1",
    "@eslint/js": "^9.29.0",
-    "@tauri-apps/cli": "2.4.1",
+    "@tauri-apps/cli": "^2.9.1",
    "@typescript-eslint/eslint-plugin": "^8.27.0",
    "@typescript-eslint/parser": "^8.27.0",
    "@yaakapp/cli": "^0.2.7",
--- a/packages/plugin-runtime-types/package.json
+++ b/packages/plugin-runtime-types/package.json
@@ -1,6 +1,6 @@
 {
  "name": "@yaakapp/api",
-  "version": "0.6.6",
+  "version": "0.7.0",
  "keywords": [
    "api-client",
    "insomnia-alternative",
--- a/packages/plugin-runtime-types/src/bindings/gen_events.ts
+++ b/packages/plugin-runtime-types/src/bindings/gen_events.ts
@@ -4,8 +4,6 @@ import type { JsonValue } from "./serde_json/JsonValue.js";

 export type BootRequest = { dir: string, watch: boolean, };

-export type BootResponse = { name: string, version: string, };
-
 export type CallGrpcRequestActionArgs = { grpcRequest: GrpcRequest, protoFiles: Array<string>, };

 export type CallGrpcRequestActionRequest = { index: number, pluginRefId: string, args: CallGrpcRequestActionArgs, };
@@ -36,7 +34,7 @@ export type CallTemplateFunctionArgs = { purpose: RenderPurpose, values: { [key

 export type CallTemplateFunctionRequest = { name: string, args: CallTemplateFunctionArgs, };

-export type CallTemplateFunctionResponse = { value: string | null, };
+export type CallTemplateFunctionResponse = { value: string | null, error?: string, };

 export type CloseWindowRequest = { label: string, };

@@ -363,7 +361,11 @@ export type GetKeyValueRequest = { key: string, };

 export type GetKeyValueResponse = { value?: string, };

-export type GetTemplateFunctionsResponse = { functions: Array<TemplateFunction>, pluginRefId: string, };
+export type GetTemplateFunctionConfigRequest = { contextId: string, name: string, values: { [key in string]?: JsonPrimitive }, };
+
+export type GetTemplateFunctionConfigResponse = { function: TemplateFunction, pluginRefId: string, };
+
+export type GetTemplateFunctionSummaryResponse = { functions: Array<TemplateFunction>, pluginRefId: string, };

 export type GetThemesRequest = Record<string, never>;

@@ -387,7 +389,7 @@ export type ImportResponse = { resources: ImportResources, };

 export type InternalEvent = { id: string, pluginRefId: string, pluginName: string, replyId: string | null, windowContext: PluginWindowContext, payload: InternalEventPayload, };

-export type InternalEventPayload = { "type": "boot_request" } & BootRequest | { "type": "boot_response" } & BootResponse | { "type": "reload_request" } & EmptyPayload | { "type": "reload_response" } & BootResponse | { "type": "terminate_request" } | { "type": "terminate_response" } | { "type": "import_request" } & ImportRequest | { "type": "import_response" } & ImportResponse | { "type": "filter_request" } & FilterRequest | { "type": "filter_response" } & FilterResponse | { "type": "export_http_request_request" } & ExportHttpRequestRequest | { "type": "export_http_request_response" } & ExportHttpRequestResponse | { "type": "send_http_request_request" } & SendHttpRequestRequest | { "type": "send_http_request_response" } & SendHttpRequestResponse | { "type": "list_cookie_names_request" } & ListCookieNamesRequest | { "type": "list_cookie_names_response" } & ListCookieNamesResponse | { "type": "get_cookie_value_request" } & GetCookieValueRequest | { "type": "get_cookie_value_response" } & GetCookieValueResponse | { "type": "get_http_request_actions_request" } & EmptyPayload | { "type": "get_http_request_actions_response" } & GetHttpRequestActionsResponse | { "type": "call_http_request_action_request" } & CallHttpRequestActionRequest | { "type": "get_grpc_request_actions_request" } & EmptyPayload | { "type": "get_grpc_request_actions_response" } & GetGrpcRequestActionsResponse | { "type": "call_grpc_request_action_request" } & CallGrpcRequestActionRequest | { "type": "get_template_functions_request" } | { "type": "get_template_functions_response" } & GetTemplateFunctionsResponse | { "type": "call_template_function_request" } & CallTemplateFunctionRequest | { "type": "call_template_function_response" } & CallTemplateFunctionResponse | { "type": "get_http_authentication_summary_request" } & EmptyPayload | { "type": "get_http_authentication_summary_response" } & GetHttpAuthenticationSummaryResponse | { "type": "get_http_authentication_config_request" } & GetHttpAuthenticationConfigRequest | { "type": "get_http_authentication_config_response" } & GetHttpAuthenticationConfigResponse | { "type": "call_http_authentication_request" } & CallHttpAuthenticationRequest | { "type": "call_http_authentication_response" } & CallHttpAuthenticationResponse | { "type": "call_http_authentication_action_request" } & CallHttpAuthenticationActionRequest | { "type": "call_http_authentication_action_response" } & EmptyPayload | { "type": "copy_text_request" } & CopyTextRequest | { "type": "copy_text_response" } & EmptyPayload | { "type": "render_http_request_request" } & RenderHttpRequestRequest | { "type": "render_http_request_response" } & RenderHttpRequestResponse | { "type": "render_grpc_request_request" } & RenderGrpcRequestRequest | { "type": "render_grpc_request_response" } & RenderGrpcRequestResponse | { "type": "get_key_value_request" } & GetKeyValueRequest | { "type": "get_key_value_response" } & GetKeyValueResponse | { "type": "set_key_value_request" } & SetKeyValueRequest | { "type": "set_key_value_response" } & SetKeyValueResponse | { "type": "delete_key_value_request" } & DeleteKeyValueRequest | { "type": "delete_key_value_response" } & DeleteKeyValueResponse | { "type": "open_window_request" } & OpenWindowRequest | { "type": "window_navigate_event" } & WindowNavigateEvent | { "type": "window_close_event" } | { "type": "close_window_request" } & CloseWindowRequest | { "type": "template_render_request" } & TemplateRenderRequest | { "type": "template_render_response" } & TemplateRenderResponse | { "type": "show_toast_request" } & ShowToastRequest | { "type": "show_toast_response" } & EmptyPayload | { "type": "prompt_text_request" } & PromptTextRequest | { "type": "prompt_text_response" } & PromptTextResponse | { "type": "get_http_request_by_id_request" } & GetHttpRequestByIdRequest | { "type": "get_http_request_by_id_response" } & GetHttpRequestByIdResponse | { "type": "find_http_responses_request" } & FindHttpResponsesRequest | { "type": "find_http_responses_response" } & FindHttpResponsesResponse | { "type": "get_themes_request" } & GetThemesRequest | { "type": "get_themes_response" } & GetThemesResponse | { "type": "empty_response" } & EmptyPayload | { "type": "error_response" } & ErrorResponse;
+export type InternalEventPayload = { "type": "boot_request" } & BootRequest | { "type": "boot_response" } | { "type": "reload_response" } & ReloadResponse | { "type": "terminate_request" } | { "type": "terminate_response" } | { "type": "import_request" } & ImportRequest | { "type": "import_response" } & ImportResponse | { "type": "filter_request" } & FilterRequest | { "type": "filter_response" } & FilterResponse | { "type": "export_http_request_request" } & ExportHttpRequestRequest | { "type": "export_http_request_response" } & ExportHttpRequestResponse | { "type": "send_http_request_request" } & SendHttpRequestRequest | { "type": "send_http_request_response" } & SendHttpRequestResponse | { "type": "list_cookie_names_request" } & ListCookieNamesRequest | { "type": "list_cookie_names_response" } & ListCookieNamesResponse | { "type": "get_cookie_value_request" } & GetCookieValueRequest | { "type": "get_cookie_value_response" } & GetCookieValueResponse | { "type": "get_http_request_actions_request" } & EmptyPayload | { "type": "get_http_request_actions_response" } & GetHttpRequestActionsResponse | { "type": "call_http_request_action_request" } & CallHttpRequestActionRequest | { "type": "get_grpc_request_actions_request" } & EmptyPayload | { "type": "get_grpc_request_actions_response" } & GetGrpcRequestActionsResponse | { "type": "call_grpc_request_action_request" } & CallGrpcRequestActionRequest | { "type": "get_template_function_summary_request" } & EmptyPayload | { "type": "get_template_function_summary_response" } & GetTemplateFunctionSummaryResponse | { "type": "get_template_function_config_request" } & GetTemplateFunctionConfigRequest | { "type": "get_template_function_config_response" } & GetTemplateFunctionConfigResponse | { "type": "call_template_function_request" } & CallTemplateFunctionRequest | { "type": "call_template_function_response" } & CallTemplateFunctionResponse | { "type": "get_http_authentication_summary_request" } & EmptyPayload | { "type": "get_http_authentication_summary_response" } & GetHttpAuthenticationSummaryResponse | { "type": "get_http_authentication_config_request" } & GetHttpAuthenticationConfigRequest | { "type": "get_http_authentication_config_response" } & GetHttpAuthenticationConfigResponse | { "type": "call_http_authentication_request" } & CallHttpAuthenticationRequest | { "type": "call_http_authentication_response" } & CallHttpAuthenticationResponse | { "type": "call_http_authentication_action_request" } & CallHttpAuthenticationActionRequest | { "type": "call_http_authentication_action_response" } & EmptyPayload | { "type": "copy_text_request" } & CopyTextRequest | { "type": "copy_text_response" } & EmptyPayload | { "type": "render_http_request_request" } & RenderHttpRequestRequest | { "type": "render_http_request_response" } & RenderHttpRequestResponse | { "type": "render_grpc_request_request" } & RenderGrpcRequestRequest | { "type": "render_grpc_request_response" } & RenderGrpcRequestResponse | { "type": "template_render_request" } & TemplateRenderRequest | { "type": "template_render_response" } & TemplateRenderResponse | { "type": "get_key_value_request" } & GetKeyValueRequest | { "type": "get_key_value_response" } & GetKeyValueResponse | { "type": "set_key_value_request" } & SetKeyValueRequest | { "type": "set_key_value_response" } & SetKeyValueResponse | { "type": "delete_key_value_request" } & DeleteKeyValueRequest | { "type": "delete_key_value_response" } & DeleteKeyValueResponse | { "type": "open_window_request" } & OpenWindowRequest | { "type": "window_navigate_event" } & WindowNavigateEvent | { "type": "window_close_event" } | { "type": "close_window_request" } & CloseWindowRequest | { "type": "show_toast_request" } & ShowToastRequest | { "type": "show_toast_response" } & EmptyPayload | { "type": "prompt_text_request" } & PromptTextRequest | { "type": "prompt_text_response" } & PromptTextResponse | { "type": "get_http_request_by_id_request" } & GetHttpRequestByIdRequest | { "type": "get_http_request_by_id_response" } & GetHttpRequestByIdResponse | { "type": "find_http_responses_request" } & FindHttpResponsesRequest | { "type": "find_http_responses_response" } & FindHttpResponsesResponse | { "type": "get_themes_request" } & GetThemesRequest | { "type": "get_themes_response" } & GetThemesResponse | { "type": "empty_response" } & EmptyPayload | { "type": "error_response" } & ErrorResponse;

 export type JsonPrimitive = string | number | boolean | null;

@@ -419,6 +421,8 @@ required?: boolean, };

 export type PromptTextResponse = { value: string | null, };

+export type ReloadResponse = { silent: boolean, };
+
 export type RenderGrpcRequestRequest = { grpcRequest: GrpcRequest, purpose: RenderPurpose, };

 export type RenderGrpcRequestResponse = { grpcRequest: GrpcRequest, };
@@ -437,7 +441,7 @@ export type SetKeyValueRequest = { key: string, value: string, };

 export type SetKeyValueResponse = {};

-export type ShowToastRequest = { message: string, color?: Color, icon?: Icon, };
+export type ShowToastRequest = { message: string, color?: Color, icon?: Icon, timeout?: number, };

 export type TemplateFunction = { name: string, description?: string, 
 /**
--- a/packages/plugin-runtime-types/src/bindings/gen_models.ts
+++ b/packages/plugin-runtime-types/src/bindings/gen_models.ts
@@ -1,6 +1,6 @@
 // This file was generated by [ts-rs](https://github.com/Aleph-Alpha/ts-rs). Do not edit this file manually.

-export type Environment = { model: "environment", id: string, workspaceId: string, createdAt: string, updatedAt: string, name: string, public: boolean, base: boolean, variables: Array<EnvironmentVariable>, color: string | null, };
+export type Environment = { model: "environment", id: string, workspaceId: string, createdAt: string, updatedAt: string, name: string, public: boolean, parentModel: string, parentId: string | null, variables: Array<EnvironmentVariable>, color: string | null, sortPriority: number, };

 export type EnvironmentVariable = { enabled?: boolean, name: string, value: string, id?: string, };

--- a/packages/plugin-runtime-types/src/plugins/Context.ts
+++ b/packages/plugin-runtime-types/src/plugins/Context.ts
@@ -61,4 +61,7 @@ export interface Context {
  templates: {
    render<T extends JsonValue>(args: TemplateRenderRequest & { data: T }): Promise<T>;
  };
+  plugin: {
+    reload(): void;
+  };
 }
--- a/packages/plugin-runtime-types/src/plugins/TemplateFunctionPlugin.ts
+++ b/packages/plugin-runtime-types/src/plugins/TemplateFunctionPlugin.ts
@@ -1,12 +1,21 @@
 import {
  CallTemplateFunctionArgs,
+  FormInput,
+  GetHttpAuthenticationConfigRequest,
  TemplateFunction,
-} from "../bindings/gen_events";
-import { Context } from "./Context";
+  TemplateFunctionArg,
+} from '../bindings/gen_events';
+import { MaybePromise } from '../helpers';
+import { Context } from './Context';
+
+export type DynamicTemplateFunctionArg = FormInput & {
+  dynamic(
+    ctx: Context,
+    args: GetHttpAuthenticationConfigRequest,
+  ): MaybePromise<Partial<FormInput> | undefined | null>;
+};

 export type TemplateFunctionPlugin = TemplateFunction & {
-  onRender(
-    ctx: Context,
-    args: CallTemplateFunctionArgs,
-  ): Promise<string | null>;
+  args: (TemplateFunctionArg | DynamicTemplateFunctionArg)[];
+  onRender(ctx: Context, args: CallTemplateFunctionArgs): Promise<string | null>;
 };
--- a/packages/plugin-runtime-types/src/plugins/index.ts
+++ b/packages/plugin-runtime-types/src/plugins/index.ts
@@ -6,12 +6,16 @@ import type { ImporterPlugin } from './ImporterPlugin';
 import type { TemplateFunctionPlugin } from './TemplateFunctionPlugin';
 import type { ThemePlugin } from './ThemePlugin';

-export type { Context } from './Context';
+import type { Context } from './Context';
+
+export type { Context };

 /**
 * The global structure of a Yaak plugin
 */
 export type PluginDefinition = {
+  init?: (ctx: Context) => void | Promise<void>;
+  dispose?: () => void | Promise<void>;
  importer?: ImporterPlugin;
  themes?: ThemePlugin[];
  filter?: FilterPlugin;
--- a/packages/plugin-runtime/src/PluginHandle.ts
+++ b/packages/plugin-runtime/src/PluginHandle.ts
@@ -21,7 +21,7 @@ export class PluginHandle {
    this.#instance.postMessage(event);
  }

-  terminate() {
-    this.#instance.terminate();
+  async terminate() {
+    await this.#instance.terminate();
  }
 }
--- a/packages/plugin-runtime/src/PluginInstance.ts
+++ b/packages/plugin-runtime/src/PluginInstance.ts
@@ -1,6 +1,5 @@
 import {
  BootRequest,
-  BootResponse,
  DeleteKeyValueResponse,
  FindHttpResponsesResponse,
  FormInput,
@@ -56,19 +55,19 @@ export class PluginInstance {
    // Reload plugin if the JS or package.json changes
    const windowContextNone: PluginWindowContext = { type: 'none' };

-    this.#mod = {};
+    this.#mod = {} as any;
    this.#pkg = JSON.parse(readFileSync(this.#pathPkg(), 'utf8'));

-    const bootResponse: BootResponse = {
-      name: this.#pkg.name ?? 'unknown',
-      version: this.#pkg.version ?? '0.0.1',
-    };
-
    const fileChangeCallback = async () => {
+      await this.#mod?.dispose?.();
      this.#importModule();
+      await this.#mod?.init?.(this.#newCtx({ type: 'none' }));
      return this.#sendPayload(
        windowContextNone,
-        { type: 'reload_response', ...bootResponse },
+        {
+          type: 'reload_response',
+          silent: false,
+        },
        null,
      );
    };
@@ -85,23 +84,20 @@ export class PluginInstance {
    this.#appToPluginEvents.emit(event);
  }

-  terminate() {
+  async terminate() {
+    await this.#mod?.dispose?.();
    this.#unimportModule();
  }

  async #onMessage(event: InternalEvent) {
-    const ctx = this.#newCtx(event);
+    const ctx = this.#newCtx(event.windowContext);

    const { windowContext, payload, id: replyId } = event;
+
    try {
      if (payload.type === 'boot_request') {
-        // console.log('Plugin initialized', pkg.name, { capabilities, enableWatch });
-        const payload: InternalEventPayload = {
-          type: 'boot_response',
-          name: this.#pkg.name ?? 'unknown',
-          version: this.#pkg.version ?? '0.0.1',
-        };
-        this.#sendPayload(windowContext, payload, replyId);
+        await this.#mod?.init?.(ctx);
+        this.#sendPayload(windowContext, { type: 'boot_response' }, replyId);
        return;
      }

@@ -109,6 +105,7 @@ export class PluginInstance {
        const payload: InternalEventPayload = {
          type: 'terminate_response',
        };
+        await this.terminate();
        this.#sendPayload(windowContext, payload, replyId);
        return;
      }
@@ -189,32 +186,65 @@ export class PluginInstance {
      }

      if (
-        payload.type === 'get_template_functions_request' &&
+        payload.type === 'get_template_function_summary_request' &&
        Array.isArray(this.#mod?.templateFunctions)
      ) {
-        const reply: TemplateFunction[] = this.#mod.templateFunctions.map((templateFunction) => {
-          return {
-            ...migrateTemplateFunctionSelectOptions(templateFunction),
-            // Add everything except render
-            onRender: undefined,
-          };
-        });
+        const functions: TemplateFunction[] = this.#mod.templateFunctions.map(
+          (templateFunction) => {
+            return {
+              ...migrateTemplateFunctionSelectOptions(templateFunction),
+              // Add everything except render
+              onRender: undefined,
+            };
+          },
+        );
        const replyPayload: InternalEventPayload = {
-          type: 'get_template_functions_response',
+          type: 'get_template_function_summary_response',
          pluginRefId: this.#workerData.pluginRefId,
-          functions: reply,
+          functions,
+        };
+        this.#sendPayload(windowContext, replyPayload, replyId);
+        return;
+      }
+
+      if (
+        payload.type === 'get_template_function_config_request' &&
+        Array.isArray(this.#mod?.templateFunctions)
+      ) {
+        let templateFunction = this.#mod.templateFunctions.find((f) => f.name === payload.name);
+        if (templateFunction == null) {
+          this.#sendEmpty(windowContext, replyId);
+          return;
+        }
+
+        templateFunction = migrateTemplateFunctionSelectOptions(templateFunction);
+        // @ts-ignore
+        delete templateFunction.onRender;
+        const resolvedArgs: TemplateFunctionArg[] = [];
+        for (const arg of templateFunction.args) {
+          if (arg && 'dynamic' in arg) {
+            const dynamicAttrs = await arg.dynamic(ctx, payload);
+            const { dynamic, ...other } = arg;
+            resolvedArgs.push({ ...other, ...dynamicAttrs } as TemplateFunctionArg);
+          } else if (arg) {
+            resolvedArgs.push(arg);
+          }
+          templateFunction.args = resolvedArgs;
+        }
+        const replyPayload: InternalEventPayload = {
+          type: 'get_template_function_config_response',
+          pluginRefId: this.#workerData.pluginRefId,
+          function: templateFunction,
        };
        this.#sendPayload(windowContext, replyPayload, replyId);
        return;
      }

      if (payload.type === 'get_http_authentication_summary_request' && this.#mod?.authentication) {
-        const { name, shortLabel, label } = this.#mod.authentication;
+
        const replyPayload: InternalEventPayload = {
          type: 'get_http_authentication_summary_response',
-          name,
-          label,
-          shortLabel,
+          ...this.#mod.authentication,
        };

        this.#sendPayload(windowContext, replyPayload, replyId);
@@ -308,22 +338,30 @@ export class PluginInstance {
        const fn = this.#mod.templateFunctions.find((a) => a.name === payload.name);
        if (typeof fn?.onRender === 'function') {
          applyFormInputDefaults(fn.args, payload.args.values);
-          const result = await fn.onRender(ctx, payload.args);
-          this.#sendPayload(
-            windowContext,
-            {
-              type: 'call_template_function_response',
-              value: result ?? null,
-            },
-            replyId,
-          );
+          try {
+            const result = await fn.onRender(ctx, payload.args);
+            this.#sendPayload(
+              windowContext,
+              {
+                type: 'call_template_function_response',
+                value: result ?? null,
+              },
+              replyId,
+            );
+          } catch (err) {
+            this.#sendPayload(
+              windowContext,
+              {
+                type: 'call_template_function_response',
+                value: null,
+                error: `${err}`.replace(/^Error:\s*/g, ''),
+              },
+              replyId,
+            );
+          }
          return;
        }
      }
-
-      if (payload.type === 'reload_request') {
-        this.#importModule();
-      }
    } catch (err) {
      const error = `${err}`.replace(/^Error:\s*/g, '');
      console.log('Plugin call threw exception', payload.type, '→', error);
@@ -435,11 +473,11 @@ export class PluginInstance {
    this.#sendEvent(eventToSend);
  }

-  #newCtx(event: InternalEvent): Context {
+  #newCtx(windowContext: PluginWindowContext): Context {
    return {
      clipboard: {
        copyText: async (text) => {
-          await this.#sendAndWaitForReply(event.windowContext, {
+          await this.#sendAndWaitForReply(windowContext, {
            type: 'copy_text_request',
            text,
          });
@@ -447,8 +485,10 @@ export class PluginInstance {
      },
      toast: {
        show: async (args) => {
-          await this.#sendAndWaitForReply(event.windowContext, {
+          await this.#sendAndWaitForReply(windowContext, {
            type: 'show_toast_request',
+            // Handle default here because null/undefined both convert to None in Rust translation
+            timeout: args.timeout === undefined ? 5000 : args.timeout,
            ...args,
          });
        },
@@ -464,21 +504,21 @@ export class PluginInstance {
              onClose?.();
            }
          };
-          this.#sendAndListenForEvents(event.windowContext, payload, onEvent);
+          this.#sendAndListenForEvents(windowContext, payload, onEvent);
          return {
            close: () => {
              const closePayload: InternalEventPayload = {
                type: 'close_window_request',
                label: args.label,
              };
-              this.#sendPayload(event.windowContext, closePayload, null);
+              this.#sendPayload(windowContext, closePayload, null);
            },
          };
        },
      },
      prompt: {
        text: async (args) => {
-          const reply: PromptTextResponse = await this.#sendAndWaitForReply(event.windowContext, {
+          const reply: PromptTextResponse = await this.#sendAndWaitForReply(windowContext, {
            type: 'prompt_text_request',
            ...args,
          });
@@ -492,7 +532,7 @@ export class PluginInstance {
            ...args,
          } as const;
          const { httpResponses } = await this.#sendAndWaitForReply<FindHttpResponsesResponse>(
-            event.windowContext,
+            windowContext,
            payload,
          );
          return httpResponses;
@@ -505,7 +545,7 @@ export class PluginInstance {
            ...args,
          } as const;
          const { grpcRequest } = await this.#sendAndWaitForReply<RenderGrpcRequestResponse>(
-            event.windowContext,
+            windowContext,
            payload,
          );
          return grpcRequest;
@@ -518,7 +558,7 @@ export class PluginInstance {
            ...args,
          } as const;
          const { httpRequest } = await this.#sendAndWaitForReply<GetHttpRequestByIdResponse>(
-            event.windowContext,
+            windowContext,
            payload,
          );
          return httpRequest;
@@ -529,7 +569,7 @@ export class PluginInstance {
            ...args,
          } as const;
          const { httpResponse } = await this.#sendAndWaitForReply<SendHttpRequestResponse>(
-            event.windowContext,
+            windowContext,
            payload,
          );
          return httpResponse;
@@ -540,7 +580,7 @@ export class PluginInstance {
            ...args,
          } as const;
          const { httpRequest } = await this.#sendAndWaitForReply<RenderHttpRequestResponse>(
-            event.windowContext,
+            windowContext,
            payload,
          );
          return httpRequest;
@@ -553,7 +593,7 @@ export class PluginInstance {
            ...args,
          } as const;
          const { value } = await this.#sendAndWaitForReply<GetCookieValueResponse>(
-            event.windowContext,
+            windowContext,
            payload,
          );
          return value;
@@ -561,7 +601,7 @@ export class PluginInstance {
        listNames: async () => {
          const payload = { type: 'list_cookie_names_request' } as const;
          const { names } = await this.#sendAndWaitForReply<ListCookieNamesResponse>(
-            event.windowContext,
+            windowContext,
            payload,
          );
          return names;
@@ -575,7 +615,7 @@ export class PluginInstance {
        render: async (args) => {
          const payload = { type: 'template_render_request', ...args } as const;
          const result = await this.#sendAndWaitForReply<TemplateRenderResponse>(
-            event.windowContext,
+            windowContext,
            payload,
          );
          return result.data as any;
@@ -585,7 +625,7 @@ export class PluginInstance {
        get: async <T>(key: string) => {
          const payload = { type: 'get_key_value_request', key } as const;
          const result = await this.#sendAndWaitForReply<GetKeyValueResponse>(
-            event.windowContext,
+            windowContext,
            payload,
          );
          return result.value ? (JSON.parse(result.value) as T) : undefined;
@@ -597,17 +637,22 @@ export class PluginInstance {
            key,
            value: valueStr,
          };
-          await this.#sendAndWaitForReply<GetKeyValueResponse>(event.windowContext, payload);
+          await this.#sendAndWaitForReply<GetKeyValueResponse>(windowContext, payload);
        },
        delete: async (key: string) => {
          const payload = { type: 'delete_key_value_request', key } as const;
          const result = await this.#sendAndWaitForReply<DeleteKeyValueResponse>(
-            event.windowContext,
+            windowContext,
            payload,
          );
          return result.deleted;
        },
      },
+      plugin: {
+        reload: () => {
+          this.#sendPayload({ type: 'none' }, { type: 'reload_response', silent: true }, null);
+        },
+      },
    };
  }
 }
--- a/packages/plugin-runtime/src/index.ts
+++ b/packages/plugin-runtime/src/index.ts
@@ -8,10 +8,15 @@ if (!port) {
  throw new Error('Plugin runtime missing PORT')
 }

+const host = process.env.HOST;
+if (!host) {
+  throw new Error('Plugin runtime missing HOST')
+}
+
 const pluginToAppEvents = new EventChannel();
 const plugins: Record<string, PluginHandle> = {};

-const ws = new WebSocket(`ws://localhost:${port}`);
+const ws = new WebSocket(`ws://${host}:${port}`);

 ws.on('message', async (e: Buffer) => {
  try {
@@ -46,7 +51,7 @@ async function handleIncoming(msg: string) {
  }

  if (pluginEvent.payload.type === 'terminate_request') {
-    plugin.terminate();
+    await plugin.terminate();
    console.log('Terminated plugin worker', pluginEvent.pluginRefId);
    delete plugins[pluginEvent.pluginRefId];
  }
--- a/packages/plugin-runtime/src/migrations.ts
+++ b/packages/plugin-runtime/src/migrations.ts
@@ -1,6 +1,8 @@
-import { TemplateFunction } from '@yaakapp/api';
+import { TemplateFunctionPlugin } from '@yaakapp/api/lib/plugins/TemplateFunctionPlugin';

-export function migrateTemplateFunctionSelectOptions(f: TemplateFunction): TemplateFunction {
+export function migrateTemplateFunctionSelectOptions(
+  f: TemplateFunctionPlugin,
+): TemplateFunctionPlugin {
  const migratedArgs = f.args.map((a) => {
    if (a.type === 'select') {
      a.options = a.options.map((o) => ({
--- a/plugins/action-copy-curl/package.json
+++ b/plugins/action-copy-curl/package.json
@@ -12,6 +12,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint": "tsc --noEmit && eslint . --ext .ts,.tsx",
+    "test": "vitest --run tests"
  }
 }
--- a/plugins/action-copy-curl/src/index.ts
+++ b/plugins/action-copy-curl/src/index.ts
@@ -34,18 +34,38 @@ export async function convertToCurl(request: Partial<HttpRequest>) {
  let finalUrl = request.url || '';
  const urlParams = (request.urlParameters ?? []).filter(onlyEnabled);
  if (urlParams.length > 0) {
-    // Build url 
+    // Build url
    const [base, hash] = finalUrl.split('#');
    const separator = base!.includes('?') ? '&' : '?';
    const queryString = urlParams
-      .map(p => `${encodeURIComponent(p.name)}=${encodeURIComponent(p.value)}`)
+      .map((p) => `${encodeURIComponent(p.name)}=${encodeURIComponent(p.value)}`)
      .join('&');
    finalUrl = base + separator + queryString + (hash ? `#${hash}` : '');
  }
-  
+
+  // Add API key authentication
+  if (request.authenticationType === 'apikey') {
+    if (request.authentication?.location === 'query') {
+      const sep = finalUrl.includes('?') ? '&' : '?';
+      finalUrl = [
+        finalUrl,
+        sep,
+        encodeURIComponent(request.authentication?.key ?? 'token'),
+        '=',
+        encodeURIComponent(request.authentication?.value ?? ''),
+      ].join('');
+    } else {
+      request.headers = request.headers ?? [];
+      request.headers.push({
+        name: request.authentication?.key ?? 'X-Api-Key',
+        value: request.authentication?.value ?? '',
+      });
+    }
+  }
+
  xs.push(quote(finalUrl));
  xs.push(NEWLINE);
-  
+
  // Add headers
  for (const h of (request.headers ?? []).filter(onlyEnabled)) {
    xs.push('--header', quote(`${h.name}: ${h.value}`));
@@ -53,7 +73,11 @@ export async function convertToCurl(request: Partial<HttpRequest>) {
  }

  // Add form params
-  if (Array.isArray(request.body?.form)) {
+  const type = request.bodyType ?? 'none';
+  if (
+    (type === 'multipart/form-data' || type === 'application/x-www-form-urlencoded') &&
+    Array.isArray(request.body?.form)
+  ) {
    const flag = request.bodyType === 'multipart/form-data' ? '--form' : '--data';
    for (const p of (request.body?.form ?? []).filter(onlyEnabled)) {
      if (p.file) {
@@ -65,32 +89,62 @@ export async function convertToCurl(request: Partial<HttpRequest>) {
      }
      xs.push(NEWLINE);
    }
-  } else if (typeof request.body?.query === 'string') {
+  } else if (type === 'graphql' && typeof request.body?.query === 'string') {
    const body = {
      query: request.body.query || '',
      variables: maybeParseJSON(request.body.variables, undefined),
    };
    xs.push('--data', quote(JSON.stringify(body)));
    xs.push(NEWLINE);
-  } else if (typeof request.body?.text === 'string') {
+  } else if (type !== 'none' && typeof request.body?.text === 'string') {
    xs.push('--data', quote(request.body.text));
    xs.push(NEWLINE);
  }

  // Add basic/digest authentication
-  if (request.authenticationType === 'basic' || request.authenticationType === 'digest') {
-    if (request.authenticationType === 'digest') xs.push('--digest');
-    xs.push(
-      '--user',
-      quote(`${request.authentication?.username ?? ''}:${request.authentication?.password ?? ''}`),
-    );
-    xs.push(NEWLINE);
-  }
+  if (request.authentication?.disabled !== true) {
+    if (request.authenticationType === 'basic' || request.authenticationType === 'digest') {
+      if (request.authenticationType === 'digest') xs.push('--digest');
+      xs.push(
+        '--user',
+        quote(
+          `${request.authentication?.username ?? ''}:${request.authentication?.password ?? ''}`,
+        ),
+      );
+      xs.push(NEWLINE);
+    }

-  // Add bearer authentication
-  if (request.authenticationType === 'bearer') {
-    xs.push('--header', quote(`Authorization: Bearer ${request.authentication?.token ?? ''}`));
-    xs.push(NEWLINE);
+    // Add bearer authentication
+    if (request.authenticationType === 'bearer') {
+      const value =
+        `${request.authentication?.prefix ?? 'Bearer'} ${request.authentication?.token ?? ''}`.trim();
+      xs.push('--header', quote(`Authorization: ${value}`));
+      xs.push(NEWLINE);
+    }
+
+    if (request.authenticationType === 'auth-aws-sig-v4') {
+      xs.push(
+        '--aws-sigv4',
+        [
+          'aws',
+          'amz',
+          request.authentication?.region ?? '',
+          request.authentication?.service ?? '',
+        ].join(':'),
+      );
+      xs.push(NEWLINE);
+      xs.push(
+        '--user',
+        quote(
+          `${request.authentication?.accessKeyId ?? ''}:${request.authentication?.secretAccessKey ?? ''}`,
+        ),
+      );
+      if (request.authentication?.sessionToken) {
+        xs.push(NEWLINE);
+        xs.push('--header', quote(`X-Amz-Security-Token: ${request.authentication.sessionToken}`));
+      }
+      xs.push(NEWLINE);
+    }
  }

  // Remove trailing newline
@@ -116,4 +170,4 @@ function maybeParseJSON<T>(v: string, fallback: T) {
  } catch {
    return fallback;
  }
-}
+}
--- a/plugins/action-copy-curl/tests/index.test.ts
+++ b/plugins/action-copy-curl/tests/index.test.ts
@@ -12,9 +12,7 @@ describe('exporter-curl', () => {
          { name: 'c', value: 'ccc', enabled: false },
        ],
      }),
-    ).toEqual(
-      [`curl 'https://yaak.app/?a=aaa&b=bbb'`].join(` \\n  `),
-    );
+    ).toEqual([`curl 'https://yaak.app?a=aaa&b=bbb'`].join(` \\n  `));
  });

  test('Exports GET with params and hash', async () => {
@@ -27,10 +25,9 @@ describe('exporter-curl', () => {
          { name: 'c', value: 'ccc', enabled: false },
        ],
      }),
-    ).toEqual(
-      [`curl 'https://yaak.app/path?a=aaa&b=bbb#section'`].join(` \\n  `),
-    );
+    ).toEqual([`curl 'https://yaak.app/path?a=aaa&b=bbb#section'`].join(` \\n  `));
  });
+
  test('Exports POST with url form data', async () => {
    expect(
      await convertToCurl({
@@ -62,7 +59,10 @@ describe('exporter-curl', () => {
        },
      }),
    ).toEqual(
-      [`curl -X POST 'https://yaak.app'`, `--data '{"query":"{foo,bar}","variables":{"a":"aaa","b":"bbb"}}'`].join(` \\\n  `),
+      [
+        `curl -X POST 'https://yaak.app'`,
+        `--data '{"query":"{foo,bar}","variables":{"a":"aaa","b":"bbb"}}'`,
+      ].join(` \\\n  `),
    );
  });

@@ -171,6 +171,20 @@ describe('exporter-curl', () => {
    ).toEqual([`curl 'https://yaak.app'`, `--user 'user:pass'`].join(` \\\n  `));
  });

+  test('Basic auth disabled', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'basic',
+        authentication: {
+          disabled: true,
+          username: 'user',
+          password: 'pass',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`].join(` \\\n  `));
+  });
+
  test('Broken basic auth', async () => {
    expect(
      await convertToCurl({
@@ -206,6 +220,34 @@ describe('exporter-curl', () => {
    ).toEqual([`curl 'https://yaak.app'`, `--header 'Authorization: Bearer tok'`].join(` \\\n  `));
  });

+  test('Bearer auth with custom prefix', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'bearer',
+        authentication: {
+          token: 'abc123',
+          prefix: 'Token',
+        },
+      }),
+    ).toEqual(
+      [`curl 'https://yaak.app'`, `--header 'Authorization: Token abc123'`].join(` \\\n  `),
+    );
+  });
+
+  test('Bearer auth with empty prefix', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'bearer',
+        authentication: {
+          token: 'xyz789',
+          prefix: '',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`, `--header 'Authorization: xyz789'`].join(` \\\n  `));
+  });
+
  test('Broken bearer auth', async () => {
    expect(
      await convertToCurl({
@@ -216,6 +258,157 @@ describe('exporter-curl', () => {
          password: 'pass',
        },
      }),
-    ).toEqual([`curl 'https://yaak.app'`, `--header 'Authorization: Bearer '`].join(` \\\n  `));
+    ).toEqual([`curl 'https://yaak.app'`, `--header 'Authorization: Bearer'`].join(` \\\n  `));
  });
-});
+
+  test('AWS v4 auth', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'auth-aws-sig-v4',
+        authentication: {
+          accessKeyId: 'ak',
+          secretAccessKey: 'sk',
+          sessionToken: '',
+          region: 'us-east-1',
+          service: 's3',
+        },
+      }),
+    ).toEqual(
+      [`curl 'https://yaak.app'`, `--aws-sigv4 aws:amz:us-east-1:s3`, `--user 'ak:sk'`].join(
+        ` \\\n  `,
+      ),
+    );
+  });
+
+  test('AWS v4 auth with session', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'auth-aws-sig-v4',
+        authentication: {
+          accessKeyId: 'ak',
+          secretAccessKey: 'sk',
+          sessionToken: 'st',
+          region: 'us-east-1',
+          service: 's3',
+        },
+      }),
+    ).toEqual(
+      [
+        `curl 'https://yaak.app'`,
+        `--aws-sigv4 aws:amz:us-east-1:s3`,
+        `--user 'ak:sk'`,
+        `--header 'X-Amz-Security-Token: st'`,
+      ].join(` \\\n  `),
+    );
+  });
+
+  test('API key auth header', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'header',
+          key: 'X-Header',
+          value: 'my-token',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`, `--header 'X-Header: my-token'`].join(` \\\n  `));
+  });
+
+  test('API key auth header query', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app?hi=there',
+        urlParameters: [{ name: 'param', value: 'hi' }],
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'query',
+          key: 'foo',
+          value: 'bar',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app?hi=there&param=hi&foo=bar'`].join(` \\\n  `));
+  });
+
+  test('API key auth header query with params', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        urlParameters: [{ name: 'param', value: 'hi' }],
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'query',
+          key: 'foo',
+          value: 'bar',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app?param=hi&foo=bar'`].join(` \\\n  `));
+  });
+
+  test('API key auth header default', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'header',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`, `--header 'X-Api-Key: '`].join(` \\\n  `));
+  });
+
+  test('API key auth query', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'query',
+          key: 'foo',
+          value: 'bar-baz',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app?foo=bar-baz'`].join(` \\\n  `));
+  });
+
+  test('API key auth query with existing', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app?foo=bar&baz=qux',
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'query',
+          key: 'hi',
+          value: 'there',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app?foo=bar&baz=qux&hi=there'`].join(` \\\n  `));
+  });
+
+  test('API key auth query default', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app?foo=bar&baz=qux',
+        authenticationType: 'apikey',
+        authentication: {
+          location: 'query',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app?foo=bar&baz=qux&token='`].join(` \\\n  `));
+  });
+
+  test('Stale body data', async () => {
+    expect(
+      await convertToCurl({
+        url: 'https://yaak.app',
+        bodyType: 'none',
+        body: {
+          text: 'ignore me',
+        },
+      }),
+    ).toEqual([`curl 'https://yaak.app'`].join(` \\\n  `));
+  });
+});
--- a/plugins/action-copy-grpcurl/package.json
+++ b/plugins/action-copy-grpcurl/package.json
@@ -12,6 +12,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx",
+    "test": "vitest --run tests"
  }
 }
--- a/plugins/action-copy-grpcurl/src/index.ts
+++ b/plugins/action-copy-grpcurl/src/index.ts
@@ -41,8 +41,8 @@ export async function convert(request: Partial<GrpcRequest>, allProtoFiles: stri
    if (protoDir) {
      inferredIncludes.add(protoDir);
    } else {
-      inferredIncludes.add(path.join(f, '..'));
-      inferredIncludes.add(path.join(f, '..', '..'));
+      inferredIncludes.add(path.posix.join(f, '..'));
+      inferredIncludes.add(path.posix.join(f, '..', '..'));
    }
  }

@@ -68,16 +68,37 @@ export async function convert(request: Partial<GrpcRequest>, allProtoFiles: stri
  }

  // Add basic authentication
-  if (request.authenticationType === 'basic') {
-    const user = request.authentication?.username ?? '';
-    const pass = request.authentication?.password ?? '';
-    const encoded = btoa(`${user}:${pass}`);
-    xs.push('-H', quote(`Authorization: Basic ${encoded}`));
-    xs.push(NEWLINE);
-  } else if (request.authenticationType === 'bearer') {
-    // Add bearer authentication
-    xs.push('-H', quote(`Authorization: Bearer ${request.authentication?.token ?? ''}`));
-    xs.push(NEWLINE);
+  if (request.authentication?.disabled !== true) {
+    if (request.authenticationType === 'basic') {
+      const user = request.authentication?.username ?? '';
+      const pass = request.authentication?.password ?? '';
+      const encoded = btoa(`${user}:${pass}`);
+      xs.push('-H', quote(`Authorization: Basic ${encoded}`));
+      xs.push(NEWLINE);
+    } else if (request.authenticationType === 'bearer') {
+      // Add bearer authentication
+      xs.push('-H', quote(`Authorization: Bearer ${request.authentication?.token ?? ''}`));
+      xs.push(NEWLINE);
+    } else if (request.authenticationType === 'apikey') {
+      if (request.authentication?.location === 'query') {
+        const sep = request.url?.includes('?') ? '&' : '?';
+        request.url = [
+          request.url,
+          sep,
+          encodeURIComponent(request.authentication?.key ?? 'token'),
+          '=',
+          encodeURIComponent(request.authentication?.value ?? ''),
+        ].join('');
+      } else {
+        xs.push(
+          '-H',
+          quote(
+            `${request.authentication?.key ?? 'X-Api-Key'}: ${request.authentication?.value ?? ''}`,
+          ),
+        );
+      }
+      xs.push(NEWLINE);
+    }
  }

  // Add form params
--- a/plugins/action-copy-grpcurl/tests/index.test.ts
+++ b/plugins/action-copy-grpcurl/tests/index.test.ts
@@ -27,6 +27,55 @@ describe('exporter-curl', () => {
      ),
    ).toEqual([`grpcurl -H 'aaa: AAA'`, `-H 'bbb: BBB'`, `yaak.app`].join(` \\\n  `));
  });
+  test('Basic auth', async () => {
+    expect(
+      await convert(
+        {
+          url: 'https://yaak.app',
+          authenticationType: 'basic',
+          authentication: {
+            username: 'user',
+            password: 'pass',
+          },
+        },
+        [],
+      ),
+    ).toEqual([`grpcurl -H 'Authorization: Basic dXNlcjpwYXNz'`, `yaak.app`].join(` \\\n  `));
+  });
+
+  test('API key auth', async () => {
+    expect(
+      await convert(
+        {
+          url: 'https://yaak.app',
+          authenticationType: 'apikey',
+          authentication: {
+            key: 'X-Token',
+            value: 'tok',
+          },
+        },
+        [],
+      ),
+    ).toEqual([`grpcurl -H 'X-Token: tok'`, `yaak.app`].join(` \\\n  `));
+  });
+
+  test('API key auth', async () => {
+    expect(
+      await convert(
+        {
+          url: 'https://yaak.app',
+          authenticationType: 'apikey',
+          authentication: {
+            location: 'query',
+            key: 'token',
+            value: 'tok 1',
+          },
+        },
+        [],
+      ),
+    ).toEqual([`grpcurl`, `yaak.app?token=tok%201`].join(` \\\n  `));
+  });
+
  test('Single proto file', async () => {
    expect(await convert({ url: 'https://yaak.app' }, ['/foo/bar/baz.proto'])).toEqual(
      [
--- a/plugins/auth-apikey/package.json
+++ b/plugins/auth-apikey/package.json
@@ -12,6 +12,6 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  }
 }
--- a/plugins/auth-aws/README.md
+++ b/plugins/auth-aws/README.md
@@ -0,0 +1,49 @@
+# AWS Signature Version 4 Auth
+
+A plugin for authenticating AWS-compatible requests using the
+[AWS Signature Version 4 signing process](https://docs.aws.amazon.com/general/latest/gr/signature-version-4.html).  
+This enables secure, signed requests to AWS services (or any S3-compatible APIs like
+Cloudflare R2).
+
+![Screenshot of AWS SigV4 UI](screenshot.png)
+
+## Overview
+
+This plugin provides AWS Signature authentication for API requests in Yaak. SigV4 is used
+by nearly all AWS APIs to verify the authenticity and integrity of requests using
+cryptographic signatures.
+
+With this plugin, you can securely sign requests to AWS services such as S3, STS, Lambda,
+API Gateway, DynamoDB, and more. You can also authenticate against S3-compatible services
+like **Cloudflare R2**, **MinIO**, or **Wasabi**.
+
+## How AWS Signature Version 4 Works
+
+SigV4 signs requests by creating a hash of key request components (method, URL, headers,
+and optionally the payload) using your AWS credentials. The resulting HMAC signature is
+added in the `Authorization` header along with credential scope metadata.
+
+Example header:
+
+```
+Authorization: AWS4-HMAC-SHA256 Credential=AKIA…/20251011/us-east-1/s3/aws4_request, SignedHeaders=host;x-amz-date, Signature=abcdef123456…
+```
+
+Each request must include a timestamp (`X-Amz-Date`) and may include a session token if
+using temporary credentials.
+
+## Configuration
+
+The plugin presents the following fields:
+
+- **Access Key ID** – Your AWS access key identifier
+- **Secret Access Key** – The secret associated with the access key
+- **Session Token** *(optional)* – Used for temporary or assumed-role credentials (treated as secret)
+- **Region** – AWS region (e.g., `us-east-1`)
+- **Service** – AWS service identifier (e.g., `sts`, `s3`, `execute-api`)
+
+## Usage
+
+1. Configure a request, folder, or workspace to use **AWS SigV4 Authentication**
+2. Enter your AWS credentials and target service/region
+3. The plugin will automatically sign outgoing requests with valid SigV4 headers
--- a/plugins/auth-aws/package.json
+++ b/plugins/auth-aws/package.json
@@ -0,0 +1,23 @@
+{
+  "name": "@yaak/auth-aws",
+  "displayName": "AWS SigV4",
+  "description": "Authenticate requests using AWS SigV4 signing",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mountain-loop/yaak.git",
+    "directory": "plugins/auth-aws"
+  },
+  "private": true,
+  "version": "0.1.0",
+  "scripts": {
+    "build": "yaakcli build",
+    "dev": "yaakcli dev",
+    "lint": "tsc --noEmit && eslint . --ext .ts,.tsx"
+  },
+  "dependencies": {
+    "aws4": "^1.13.2"
+  },
+  "devDependencies": {
+    "@types/aws4": "^1.11.6"
+  }
+}
--- a/plugins/auth-aws/screenshot.png
+++ b/plugins/auth-aws/screenshot.png
--- a/plugins/auth-aws/src/index.ts
+++ b/plugins/auth-aws/src/index.ts
@@ -0,0 +1,96 @@
+import type { CallHttpAuthenticationResponse } from '@yaakapp-internal/plugins';
+import type { PluginDefinition } from '@yaakapp/api';
+import aws4 from 'aws4';
+import type { Request } from 'aws4';
+import { URL } from 'node:url';
+
+export const plugin: PluginDefinition = {
+  authentication: {
+    name: 'awsv4',
+    label: 'AWS Signature',
+    shortLabel: 'AWS v4',
+    args: [
+      { name: 'accessKeyId', label: 'Access Key ID', type: 'text', password: true },
+      {
+        name: 'secretAccessKey',
+        label: 'Secret Access Key',
+        type: 'text',
+        password: true,
+      },
+      {
+        name: 'service',
+        label: 'Service Name',
+        type: 'text',
+        defaultValue: 'sts',
+        placeholder: 'sts',
+        description: 'The service that is receiving the request (sts, s3, sqs, ...)',
+      },
+      {
+        name: 'region',
+        label: 'Region',
+        type: 'text',
+        placeholder: 'us-east-1',
+        description: 'The region that is receiving the request (defaults to us-east-1)',
+        optional: true,
+      },
+      {
+        name: 'sessionToken',
+        label: 'Session Token',
+        type: 'text',
+        password: true,
+        optional: true,
+        description: 'Only required if you are using temporary credentials',
+      },
+    ],
+    onApply(_ctx, { values, ...args }): CallHttpAuthenticationResponse {
+      const accessKeyId = String(values.accessKeyId || '');
+      const secretAccessKey = String(values.secretAccessKey || '');
+      const sessionToken = String(values.sessionToken || '') || undefined;
+
+      const url = new URL(args.url);
+
+      const headers: NonNullable<Request['headers']> = {};
+      for (const headerName of ['content-type', 'host', 'x-amz-date', 'x-amz-security-token']) {
+        const v = args.headers.find((h) => h.name.toLowerCase() === headerName);
+        if (v != null) {
+          headers[headerName] = v.value;
+        }
+      }
+
+      if (args.method !== 'GET') {
+        headers['x-amz-content-sha256'] = 'UNSIGNED-PAYLOAD';
+      }
+
+      const signature = aws4.sign(
+        {
+          host: url.host,
+          method: args.method,
+          path: url.pathname + (url.search || ''),
+          service: String(values.service || 'sts'),
+          region: values.region ? String(values.region) : undefined,
+          headers,
+        },
+        {
+          accessKeyId,
+          secretAccessKey,
+          sessionToken,
+        },
+      );
+
+      // After signing, aws4 will set:
+      //  - opts.headers["Authorization"]
+      //  - opts.headers["X-Amz-Date"]
+      //  - optionally content sha256 header etc
+
+      if (signature.headers == null) {
+        return {};
+      }
+
+      return {
+        setHeaders: Object.entries(signature.headers)
+          .filter(([name]) => name !== 'content-type') // Don't add this because we already have it
+          .map(([name, value]) => ({ name, value: String(value || '') })),
+      };
+    },
+  },
+};
--- a/plugins/auth-aws/tsconfig.json
+++ b/plugins/auth-aws/tsconfig.json
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
--- a/plugins/auth-basic/package.json
+++ b/plugins/auth-basic/package.json
@@ -12,6 +12,6 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  }
 }
--- a/plugins/auth-bearer/package.json
+++ b/plugins/auth-bearer/package.json
@@ -12,6 +12,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx",
+    "test": "vitest --run tests"
  }
 }
--- a/plugins/auth-jwt/package.json
+++ b/plugins/auth-jwt/package.json
@@ -12,7 +12,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  },
  "dependencies": {
    "jsonwebtoken": "^9.0.2"
--- a/plugins/auth-jwt/src/index.ts
+++ b/plugins/auth-jwt/src/index.ts
@@ -46,6 +46,50 @@ export const plugin: PluginDefinition = {
        name: 'secretBase64',
        label: 'Secret is base64 encoded',
      },
+      {
+        type: 'select',
+        name: 'location',
+        label: 'Behavior',
+        defaultValue: 'header',
+        options: [
+          { label: 'Insert Header', value: 'header' },
+          { label: 'Append Query Parameter', value: 'query' },
+        ],
+      },
+      {
+        type: 'text',
+        name: 'name',
+        label: 'Header Name',
+        defaultValue: 'Authorization',
+        optional: true,
+        dynamic(_ctx, args) {
+          if (args.values.location === 'query') {
+            return {
+              label: 'Parameter Name',
+              description: 'The name of the query parameter to add to the request',
+            };
+          } else {
+            return {
+              label: 'Header Name',
+              description: 'The name of the header to add to the request',
+            };
+          }
+        },
+      },
+      {
+        type: 'text',
+        name: 'headerPrefix',
+        label: 'Header Prefix',
+        optional: true,
+        defaultValue: 'Bearer',
+        dynamic(_ctx, args) {
+          if (args.values.location === 'query') {
+            return {
+              hidden: true,
+            };
+          }
+        },
+      },
      {
        type: 'editor',
        name: 'payload',
@@ -61,8 +105,17 @@ export const plugin: PluginDefinition = {
      const token = jwt.sign(`${payload}`, secret, {
        algorithm: algorithm as (typeof algorithms)[number],
      });
-      const value = `Bearer ${token}`;
-      return { setHeaders: [{ name: 'Authorization', value }] };
+
+      if (values.location === 'query') {
+        const paramName = String(values.name || 'token');
+        const paramValue = String(values.value || '');
+        return { setQueryParameters: [{ name: paramName, value: paramValue }] };
+      } else {
+        const headerPrefix = values.headerPrefix != null ? values.headerPrefix : 'Bearer';
+        const headerName = String(values.name || 'Authorization');
+        const headerValue = `${headerPrefix} ${token}`.trim();
+        return { setHeaders: [{ name: headerName, value: headerValue }] };
+      }
    },
  },
 };
--- a/plugins/auth-oauth1/package.json
+++ b/plugins/auth-oauth1/package.json
@@ -0,0 +1,20 @@
+{
+  "name": "@yaak/auth-oauth1",
+  "displayName": "OAuth 1.0",
+  "description": "Authenticate requests using OAuth 1.0a",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/mountain-loop/yaak.git",
+    "directory": "plugins/auth-oauth1"
+  },
+  "private": true,
+  "version": "0.1.0",
+  "scripts": {
+    "build": "yaakcli build",
+    "dev": "yaakcli dev",
+    "lint": "tsc --noEmit && eslint . --ext .ts,.tsx"
+  },
+  "dependencies": {
+    "oauth-1.0a": "^2.2.6"
+  }
+}
--- a/plugins/auth-oauth1/src/index.ts
+++ b/plugins/auth-oauth1/src/index.ts
@@ -0,0 +1,197 @@
+import type { Context, GetHttpAuthenticationConfigRequest, PluginDefinition } from '@yaakapp/api';
+import crypto from 'node:crypto';
+import OAuth from 'oauth-1.0a';
+
+const signatures = {
+  HMAC_SHA1: 'HMAC-SHA1',
+  HMAC_SHA256: 'HMAC-SHA256',
+  HMAC_SHA512: 'HMAC-SHA512',
+  RSA_SHA1: 'RSA-SHA1',
+  RSA_SHA256: 'RSA-SHA256',
+  RSA_SHA512: 'RSA-SHA512',
+  PLAINTEXT: 'PLAINTEXT',
+} as const;
+const defaultSig = signatures.HMAC_SHA1;
+
+const pkSigs = Object.values(signatures).filter((k) => k.startsWith('RSA-'));
+const nonPkSigs = Object.values(signatures).filter((k) => !pkSigs.includes(k));
+
+type SigMethod = (typeof signatures)[keyof typeof signatures];
+
+function hiddenIfNot(
+  sigMethod: SigMethod[],
+  ...other: ((values: GetHttpAuthenticationConfigRequest['values']) => boolean)[]
+) {
+  return (_ctx: Context, { values }: GetHttpAuthenticationConfigRequest) => {
+    const hasGrantType = sigMethod.find((t) => t === String(values.signatureMethod ?? defaultSig));
+    const hasOtherBools = other.every((t) => t(values));
+    const show = hasGrantType && hasOtherBools;
+    return { hidden: !show };
+  };
+}
+
+export const plugin: PluginDefinition = {
+  authentication: {
+    name: 'oauth1',
+    label: 'OAuth 1.0',
+    shortLabel: 'OAuth 1',
+    args: [
+      {
+        name: 'signatureMethod',
+        label: 'Signature Method',
+        type: 'select',
+        defaultValue: defaultSig,
+        options: Object.values(signatures).map((v) => ({ label: v, value: v })),
+      },
+      { name: 'consumerKey', label: 'Consumer Key', type: 'text', password: true, optional: true },
+      {
+        name: 'consumerSecret',
+        label: 'Consumer Secret',
+        type: 'text',
+        password: true,
+        optional: true,
+      },
+      {
+        name: 'tokenKey',
+        label: 'Access Token',
+        type: 'text',
+        password: true,
+        optional: true,
+      },
+      {
+        name: 'tokenSecret',
+        label: 'Token Secret',
+        type: 'text',
+        password: true,
+        optional: true,
+        dynamic: hiddenIfNot(nonPkSigs),
+      },
+      {
+        name: 'privateKey',
+        label: 'Private Key (RSA-SHA1)',
+        type: 'text',
+        multiLine: true,
+        optional: true,
+        password: true,
+        placeholder:
+          '-----BEGIN RSA PRIVATE KEY-----\nPrivate key in PEM format\n-----END RSA PRIVATE KEY-----',
+        dynamic: hiddenIfNot(pkSigs),
+      },
+      {
+        type: 'accordion',
+        label: 'Advanced',
+        inputs: [
+          { name: 'callback', label: 'Callback Url', type: 'text', optional: true },
+          { name: 'verifier', label: 'Verifier', type: 'text', optional: true, password: true },
+          { name: 'timestamp', label: 'Timestamp', type: 'text', optional: true },
+          { name: 'nonce', label: 'Nonce', type: 'text', optional: true },
+          {
+            name: 'version',
+            label: 'OAuth Version',
+            type: 'text',
+            optional: true,
+            defaultValue: '1.0',
+          },
+          { name: 'realm', label: 'Realm', type: 'text', optional: true },
+        ],
+      },
+    ],
+
+    onApply(
+      _ctx,
+      { values, method, url },
+    ): {
+      setHeaders?: { name: string; value: string }[];
+      setQueryParameters?: { name: string; value: string }[];
+    } {
+      const consumerKey = String(values.consumerKey || '');
+      const consumerSecret = String(values.consumerSecret || '');
+
+      const signatureMethod = String(values.signatureMethod || signatures.HMAC_SHA1) as SigMethod;
+      const version = String(values.version || '1.0');
+      const realm = String(values.realm || '') || undefined;
+
+      const oauth = new OAuth({
+        consumer: { key: consumerKey, secret: consumerSecret },
+        signature_method: signatureMethod,
+        version,
+        hash_function: hashFunction(signatureMethod),
+        realm,
+      });
+
+      if (pkSigs.includes(signatureMethod)) {
+        oauth.getSigningKey = (tokenSecret?: string) => tokenSecret || '';
+      }
+
+      const requestUrl = new URL(url);
+
+      // Base request options passed to oauth-1.0a
+      const requestData: Omit<OAuth.RequestOptions, 'data'> & {
+        data: Record<string, string | string[]>;
+      } = {
+        method,
+        url: requestUrl.toString(),
+        includeBodyHash: false,
+        data: {},
+      };
+
+      // (1) Include existing query params in signature base string
+      for (const key of requestUrl.searchParams.keys()) {
+        if (key.startsWith('oauth_')) continue;
+        const all = requestUrl.searchParams.getAll(key);
+        requestData.data[key] = all.length > 1 ? all : all[0]!;
+      }
+
+      // (2) Manual oauth_* overrides
+      if (values.callback) requestData.data.oauth_callback = String(values.callback);
+      if (values.nonce) requestData.data.oauth_nonce = String(values.nonce);
+      if (values.timestamp) requestData.data.oauth_timestamp = String(values.timestamp);
+      if (values.verifier) requestData.data.oauth_verifier = String(values.verifier);
+
+      let token: OAuth.Token | { key: string } | undefined;
+
+      if (pkSigs.includes(signatureMethod)) {
+        token = {
+          key: String(values.tokenKey || ''),
+          secret: String(values.privateKey || ''),
+        };
+      } else if (values.tokenKey && values.tokenSecret) {
+        token = { key: String(values.tokenKey), secret: String(values.tokenSecret) };
+      } else if (values.tokenKey) {
+        token = { key: String(values.tokenKey) };
+      }
+
+      const authParams = oauth.authorize(requestData, token as OAuth.Token | undefined);
+      const { Authorization } = oauth.toHeader(authParams);
+      return { setHeaders: [{ name: 'Authorization', value: Authorization }] };
+    },
+  },
+};
+
+function hashFunction(signatureMethod: SigMethod) {
+  switch (signatureMethod) {
+    case signatures.HMAC_SHA1:
+      return (base: string, key: string) =>
+        crypto.createHmac('sha1', key).update(base).digest('base64');
+    case signatures.HMAC_SHA256:
+      return (base: string, key: string) =>
+        crypto.createHmac('sha256', key).update(base).digest('base64');
+    case signatures.HMAC_SHA512:
+      return (base: string, key: string) =>
+        crypto.createHmac('sha512', key).update(base).digest('base64');
+    case signatures.RSA_SHA1:
+      return (base: string, privateKey: string) =>
+        crypto.createSign('RSA-SHA1').update(base).sign(privateKey, 'base64');
+    case signatures.RSA_SHA256:
+      return (base: string, privateKey: string) =>
+        crypto.createSign('RSA-SHA256').update(base).sign(privateKey, 'base64');
+    case signatures.RSA_SHA512:
+      return (base: string, privateKey: string) =>
+        crypto.createSign('RSA-SHA512').update(base).sign(privateKey, 'base64');
+    case signatures.PLAINTEXT:
+      return (base: string) => base;
+    default:
+      return (base: string, key: string) =>
+        crypto.createHmac('sha1', key).update(base).digest('base64');
+  }
+}
--- a/plugins/auth-oauth1/tsconfig.json
+++ b/plugins/auth-oauth1/tsconfig.json
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
--- a/plugins/auth-oauth2/package.json
+++ b/plugins/auth-oauth2/package.json
@@ -12,6 +12,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx",
+    "test": "vitest --run tests"
  }
 }
--- a/plugins/auth-oauth2/src/getAccessTokenIfNotExpired.ts
+++ b/plugins/auth-oauth2/src/getAccessTokenIfNotExpired.ts
@@ -1,19 +0,0 @@
-import type { Context } from '@yaakapp/api';
-import type { AccessToken } from './store';
-import { getToken } from './store';
-
-export async function getAccessTokenIfNotExpired(
-  ctx: Context,
-  contextId: string,
-): Promise<AccessToken | null> {
-  const token = await getToken(ctx, contextId);
-  if (token == null || isTokenExpired(token)) {
-    return null;
-  }
-
-  return token;
-}
-
-export function isTokenExpired(token: AccessToken) {
-  return token.expiresAt && Date.now() > token.expiresAt;
-}
--- a/plugins/auth-oauth2/src/getOrRefreshAccessToken.ts
+++ b/plugins/auth-oauth2/src/getOrRefreshAccessToken.ts
@@ -1,12 +1,12 @@
 import type { Context, HttpRequest } from '@yaakapp/api';
 import { readFileSync } from 'node:fs';
-import { isTokenExpired } from './getAccessTokenIfNotExpired';
-import type { AccessToken, AccessTokenRawResponse } from './store';
+import type { AccessToken, AccessTokenRawResponse, TokenStoreArgs } from './store';
 import { deleteToken, getToken, storeToken } from './store';
+import { isTokenExpired } from './util';

 export async function getOrRefreshAccessToken(
  ctx: Context,
-  contextId: string,
+  tokenArgs: TokenStoreArgs,
  {
    scope,
    accessTokenUrl,
@@ -23,7 +23,7 @@ export async function getOrRefreshAccessToken(
    forceRefresh?: boolean;
  },
 ): Promise<AccessToken | null> {
-  const token = await getToken(ctx, contextId);
+  const token = await getToken(ctx, tokenArgs);
  if (token == null) {
    return null;
  }
@@ -75,7 +75,7 @@ export async function getOrRefreshAccessToken(
    // Bad refresh token, so we'll force it to fetch a fresh access token by deleting
    // and returning null;
    console.log('[oauth2] Unauthorized refresh_token request');
-    await deleteToken(ctx, contextId);
+    await deleteToken(ctx, tokenArgs);
    return null;
  }

@@ -108,5 +108,5 @@ export async function getOrRefreshAccessToken(
    refresh_token: response.refresh_token ?? token.response.refresh_token,
  };

-  return storeToken(ctx, contextId, newResponse);
+  return storeToken(ctx, tokenArgs, newResponse);
 }
--- a/plugins/auth-oauth2/src/grants/authorizationCode.ts
+++ b/plugins/auth-oauth2/src/grants/authorizationCode.ts
@@ -2,8 +2,9 @@ import type { Context } from '@yaakapp/api';
 import { createHash, randomBytes } from 'node:crypto';
 import { fetchAccessToken } from '../fetchAccessToken';
 import { getOrRefreshAccessToken } from '../getOrRefreshAccessToken';
-import type { AccessToken } from '../store';
+import type { AccessToken, TokenStoreArgs } from '../store';
 import { getDataDirKey, storeToken } from '../store';
+import { extractCode } from '../util';

 export const PKCE_SHA256 = 'S256';
 export const PKCE_PLAIN = 'plain';
@@ -41,7 +42,14 @@ export async function getAuthorizationCode(
    tokenName: 'access_token' | 'id_token';
  },
 ): Promise<AccessToken> {
-  const token = await getOrRefreshAccessToken(ctx, contextId, {
+  const tokenArgs: TokenStoreArgs = {
+    contextId,
+    clientId,
+    accessTokenUrl,
+    authorizationUrl: authorizationUrlRaw,
+  };
+
+  const token = await getOrRefreshAccessToken(ctx, tokenArgs, {
    accessTokenUrl,
    scope,
    clientId,
@@ -72,7 +80,6 @@ export async function getAuthorizationCode(
    authorizationUrl.searchParams.set('code_challenge_method', pkce.challengeMethod);
  }

-  const logsEnabled = (await ctx.store.get('enable_logs')) ?? false;
  const dataDirKey = await getDataDirKey(ctx, contextId);
  const authorizationUrlStr = authorizationUrl.toString();
  console.log('[oauth2] Authorizing', authorizationUrlStr);
@@ -81,27 +88,26 @@ export async function getAuthorizationCode(
  const code = await new Promise<string>(async (resolve, reject) => {
    let foundCode = false;
    const { close } = await ctx.window.openUrl({
+      dataDirKey,
      url: authorizationUrlStr,
      label: 'oauth-authorization-url',
-      dataDirKey,
      async onClose() {
        if (!foundCode) {
          reject(new Error('Authorization window closed'));
        }
      },
      async onNavigate({ url: urlStr }) {
-        const url = new URL(urlStr);
-        if (logsEnabled) console.log('[oauth2] Navigated to', urlStr);
-
-        if (url.searchParams.has('error')) {
+        let code;
+        try {
+          code = extractCode(urlStr, redirectUri);
+        } catch (err) {
+          reject(err);
          close();
-          return reject(new Error(`Failed to authorize: ${url.searchParams.get('error')}`));
+          return;
        }

-        const code = url.searchParams.get('code');
        if (!code) {
-          console.log('[oauth2] Code not found');
-          return; // Could be one of many redirects in a chain, so skip it
+          return;
        }

        // Close the window here, because we don't need it anymore!
@@ -128,7 +134,7 @@ export async function getAuthorizationCode(
    ],
  });

-  return storeToken(ctx, contextId, response, tokenName);
+  return storeToken(ctx, tokenArgs, response, tokenName);
 }

 export function genPkceCodeVerifier() {
--- a/plugins/auth-oauth2/src/grants/clientCredentials.ts
+++ b/plugins/auth-oauth2/src/grants/clientCredentials.ts
@@ -1,7 +1,8 @@
 import type { Context } from '@yaakapp/api';
 import { fetchAccessToken } from '../fetchAccessToken';
-import { isTokenExpired } from '../getAccessTokenIfNotExpired';
+import type { TokenStoreArgs } from '../store';
 import { getToken, storeToken } from '../store';
+import { isTokenExpired } from '../util';

 export async function getClientCredentials(
  ctx: Context,
@@ -22,7 +23,13 @@ export async function getClientCredentials(
    credentialsInBody: boolean;
  },
 ) {
-  const token = await getToken(ctx, contextId);
+  const tokenArgs: TokenStoreArgs = {
+    contextId,
+    clientId,
+    accessTokenUrl,
+    authorizationUrl: null,
+  };
+  const token = await getToken(ctx, tokenArgs);
  if (token && !isTokenExpired(token)) {
    return token;
  }
@@ -38,5 +45,5 @@ export async function getClientCredentials(
    params: [],
  });

-  return storeToken(ctx, contextId, response);
+  return storeToken(ctx, tokenArgs, response);
 }
--- a/plugins/auth-oauth2/src/grants/implicit.ts
+++ b/plugins/auth-oauth2/src/grants/implicit.ts
@@ -1,7 +1,7 @@
 import type { Context } from '@yaakapp/api';
-import { isTokenExpired } from '../getAccessTokenIfNotExpired';
 import type { AccessToken, AccessTokenRawResponse} from '../store';
-import { getToken, storeToken } from '../store';
+import  { getDataDirKey , getToken, storeToken } from '../store';
+import { isTokenExpired } from '../util';

 export async function getImplicit(
  ctx: Context,
@@ -26,7 +26,13 @@ export async function getImplicit(
    tokenName: 'access_token' | 'id_token';
  },
 ): Promise<AccessToken> {
-  const token = await getToken(ctx, contextId);
+  const tokenArgs = {
+    contextId,
+    clientId,
+    accessTokenUrl: null,
+    authorizationUrl: authorizationUrlRaw,
+  };
+  const token = await getToken(ctx, tokenArgs);
  if (token != null && !isTokenExpired(token)) {
    return token;
  }
@@ -54,7 +60,9 @@ export async function getImplicit(
  const newToken = await new Promise<AccessToken>(async (resolve, reject) => {
    let foundAccessToken = false;
    const authorizationUrlStr = authorizationUrl.toString();
+    const dataDirKey = await getDataDirKey(ctx, contextId);
    const { close } = await ctx.window.openUrl({
+      dataDirKey,
      url: authorizationUrlStr,
      label: 'oauth-authorization-url',
      async onClose() {
@@ -82,7 +90,7 @@ export async function getImplicit(

        const response = Object.fromEntries(params) as unknown as AccessTokenRawResponse;
        try {
-          resolve(storeToken(ctx, contextId, response));
+          resolve(storeToken(ctx, tokenArgs, response));
        } catch (err) {
          reject(err);
        }
--- a/plugins/auth-oauth2/src/grants/password.ts
+++ b/plugins/auth-oauth2/src/grants/password.ts
@@ -1,7 +1,7 @@
 import type { Context } from '@yaakapp/api';
 import { fetchAccessToken } from '../fetchAccessToken';
 import { getOrRefreshAccessToken } from '../getOrRefreshAccessToken';
-import type { AccessToken} from '../store';
+import type { AccessToken, TokenStoreArgs } from '../store';
 import { storeToken } from '../store';

 export async function getPassword(
@@ -27,7 +27,13 @@ export async function getPassword(
    credentialsInBody: boolean;
  },
 ): Promise<AccessToken> {
-  const token = await getOrRefreshAccessToken(ctx, contextId, {
+  const tokenArgs: TokenStoreArgs = {
+    contextId,
+    clientId,
+    accessTokenUrl,
+    authorizationUrl: null,
+  };
+  const token = await getOrRefreshAccessToken(ctx, tokenArgs, {
    accessTokenUrl,
    scope,
    clientId,
@@ -52,5 +58,5 @@ export async function getPassword(
    ],
  });

-  return storeToken(ctx, contextId, response);
+  return storeToken(ctx, tokenArgs, response);
 }
--- a/plugins/auth-oauth2/src/index.ts
+++ b/plugins/auth-oauth2/src/index.ts
@@ -6,8 +6,8 @@ import type {
  PluginDefinition,
 } from '@yaakapp/api';
 import {
-  genPkceCodeVerifier,
  DEFAULT_PKCE_METHOD,
+  genPkceCodeVerifier,
  getAuthorizationCode,
  PKCE_PLAIN,
  PKCE_SHA256,
@@ -15,7 +15,7 @@ import {
 import { getClientCredentials } from './grants/clientCredentials';
 import { getImplicit } from './grants/implicit';
 import { getPassword } from './grants/password';
-import type { AccessToken } from './store';
+import type { AccessToken, TokenStoreArgs } from './store';
 import { deleteToken, getToken, resetDataDirKey } from './store';

 type GrantType = 'authorization_code' | 'implicit' | 'password' | 'client_credentials';
@@ -83,8 +83,14 @@ export const plugin: PluginDefinition = {
    actions: [
      {
        label: 'Copy Current Token',
-        async onSelect(ctx, { contextId }) {
-          const token = await getToken(ctx, contextId);
+        async onSelect(ctx, { contextId, values }) {
+          const tokenArgs: TokenStoreArgs = {
+            contextId,
+            authorizationUrl: stringArg(values, 'authorizationUrl'),
+            accessTokenUrl: stringArg(values, 'accessTokenUrl'),
+            clientId: stringArg(values, 'clientId'),
+          };
+          const token = await getToken(ctx, tokenArgs);
          if (token == null) {
            await ctx.toast.show({ message: 'No token to copy', color: 'warning' });
          } else {
@@ -99,8 +105,14 @@ export const plugin: PluginDefinition = {
      },
      {
        label: 'Delete Token',
-        async onSelect(ctx, { contextId }) {
-          if (await deleteToken(ctx, contextId)) {
+        async onSelect(ctx, { contextId, values }) {
+          const tokenArgs: TokenStoreArgs = {
+            contextId,
+            authorizationUrl: stringArg(values, 'authorizationUrl'),
+            accessTokenUrl: stringArg(values, 'accessTokenUrl'),
+            clientId: stringArg(values, 'clientId'),
+          };
+          if (await deleteToken(ctx, tokenArgs)) {
            await ctx.toast.show({ message: 'Token deleted', color: 'success' });
          } else {
            await ctx.toast.show({ message: 'No token to delete', color: 'warning' });
@@ -113,17 +125,6 @@ export const plugin: PluginDefinition = {
          await resetDataDirKey(ctx, contextId);
        },
      },
-      {
-        label: 'Toggle Debug Logs',
-        async onSelect(ctx) {
-          const enableLogs = !(await ctx.store.get('enable_logs'));
-          await ctx.store.set('enable_logs', enableLogs);
-          await ctx.toast.show({
-            message: `Debug logs ${enableLogs ? 'enabled' : 'disabled'}`,
-            color: 'info',
-          });
-        },
-      },
    ],
    args: [
      {
@@ -259,6 +260,12 @@ export const plugin: PluginDefinition = {
        label: 'Advanced',
        inputs: [
          { type: 'text', name: 'scope', label: 'Scope', optional: true },
+          {
+            type: 'text',
+            name: 'headerName',
+            label: 'Header Name',
+            defaultValue: 'Authorization',
+          },
          {
            type: 'text',
            name: 'headerPrefix',
@@ -281,8 +288,14 @@ export const plugin: PluginDefinition = {
      {
        type: 'accordion',
        label: 'Access Token Response',
-        async dynamic(ctx, { contextId }) {
-          const token = await getToken(ctx, contextId);
+        async dynamic(ctx, { contextId, values }) {
+          const tokenArgs: TokenStoreArgs = {
+            contextId,
+            authorizationUrl: stringArg(values, 'authorizationUrl'),
+            accessTokenUrl: stringArg(values, 'accessTokenUrl'),
+            clientId: stringArg(values, 'clientId'),
+          };
+          const token = await getToken(ctx, tokenArgs);
          if (token == null) {
            return { hidden: true };
          }
@@ -316,9 +329,10 @@ export const plugin: PluginDefinition = {
            accessTokenUrl === '' || accessTokenUrl.match(/^https?:\/\//)
              ? accessTokenUrl
              : `https://${accessTokenUrl}`,
-          authorizationUrl: authorizationUrl === '' || authorizationUrl.match(/^https?:\/\//)
-            ? authorizationUrl
-            : `https://${authorizationUrl}`,
+          authorizationUrl:
+            authorizationUrl === '' || authorizationUrl.match(/^https?:\/\//)
+              ? authorizationUrl
+              : `https://${authorizationUrl}`,
          clientId: stringArg(values, 'clientId'),
          clientSecret: stringArg(values, 'clientSecret'),
          redirectUri: stringArgOrNull(values, 'redirectUri'),
@@ -378,15 +392,9 @@ export const plugin: PluginDefinition = {
        throw new Error('Invalid grant type ' + grantType);
      }

+      const headerName = stringArg(values, 'headerName') || 'Authorization';
      const headerValue = `${headerPrefix} ${token.response[tokenName]}`.trim();
-      return {
-        setHeaders: [
-          {
-            name: 'Authorization',
-            value: headerValue,
-          },
-        ],
-      };
+      return { setHeaders: [{ name: headerName, value: headerValue }] };
    },
  },
 };
--- a/plugins/auth-oauth2/src/store.ts
+++ b/plugins/auth-oauth2/src/store.ts
@@ -1,8 +1,9 @@
 import type { Context } from '@yaakapp/api';
+import { createHash } from 'node:crypto';

 export async function storeToken(
  ctx: Context,
-  contextId: string,
+  args: TokenStoreArgs,
  response: AccessTokenRawResponse,
  tokenName: 'access_token' | 'id_token' = 'access_token',
 ) {
@@ -15,16 +16,16 @@ export async function storeToken(
    response,
    expiresAt,
  };
-  await ctx.store.set<AccessToken>(tokenStoreKey(contextId), token);
+  await ctx.store.set<AccessToken>(tokenStoreKey(args), token);
  return token;
 }

-export async function getToken(ctx: Context, contextId: string) {
-  return ctx.store.get<AccessToken>(tokenStoreKey(contextId));
+export async function getToken(ctx: Context, args: TokenStoreArgs) {
+  return ctx.store.get<AccessToken>(tokenStoreKey(args));
 }

-export async function deleteToken(ctx: Context, contextId: string) {
-  return ctx.store.delete(tokenStoreKey(contextId));
+export async function deleteToken(ctx: Context, args: TokenStoreArgs) {
+  return ctx.store.delete(tokenStoreKey(args));
 }

 export async function resetDataDirKey(ctx: Context, contextId: string) {
@@ -37,8 +38,25 @@ export async function getDataDirKey(ctx: Context, contextId: string) {
  return `${contextId}::${key}`;
 }

-function tokenStoreKey(contextId: string) {
-  return ['token', contextId].join('::');
+export interface TokenStoreArgs {
+  contextId: string;
+  clientId: string;
+  accessTokenUrl: string | null;
+  authorizationUrl: string | null;
+}
+
+/**
+ * Generate a store key to use based on some arguments. The arguments will be normalized a bit to
+ * account for slight variations (like domains with and without a protocol scheme).
+ */
+function tokenStoreKey(args: TokenStoreArgs) {
+  const hash = createHash('md5');
+  if (args.contextId) hash.update(args.contextId.trim());
+  if (args.clientId) hash.update(args.clientId.trim());
+  if (args.accessTokenUrl) hash.update(args.accessTokenUrl.trim().replace(/^https?:\/\//, ''));
+  if (args.authorizationUrl) hash.update(args.authorizationUrl.trim().replace(/^https?:\/\//, ''));
+  const key = hash.digest('hex');
+  return ['token', key].join('::');
 }

 function dataDirStoreKey(contextId: string) {
--- a/plugins/auth-oauth2/src/util.ts
+++ b/plugins/auth-oauth2/src/util.ts
@@ -0,0 +1,85 @@
+import type { AccessToken } from './store';
+
+export function isTokenExpired(token: AccessToken) {
+  return token.expiresAt && Date.now() > token.expiresAt;
+}
+
+export function extractCode(urlStr: string, redirectUri: string | null): string | null {
+  const url = new URL(urlStr);
+
+  if (!urlMatchesRedirect(url, redirectUri)) {
+    console.log('[oauth2] URL does not match redirect origin/path; skipping.');
+    return null;
+  }
+
+  // Prefer query param; fall back to fragment if query lacks it
+
+  const query = url.searchParams;
+  const queryError = query.get('error');
+  const queryDesc = query.get('error_description');
+  const queryUri = query.get('error_uri');
+
+  let hashParams: URLSearchParams | null = null;
+  if (url.hash && url.hash.length > 1) {
+    hashParams = new URLSearchParams(url.hash.slice(1));
+  }
+  const hashError = hashParams?.get('error');
+  const hashDesc = hashParams?.get('error_description');
+  const hashUri = hashParams?.get('error_uri');
+
+  const error = queryError || hashError;
+  if (error) {
+    const desc = queryDesc || hashDesc;
+    const uri = queryUri || hashUri;
+    let message = `Failed to authorize: ${error}`;
+    if (desc) message += ` (${desc})`;
+    if (uri) message += ` [${uri}]`;
+    throw new Error(message);
+  }
+
+  const queryCode = query.get('code');
+  if (queryCode) return queryCode;
+
+  const hashCode = hashParams?.get('code');
+  if (hashCode) return hashCode;
+
+  console.log('[oauth2] Code not found');
+  return null;
+}
+
+export function urlMatchesRedirect(url: URL, redirectUrl: string | null): boolean {
+  if (!redirectUrl) return true;
+
+  let redirect;
+  try {
+    redirect = new URL(redirectUrl);
+  } catch {
+    console.log('[oauth2] Invalid redirect URI; skipping.');
+    return false;
+  }
+
+  const sameProtocol = url.protocol === redirect.protocol;
+
+  const sameHost = url.hostname.toLowerCase() === redirect.hostname.toLowerCase();
+
+  const normalizePort = (u: URL) =>
+    (u.protocol === 'https:' && (!u.port || u.port === '443')) ||
+    (u.protocol === 'http:' && (!u.port || u.port === '80'))
+      ? ''
+      : u.port;
+
+  const samePort = normalizePort(url) === normalizePort(redirect);
+
+  const normPath = (p: string) => {
+    const withLeading = p.startsWith('/') ? p : `/${p}`;
+    // strip trailing slashes, keep root as "/"
+    return withLeading.replace(/\/+$/g, '') || '/';
+  };
+
+  // Require redirect path to be a prefix of the navigated URL path
+  const urlPath = normPath(url.pathname);
+  const redirectPath = normPath(redirect.pathname);
+  const pathMatches = urlPath === redirectPath || urlPath.startsWith(`${redirectPath}/`);
+
+  return sameProtocol && sameHost && samePort && pathMatches;
+}
--- a/plugins/auth-oauth2/tests/util.test.ts
+++ b/plugins/auth-oauth2/tests/util.test.ts
@@ -0,0 +1,109 @@
+import { describe, test, expect } from 'vitest';
+import { extractCode } from '../src/util';
+
+describe('extractCode', () => {
+  test('extracts code from query when same origin + path', () => {
+    const url = 'https://app.example.com/cb?code=abc123&state=xyz';
+    const redirect = 'https://app.example.com/cb';
+    expect(extractCode(url, redirect)).toBe('abc123');
+  });
+
+  test('extracts code from query with weird path', () => {
+    const url = 'https://app.example.com/cbwithextra?code=abc123&state=xyz';
+    const redirect = 'https://app.example.com/cb';
+    expect(extractCode(url, redirect)).toBeNull();
+  });
+
+  test('allows trailing slash differences', () => {
+    expect(extractCode('https://app.example.com/cb/?code=abc', 'https://app.example.com/cb')).toBe(
+      'abc',
+    );
+    expect(extractCode('https://app.example.com/cb?code=abc', 'https://app.example.com/cb/')).toBe(
+      'abc',
+    );
+  });
+
+  test('treats default ports as equal (https:443, http:80)', () => {
+    expect(
+      extractCode('https://app.example.com/cb?code=abc', 'https://app.example.com:443/cb'),
+    ).toBe('abc');
+    expect(extractCode('http://app.example.com/cb?code=abc', 'http://app.example.com:80/cb')).toBe(
+      'abc',
+    );
+  });
+
+  test('rejects different port', () => {
+    expect(
+      extractCode('https://app.example.com/cb?code=abc', 'https://app.example.com:8443/cb'),
+    ).toBeNull();
+  });
+
+  test('rejects different hostname (including subdomain changes)', () => {
+    expect(
+      extractCode('https://evil.example.com/cb?code=abc', 'https://app.example.com/cb'),
+    ).toBeNull();
+  });
+
+  test('requires path to start with redirect path (ignoring query/hash)', () => {
+    // same origin but wrong path -> null
+    expect(
+      extractCode('https://app.example.com/other?code=abc', 'https://app.example.com/cb'),
+    ).toBeNull();
+
+    // deeper subpath under the redirect path -> allowed (prefix match)
+    expect(
+      extractCode('https://app.example.com/cb/deep?code=abc', 'https://app.example.com/cb'),
+    ).toBe('abc');
+  });
+
+  test('works with custom schemes', () => {
+    expect(extractCode('myapp://cb?code=abc', 'myapp://cb')).toBe('abc');
+  });
+
+  test('prefers query over fragment when both present', () => {
+    const url = 'https://app.example.com/cb?code=queryCode#code=hashCode';
+    const redirect = 'https://app.example.com/cb';
+    expect(extractCode(url, redirect)).toBe('queryCode');
+  });
+
+  test('extracts code from fragment when query lacks code', () => {
+    const url = 'https://app.example.com/cb#code=fromHash&state=xyz';
+    const redirect = 'https://app.example.com/cb';
+    expect(extractCode(url, redirect)).toBe('fromHash');
+  });
+
+  test('returns null if no code present (query or fragment)', () => {
+    const url = 'https://app.example.com/cb?state=only';
+    const redirect = 'https://app.example.com/cb';
+    expect(extractCode(url, redirect)).toBeNull();
+  });
+
+  test('returns null when provider reports an error', () => {
+    const url = 'https://app.example.com/cb?error=access_denied&error_description=oopsy';
+    const redirect = 'https://app.example.com/cb';
+    expect(() => extractCode(url, redirect)).toThrow('Failed to authorize: access_denied');
+  });
+
+  test('when redirectUri is null, extracts code from any URL', () => {
+    expect(extractCode('https://random.example.com/whatever?code=abc', null)).toBe('abc');
+  });
+
+  test('handles extra params gracefully', () => {
+    const url = 'https://app.example.com/cb?foo=1&bar=2&code=abc&baz=3';
+    const redirect = 'https://app.example.com/cb';
+    expect(extractCode(url, redirect)).toBe('abc');
+  });
+
+  test('ignores fragment noise when code is in query', () => {
+    const url = 'https://app.example.com/cb?code=abc#some=thing';
+    const redirect = 'https://app.example.com/cb';
+    expect(extractCode(url, redirect)).toBe('abc');
+  });
+
+  // If you decide NOT to support fragment-based codes, flip these to expect null or mark as .skip
+  test('supports fragment-only code for response_mode=fragment providers', () => {
+    const url = 'https://app.example.com/cb#state=xyz&code=abc';
+    const redirect = 'https://app.example.com/cb';
+    expect(extractCode(url, redirect)).toBe('abc');
+  });
+});
--- a/plugins/filter-jsonpath/package.json
+++ b/plugins/filter-jsonpath/package.json
@@ -12,7 +12,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  },
  "dependencies": {
    "jsonpath-plus": "^10.3.0"
--- a/plugins/filter-xpath/package.json
+++ b/plugins/filter-xpath/package.json
@@ -7,7 +7,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  },
  "dependencies": {
    "@xmldom/xmldom": "^0.9.8",
--- a/plugins/importer-curl/package.json
+++ b/plugins/importer-curl/package.json
@@ -7,7 +7,8 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint": "tsc --noEmit && eslint . --ext .ts,.tsx",
+    "test": "vitest --run tests"
  },
  "dependencies": {
    "shell-quote": "^1.8.1"
--- a/plugins/importer-insomnia/package.json
+++ b/plugins/importer-insomnia/package.json
@@ -7,7 +7,8 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx",
+    "test": "vitest --run tests"
  },
  "dependencies": {
    "yaml": "^2.4.2"
--- a/plugins/importer-insomnia/src/v4.ts
+++ b/plugins/importer-insomnia/src/v4.ts
@@ -122,6 +122,12 @@ function importHttpRequest(r: any, workspaceId: string): PartialImportResources[
    name: r.name,
    description: r.description || undefined,
    url: convertSyntax(r.url),
+    urlParameters: (r.parameters ?? [])
+      .map((p: any) => ({
+        enabled: !p.disabled,
+        name: p.name ?? '',
+        value: p.value ?? '',
+      })),
    body,
    bodyType,
    authentication,
@@ -184,15 +190,15 @@ function importEnvironment(
  workspaceId: string,
  isParent?: boolean,
 ): PartialImportResources['environments'][0] {
+  isParent ??= e.parentId === workspaceId;
  return {
    id: convertId(e._id),
    createdAt: e.created ? new Date(e.created).toISOString().replace('Z', '') : undefined,
    updatedAt: e.modified ? new Date(e.modified).toISOString().replace('Z', '') : undefined,
    workspaceId: convertId(workspaceId),
-    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-    // @ts-expect-error
-    sortPriority: e.metaSortKey, // Will be added to Yaak later
-    base: isParent ?? e.parentId === workspaceId,
+    sortPriority: e.metaSortKey,
+    parentModel: isParent ? 'workspace' : 'environment',
+    parentId: null,
    model: 'environment',
    name: e.name,
    variables: Object.entries(e.data).map(([name, value]) => ({
--- a/plugins/importer-insomnia/src/v5.ts
+++ b/plugins/importer-insomnia/src/v5.ts
@@ -30,18 +30,25 @@ export function convertInsomniaV5(parsed: any) {
    model: 'workspace',
    name: parsed.name,
    description: meta.description || undefined,
+    ...importHeaders(parsed),
+    ...importAuthentication(parsed),
  });
+
+  // Import environments
  resources.environments.push(
    importEnvironment(parsed.environments, meta.id, true),
    ...(parsed.environments.subEnvironments ?? []).map((r: any) => importEnvironment(r, meta.id)),
  );

+  // Import folders
  const nextFolder = (children: any[], parentId: string) => {
    for (const child of children ?? []) {
      if (!isJSObject(child)) continue;

      if (Array.isArray(child.children)) {
-        resources.folders.push(importFolder(child, meta.id, parentId));
+        const { folder, environment } = importFolder(child, meta.id, parentId);
+        resources.folders.push(folder);
+        if (environment) resources.environments.push(environment);
        nextFolder(child.children, child.meta.id);
      } else if (child.method) {
        resources.httpRequests.push(importHttpRequest(child, meta.id, parentId));
@@ -118,6 +125,12 @@ function importHttpRequest(
    name: r.name,
    description: r.meta?.description || undefined,
    url: convertSyntax(r.url),
+    urlParameters: (r.parameters ?? [])
+      .map((p: any) => ({
+        enabled: !p.disabled,
+        name: p.name ?? '',
+        value: p.value ?? '',
+      })),
    body,
    bodyType,
    method: r.method,
@@ -191,8 +204,8 @@ function importWebsocketRequest(
  };
 }

-function importHeaders(r: any) {
-  const headers = (r.headers ?? [])
+function importHeaders(obj: any) {
+  const headers = (obj.headers ?? [])
    .map((h: any) => ({
      enabled: !h.disabled,
      name: h.name ?? '',
@@ -202,19 +215,19 @@ function importHeaders(r: any) {
  return { headers } as const;
 }

-function importAuthentication(r: any) {
+function importAuthentication(obj: any) {
  let authenticationType: string | null = null;
  let authentication = {};
-  if (r.authentication?.type === 'bearer') {
+  if (obj.authentication?.type === 'bearer') {
    authenticationType = 'bearer';
    authentication = {
-      token: convertSyntax(r.authentication.token),
+      token: convertSyntax(obj.authentication.token),
    };
-  } else if (r.authentication?.type === 'basic') {
+  } else if (obj.authentication?.type === 'basic') {
    authenticationType = 'basic';
    authentication = {
-      username: convertSyntax(r.authentication.username),
-      password: convertSyntax(r.authentication.password),
+      username: convertSyntax(obj.authentication.username),
+      password: convertSyntax(obj.authentication.password),
    };
  }

@@ -225,22 +238,50 @@ function importFolder(
  f: any,
  workspaceId: string,
  parentId: string,
-): PartialImportResources['folders'][0] {
+): {
+  folder: PartialImportResources['folders'][0];
+  environment: PartialImportResources['environments'][0] | null;
+} {
  const id = f.meta?.id ?? f._id;
  const created = f.meta?.created ?? f.created;
  const updated = f.meta?.modified ?? f.updated;
  const sortKey = f.meta?.sortKey ?? f.sortKey;

+  let environment: PartialImportResources['environments'][0] | null = null;
+  if (Object.keys(f.environment ?? {}).length > 0) {
+    environment = {
+      id: convertId(id + 'folder'),
+      createdAt: created ? new Date(created).toISOString().replace('Z', '') : undefined,
+      updatedAt: updated ? new Date(updated).toISOString().replace('Z', '') : undefined,
+      workspaceId: convertId(workspaceId),
+      public: true,
+      parentModel: 'folder',
+      parentId: convertId(id),
+      model: 'environment',
+      name: 'Folder Environment',
+      variables: Object.entries(f.environment ?? {}).map(([name, value]) => ({
+        enabled: true,
+        name,
+        value: `${value}`,
+      })),
+    };
+  }
+
  return {
-    model: 'folder',
-    id: convertId(id),
-    createdAt: created ? new Date(created).toISOString().replace('Z', '') : undefined,
-    updatedAt: updated ? new Date(updated).toISOString().replace('Z', '') : undefined,
-    folderId: parentId === workspaceId ? null : convertId(parentId),
-    sortPriority: sortKey,
-    workspaceId: convertId(workspaceId),
-    description: f.description || undefined,
-    name: f.name,
+    folder: {
+      model: 'folder',
+      id: convertId(id),
+      createdAt: created ? new Date(created).toISOString().replace('Z', '') : undefined,
+      updatedAt: updated ? new Date(updated).toISOString().replace('Z', '') : undefined,
+      folderId: parentId === workspaceId ? null : convertId(parentId),
+      sortPriority: sortKey,
+      workspaceId: convertId(workspaceId),
+      description: f.description || undefined,
+      name: f.name,
+      ...importAuthentication(f),
+      ...importHeaders(f),
+    },
+    environment,
  };
 }

@@ -260,10 +301,9 @@ function importEnvironment(
    updatedAt: updated ? new Date(updated).toISOString().replace('Z', '') : undefined,
    workspaceId: convertId(workspaceId),
    public: !e.isPrivate,
-    // eslint-disable-next-line @typescript-eslint/ban-ts-comment
-    // @ts-expect-error
-    sortPriority: sortKey, // Will be added to Yaak later
-    base: isParent ?? e.parentId === workspaceId,
+    sortPriority: sortKey,
+    parentModel: isParent ? 'workspace' : 'environment',
+    parentId: null,
    model: 'environment',
    name: e.name,
    variables: Object.entries(e.data ?? {}).map(([name, value]) => ({
--- a/plugins/importer-insomnia/tests/fixtures/basic.output.json
+++ b/plugins/importer-insomnia/tests/fixtures/basic.output.json
@@ -5,7 +5,8 @@
        "createdAt": "2025-01-13T15:15:43.767",
        "updatedAt": "2025-01-13T15:15:55.209",
        "sortPriority": 1736781343767,
-        "base": true,
+        "parentId": null,
+        "parentModel": "workspace",
        "id": "GENERATE_ID::env_16c0dec5b77c414ae0e419b8f10c3701300c5900",
        "model": "environment",
        "name": "Base Environment",
@@ -22,7 +23,8 @@
        "createdAt": "2025-01-13T15:15:58.515",
        "updatedAt": "2025-01-13T15:16:34.705",
        "sortPriority": 1736781358515,
-        "base": false,
+        "parentId": null,
+        "parentModel": "environment",
        "id": "GENERATE_ID::env_799ae3d723ef44af91b4817e5d057e6d",
        "model": "environment",
        "name": "Production",
@@ -39,7 +41,8 @@
        "createdAt": "2025-01-13T15:16:14.707",
        "updatedAt": "2025-01-13T15:16:31.078",
        "sortPriority": 1736781358565,
-        "base": false,
+        "parentId": null,
+        "parentModel": "environment",
        "id": "GENERATE_ID::env_030fbfdbb274426ebd78e2e6518f8553",
        "model": "environment",
        "name": "Staging",
@@ -110,6 +113,13 @@
        "model": "http_request",
        "name": "New Request",
        "url": "${[BASE_URL ]}/foo/:id",
+        "urlParameters": [
+          {
+            "name": "query",
+            "value": "qqq",
+            "enabled": true
+          }
+        ],
        "workspaceId": "GENERATE_ID::wrk_d4d92f7c0ee947b89159243506687019"
      }
    ],
--- a/plugins/importer-insomnia/tests/fixtures/version-5-minimal.input.yaml
+++ b/plugins/importer-insomnia/tests/fixtures/version-5-minimal.input.yaml
@@ -38,6 +38,8 @@ collection:
        name: foo
        value: bar
        disabled: false
+    environment:
+      folder_env_var: testing
  - name: New Request
    meta:
      id: req_e3f8cdbd58784a539dd4c1e127d73451
--- a/plugins/importer-insomnia/tests/fixtures/version-5-minimal.output.json
+++ b/plugins/importer-insomnia/tests/fixtures/version-5-minimal.output.json
@@ -2,7 +2,6 @@
  "resources": {
    "environments": [
      {
-        "base": true,
        "createdAt": "2025-05-14T04:45:24.903",
        "id": "GENERATE_ID::env_e46dc73e8ccda30ca132153e8f11183bd08119ce",
        "model": "environment",
@@ -10,6 +9,26 @@
        "public": true,
        "updatedAt": "2025-05-14T04:45:24.903",
        "variables": [],
+        "workspaceId": "GENERATE_ID::wrk_9717dd1c9e0c4b2e9ed6d2abcf3bd45c",
+        "parentId": null,
+        "parentModel": "workspace"
+      },
+      {
+        "createdAt": "2025-05-16T16:48:12.298",
+        "id": "GENERATE_ID::fld_296933ea4ea84783a775d199997e9be7folder",
+        "model": "environment",
+        "name": "Folder Environment",
+        "parentId": "GENERATE_ID::fld_296933ea4ea84783a775d199997e9be7",
+        "parentModel": "folder",
+        "public": true,
+        "updatedAt": "2025-05-16T16:49:02.427",
+        "variables": [
+          {
+            "enabled": true,
+            "name": "folder_env_var",
+            "value": "testing"
+          }
+        ],
        "workspaceId": "GENERATE_ID::wrk_9717dd1c9e0c4b2e9ed6d2abcf3bd45c"
      }
    ],
@@ -22,7 +41,16 @@
        "name": "My Folder",
        "sortPriority": -1747414092298,
        "updatedAt": "2025-05-16T16:49:02.427",
-        "workspaceId": "GENERATE_ID::wrk_9717dd1c9e0c4b2e9ed6d2abcf3bd45c"
+        "workspaceId": "GENERATE_ID::wrk_9717dd1c9e0c4b2e9ed6d2abcf3bd45c",
+        "authentication": {},
+        "authenticationType": null,
+        "headers": [
+          {
+            "enabled": true,
+            "name": "foo",
+            "value": "bar"
+          }
+        ]
      }
    ],
    "grpcRequests": [],
@@ -48,6 +76,7 @@
        "sortPriority": -1747414129276,
        "updatedAt": "2025-05-16T16:48:49.313",
        "url": "https://httpbin.org/post",
+        "urlParameters": [],
        "workspaceId": "GENERATE_ID::wrk_9717dd1c9e0c4b2e9ed6d2abcf3bd45c"
      },
      {
@@ -70,6 +99,7 @@
        "name": "New Request",
        "sortPriority": -1747414160498,
        "updatedAt": "2025-05-16T16:49:20.497",
+        "urlParameters": [],
        "workspaceId": "GENERATE_ID::wrk_9717dd1c9e0c4b2e9ed6d2abcf3bd45c"
      }
    ],
@@ -80,7 +110,10 @@
        "id": "GENERATE_ID::wrk_9717dd1c9e0c4b2e9ed6d2abcf3bd45c",
        "model": "workspace",
        "name": "Debugging",
-        "updatedAt": "2025-05-14T04:45:24.902"
+        "updatedAt": "2025-05-14T04:45:24.902",
+        "authentication": {},
+        "authenticationType": null,
+        "headers": []
      }
    ]
  }
--- a/plugins/importer-insomnia/tests/fixtures/version-5.output.json
+++ b/plugins/importer-insomnia/tests/fixtures/version-5.output.json
@@ -4,11 +4,12 @@
      {
        "createdAt": "2025-01-13T15:15:43.767",
        "updatedAt": "2025-01-13T15:15:55.209",
-        "base": true,
        "public": true,
        "id": "GENERATE_ID::env_20945044d3c8497ca8b717bef750987e",
        "model": "environment",
        "name": "Base Environment",
+        "parentId": null,
+        "parentModel": "workspace",
        "variables": [
          {
            "enabled": true,
@@ -21,11 +22,12 @@
      {
        "createdAt": "2025-01-13T15:15:58.515",
        "updatedAt": "2025-01-13T15:16:34.705",
-        "base": false,
        "public": true,
        "id": "GENERATE_ID::env_6f7728bb7fc04d558d668e954d756ea2",
        "model": "environment",
        "name": "Production",
+        "parentId": null,
+        "parentModel": "environment",
        "sortPriority": 1736781358515,
        "variables": [
          {
@@ -39,8 +41,9 @@
      {
        "createdAt": "2025-01-13T15:16:14.707",
        "updatedAt": "2025-01-13T15:16:31.078",
-        "base": false,
        "public": true,
+        "parentId": null,
+        "parentModel": "environment",
        "id": "GENERATE_ID::env_976a8b6eb5d44fb6a20150f65c32d243",
        "model": "environment",
        "name": "Staging",
@@ -64,7 +67,10 @@
        "model": "folder",
        "name": "Top Level",
        "sortPriority": -1736781404718,
-        "workspaceId": "GENERATE_ID::wrk_c1eacfa750a04f3ea9985ef28043fa53"
+        "workspaceId": "GENERATE_ID::wrk_c1eacfa750a04f3ea9985ef28043fa53",
+        "authentication": {},
+        "authenticationType": null,
+        "headers": []
      }
    ],
    "grpcRequests": [
@@ -129,6 +135,13 @@
        "name": "New Request",
        "sortPriority": -1736781406672,
        "url": "${[BASE_URL ]}/foo/:id",
+        "urlParameters": [
+          {
+            "name": "query",
+            "value": "qqq",
+            "enabled": true
+          }
+        ],
        "workspaceId": "GENERATE_ID::wrk_c1eacfa750a04f3ea9985ef28043fa53"
      }
    ],
@@ -165,7 +178,10 @@
        "description": "This is the description",
        "id": "GENERATE_ID::wrk_c1eacfa750a04f3ea9985ef28043fa53",
        "model": "workspace",
-        "name": "Dummy"
+        "name": "Dummy",
+        "authentication": {},
+        "authenticationType": null,
+        "headers": []
      }
    ]
  }
--- a/plugins/importer-openapi/package.json
+++ b/plugins/importer-openapi/package.json
@@ -7,7 +7,8 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx",
+    "test": "vitest --run tests"
  },
  "dependencies": {
    "openapi-to-postmanv2": "^5.0.0",
--- a/plugins/importer-postman-environment/package.json
+++ b/plugins/importer-postman-environment/package.json
@@ -0,0 +1,14 @@
+{
+  "name": "@yaak/importer-postman-environment",
+  "displayName": "Postman Environment Importer",
+  "description": "Import environments from Postman",
+  "private": true,
+  "version": "0.1.0",
+  "main": "./build/index.js",
+  "scripts": {
+    "build": "yaakcli build",
+    "dev": "yaakcli dev",
+    "lint": "tsc --noEmit && eslint . --ext .ts,.tsx",
+    "test": "vitest --run tests"
+  }
+}
--- a/plugins/importer-postman-environment/src/index.ts
+++ b/plugins/importer-postman-environment/src/index.ts
@@ -0,0 +1,138 @@
+import type {
+  Context,
+  Environment,
+  PartialImportResources,
+  PluginDefinition,
+  Workspace,
+} from '@yaakapp/api';
+import type { ImportPluginResponse } from '@yaakapp/api/lib/plugins/ImporterPlugin';
+
+type AtLeast<T, K extends keyof T> = Partial<T> & Pick<T, K>;
+
+interface ExportResources {
+  workspaces: AtLeast<Workspace, 'name' | 'id' | 'model'>[];
+  environments: AtLeast<Environment, 'name' | 'id' | 'model' | 'workspaceId'>[];
+}
+
+export const plugin: PluginDefinition = {
+  importer: {
+    name: 'Postman Environment',
+    description: 'Import postman environment exports',
+    onImport(_ctx: Context, args: { text: string }) {
+      return convertPostmanEnvironment(args.text);
+    },
+  },
+};
+
+export function convertPostmanEnvironment(contents: string): ImportPluginResponse | undefined {
+  const root = parseJSONToRecord(contents);
+  if (root == null) return;
+
+  // Validate that it looks like a Postman Environment export
+  const values = toArray<{
+    key?: string;
+    value?: unknown;
+    enabled?: boolean;
+    description?: string;
+    type?: string;
+  }>(root.values);
+  const scope = root._postman_variable_scope;
+  const hasEnvMarkers = typeof scope === 'string';
+
+  if (values.length === 0 || (!hasEnvMarkers && typeof root.name !== 'string')) {
+    // Not a Postman environment file, skip
+    return;
+  }
+
+  const exportResources: ExportResources = {
+    workspaces: [],
+    environments: [],
+  };
+
+  const envVariables = values
+    .map((v) => ({
+      enabled: v.enabled ?? true,
+      name: String(v.key ?? ''),
+      value: String(v.value),
+      description: v.description ? String(v.description) : null,
+    }))
+    .filter((v) => v.name.length > 0);
+
+  const environment: ExportResources['environments'][0] = {
+    model: 'environment',
+    id: generateId('environment'),
+    name: root.name ? String(root.name) : 'Environment',
+    workspaceId: 'CURRENT_WORKSPACE',
+    parentModel: 'environment',
+    parentId: null,
+    variables: envVariables,
+  };
+  exportResources.environments.push(environment);
+
+  const resources = deleteUndefinedAttrs(
+    convertTemplateSyntax(exportResources),
+  ) as PartialImportResources;
+
+  return { resources };
+}
+
+function parseJSONToRecord<T>(jsonStr: string): Record<string, T> | null {
+  try {
+    return toRecord(JSON.parse(jsonStr));
+  } catch {
+    return null;
+  }
+}
+
+function toRecord<T>(value: Record<string, T> | unknown): Record<string, T> {
+  if (value && typeof value === 'object' && !Array.isArray(value)) {
+    return value as Record<string, T>;
+  }
+  return {} as Record<string, T>;
+}
+
+function toArray<T>(value: unknown): T[] {
+  if (Object.prototype.toString.call(value) === '[object Array]') return value as T[];
+  else return [] as T[];
+}
+
+/** Recursively render all nested object properties */
+function convertTemplateSyntax<T>(obj: T): T {
+  if (typeof obj === 'string') {
+    return obj.replace(
+      /{{\s*(_\.)?([^}]*)\s*}}/g,
+      (_m, _dot, expr) => '${[' + expr.trim() + ']}',
+    ) as T;
+  } else if (Array.isArray(obj) && obj != null) {
+    return obj.map(convertTemplateSyntax) as T;
+  } else if (typeof obj === 'object' && obj != null) {
+    return Object.fromEntries(
+      Object.entries(obj as Record<string, unknown>).map(([k, v]) => [k, convertTemplateSyntax(v)]),
+    ) as T;
+  } else {
+    return obj;
+  }
+}
+
+function deleteUndefinedAttrs<T>(obj: T): T {
+  if (Array.isArray(obj) && obj != null) {
+    return obj.map(deleteUndefinedAttrs) as T;
+  } else if (typeof obj === 'object' && obj != null) {
+    return Object.fromEntries(
+      Object.entries(obj as Record<string, unknown>)
+        .filter(([, v]) => v !== undefined)
+        .map(([k, v]) => [k, deleteUndefinedAttrs(v)]),
+    ) as T;
+  } else {
+    return obj;
+  }
+}
+
+const idCount: Partial<Record<string, number>> = {};
+
+function generateId(model: string): string {
+  idCount[model] = (idCount[model] ?? -1) + 1;
+  return `GENERATE_ID::${model.toUpperCase()}_${idCount[model]}`;
+}
+
+export default plugin;
--- a/plugins/importer-postman-environment/tests/fixtures/environment.input.json
+++ b/plugins/importer-postman-environment/tests/fixtures/environment.input.json
@@ -0,0 +1,27 @@
+{
+  "id": "123",
+  "name": "My Environment",
+  "values": [
+    {
+      "key": "baseUrl",
+      "value": "https://api.example.com",
+      "type": "default",
+      "enabled": true
+    },
+    {
+      "key": "token",
+      "value": "{{ access_token }}",
+      "type": "default",
+      "description": "Access token for the API.",
+      "enabled": true
+    },
+    {
+      "key": "disabled",
+      "type": "secret",
+      "value": "hello",
+      "enabled": false
+    }
+  ],
+  "_postman_variable_scope": "environment",
+  "_postman_exported_using": "PostmanRuntime/1.0.0"
+}
--- a/plugins/importer-postman-environment/tests/fixtures/environment.output.json
+++ b/plugins/importer-postman-environment/tests/fixtures/environment.output.json
@@ -0,0 +1,35 @@
+{
+  "resources": {
+    "workspaces": [],
+    "environments": [
+      {
+        "id": "GENERATE_ID::ENVIRONMENT_0",
+        "model": "environment",
+        "name": "My Environment",
+        "variables": [
+          {
+            "enabled": true,
+            "description": null,
+            "name": "baseUrl",
+            "value": "https://api.example.com"
+          },
+          {
+            "enabled": true,
+            "description": "Access token for the API.",
+            "name": "token",
+            "value": "${[access_token]}"
+          },
+          {
+            "enabled": false,
+            "description": null,
+            "name": "disabled",
+            "value": "hello"
+          }
+        ],
+        "workspaceId": "CURRENT_WORKSPACE",
+        "parentId": null,
+        "parentModel": "environment"
+      }
+    ]
+  }
+}
--- a/plugins/importer-postman-environment/tests/index.test.ts
+++ b/plugins/importer-postman-environment/tests/index.test.ts
@@ -0,0 +1,22 @@
+import * as fs from 'node:fs';
+import * as path from 'node:path';
+import { describe, expect, test } from 'vitest';
+import { convertPostmanEnvironment } from '../src';
+
+describe('importer-postman-environment', () => {
+  const p = path.join(__dirname, 'fixtures');
+  const fixtures = fs.readdirSync(p);
+
+  for (const fixture of fixtures) {
+    if (fixture.includes('.output')) {
+      continue;
+    }
+
+    test('Imports ' + fixture, () => {
+      const contents = fs.readFileSync(path.join(p, fixture), 'utf-8');
+      const expected = fs.readFileSync(path.join(p, fixture.replace('.input', '.output')), 'utf-8');
+      const result = convertPostmanEnvironment(contents);
+      expect(result).toEqual(JSON.parse(expected));
+    });
+  }
+});
--- a/plugins/importer-postman-environment/tsconfig.json
+++ b/plugins/importer-postman-environment/tsconfig.json
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
--- a/plugins/importer-postman/package.json
+++ b/plugins/importer-postman/package.json
@@ -8,6 +8,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint": "tsc --noEmit && eslint . --ext .ts,.tsx",
+    "test": "vitest --run tests"
  }
 }
--- a/plugins/importer-postman/src/index.ts
+++ b/plugins/importer-postman/src/index.ts
@@ -57,15 +57,18 @@ export function convertPostman(contents: string): ImportPluginResponse | undefin

  const rawDescription = info.description;
  const description =
-    typeof rawDescription === 'object' && rawDescription !== null && 'content' in rawDescription
+    typeof rawDescription === 'object' && rawDescription != null && 'content' in rawDescription
      ? String(rawDescription.content)
-      : String(rawDescription);
+      : rawDescription == null
+        ? undefined
+        : String(rawDescription);

  const workspace: ExportResources['workspaces'][0] = {
    model: 'workspace',
    id: generateId('workspace'),
    name: info.name ? String(info.name) : 'Postman Import',
    description,
+    ...globalAuth,
  };
  exportResources.workspaces.push(workspace);

@@ -75,6 +78,8 @@ export function convertPostman(contents: string): ImportPluginResponse | undefin
    id: generateId('environment'),
    name: 'Global Variables',
    workspaceId: workspace.id,
+    parentModel: 'workspace',
+    parentId: null,
    variables:
      toArray<{ key: string; value: string }>(root.variable).map((v) => ({
        name: v.key,
@@ -101,8 +106,7 @@ export function convertPostman(contents: string): ImportPluginResponse | undefin
    } else if (typeof v.name === 'string' && 'request' in v) {
      const r = toRecord(v.request);
      const bodyPatch = importBody(r.body);
-      const requestAuthPath = importAuth(r.auth);
-      const authPatch = requestAuthPath.authenticationType == null ? globalAuth : requestAuthPath;
+      const requestAuth = importAuth(r.auth);

      const headers: HttpRequestHeader[] = toArray<{
        key: string;
@@ -141,10 +145,9 @@ export function convertPostman(contents: string): ImportPluginResponse | undefin
        urlParameters,
        body: bodyPatch.body,
        bodyType: bodyPatch.bodyType,
-        authentication: authPatch.authentication,
-        authenticationType: authPatch.authenticationType,
        sortPriority: sortPriorityIndex++,
        headers,
+        ...requestAuth,
      };
      exportResources.httpRequests.push(request);
    } else {
@@ -219,25 +222,159 @@ function convertUrl(rawUrl: string | unknown): Pick<HttpRequest, 'url' | 'urlPar
 }

 function importAuth(rawAuth: unknown): Pick<HttpRequest, 'authentication' | 'authenticationType'> {
-  const auth = toRecord<{ username?: string; password?: string; token?: string }>(rawAuth);
-  if ('basic' in auth) {
+  const auth = toRecord<Record<string, string>>(rawAuth);
+
+  // Helper: Postman stores auth params as an array of { key, value, ... }
+  const pmArrayToObj = (v: unknown): Record<string, unknown> => {
+    if (!Array.isArray(v)) return toRecord(v);
+    const o: Record<string, unknown> = {};
+    for (const i of v) {
+      const ii = toRecord(i);
+      if (typeof ii.key === 'string') {
+        o[ii.key] = ii.value;
+      }
+    }
+    return o;
+  };
+
+  const authType: string | undefined = auth.type ? String(auth.type) : undefined;
+
+  if (authType === 'noauth') {
+    return {
+      authenticationType: 'none',
+      authentication: {},
+    };
+  }
+
+  if ('basic' in auth && authType === 'basic') {
+    const b = pmArrayToObj(auth.basic);
    return {
      authenticationType: 'basic',
      authentication: {
-        username: auth.basic.username || '',
-        password: auth.basic.password || '',
+        username: String(b.username ?? ''),
+        password: String(b.password ?? ''),
      },
    };
-  } else if ('bearer' in auth) {
+  }
+
+  if ('bearer' in auth && authType === 'bearer') {
+    const b = pmArrayToObj(auth.bearer);
+    // Postman uses key "token"
    return {
      authenticationType: 'bearer',
      authentication: {
-        token: auth.bearer.token || '',
+        token: String(b.token ?? ''),
      },
    };
-  } else {
-    return { authenticationType: null, authentication: {} };
  }
+
+  if ('awsv4' in auth && authType === 'awsv4') {
+    const a = pmArrayToObj(auth.awsv4);
+    return {
+      authenticationType: 'awsv4',
+      authentication: {
+        accessKeyId: a.accessKey != null ? String(a.accessKey) : undefined,
+        secretAccessKey: a.secretKey != null ? String(a.secretKey) : undefined,
+        sessionToken: a.sessionToken != null ? String(a.sessionToken) : undefined,
+        region: a.region != null ? String(a.region) : undefined,
+        service: a.service != null ? String(a.service) : undefined,
+      },
+    };
+  }
+
+  if ('apikey' in auth && authType === 'apikey') {
+    const a = pmArrayToObj(auth.apikey);
+    return {
+      authenticationType: 'apikey',
+      authentication: {
+        location: a.in === 'query' ? 'query' : 'header',
+        key: a.value != null ? String(a.value) : undefined,
+        value: a.key != null ? String(a.key) : undefined,
+      },
+    };
+  }
+
+  if ('jwt' in auth && authType === 'jwt') {
+    const a = pmArrayToObj(auth.jwt);
+    return {
+      authenticationType: 'jwt',
+      authentication: {
+        algorithm: a.algorithm != null ? String(a.algorithm).toUpperCase() : undefined,
+        secret: a.secret != null ? String(a.secret) : undefined,
+        secretBase64: !!a.isSecretBase64Encoded,
+        payload: a.payload != null ? String(a.payload) : undefined,
+        headerPrefix: a.headerPrefix != null ? String(a.headerPrefix) : undefined,
+        location: a.addTokenTo === 'header' ? 'header' : 'query',
+      },
+    };
+  }
+
+  if ('oauth2' in auth && authType === 'oauth2') {
+    const o = pmArrayToObj(auth.oauth2);
+
+    let grantType = o.grant_type ? String(o.grant_type) : 'authorization_code';
+    let pkcePatch: Record<string, unknown> = {};
+
+    if (grantType === 'authorization_code_with_pkce') {
+      grantType = 'authorization_code';
+      pkcePatch =
+        o.grant_type === 'authorization_code_with_pkce'
+          ? {
+              usePkce: true,
+              pkceChallengeMethod: o.challengeAlgorithm ?? undefined,
+              pkceCodeVerifier: o.code_verifier != null ? String(o.code_verifier) : undefined,
+            }
+          : {};
+    } else if (grantType === 'password_credentials') {
+      grantType = 'password';
+    }
+
+    const accessTokenUrl = o.accessTokenUrl != null ? String(o.accessTokenUrl) : undefined;
+    const audience = o.audience != null ? String(o.audience) : undefined;
+    const authorizationUrl = o.authUrl != null ? String(o.authUrl) : undefined;
+    const clientId = o.clientId != null ? String(o.clientId) : undefined;
+    const clientSecret = o.clientSecret != null ? String(o.clientSecret) : undefined;
+    const credentials = o.client_authentication === 'body' ? 'body' : undefined;
+    const headerPrefix = o.headerPrefix ?? 'Bearer';
+    const password = o.password != null ? String(o.password) : undefined;
+    const redirectUri = o.redirect_uri != null ? String(o.redirect_uri) : undefined;
+    const scope = o.scope != null ? String(o.scope) : undefined;
+    const state = o.state != null ? String(o.state) : undefined;
+    const username = o.username != null ? String(o.username) : undefined;
+
+    let grantPatch: Record<string, unknown> = {};
+    if (grantType === 'authorization_code') {
+      grantPatch = {
+        clientSecret,
+        authorizationUrl,
+        accessTokenUrl,
+        redirectUri,
+        state,
+        ...pkcePatch,
+      };
+    } else if (grantType === 'implicit') {
+      grantPatch = { authorizationUrl, redirectUri, state };
+    } else if (grantType === 'password') {
+      grantPatch = { clientSecret, accessTokenUrl, username, password };
+    } else if (grantType === 'client_credentials') {
+      grantPatch = { clientSecret, accessTokenUrl };
+    }
+
+    const authentication = {
+      name: 'oauth2',
+      grantType,
+      audience,
+      clientId,
+      credentials,
+      headerPrefix,
+      scope,
+      ...grantPatch,
+    } as Record<string, unknown>;
+
+    return { authenticationType: 'oauth2', authentication };
+  }
+
+  return { authenticationType: null, authentication: {} };
 }

 function importBody(rawBody: unknown): Pick<HttpRequest, 'body' | 'bodyType' | 'headers'> {
@@ -372,7 +509,10 @@ function toArray<T>(value: unknown): T[] {
 /** Recursively render all nested object properties */
 function convertTemplateSyntax<T>(obj: T): T {
  if (typeof obj === 'string') {
-    return obj.replace(/{{\s*(_\.)?([^}]+)\s*}}/g, '${[$2]}') as T;
+    return obj.replace(
+      /{{\s*(_\.)?([^}]*)\s*}}/g,
+      (_m, _dot, expr) => '${[' + expr.trim().replace(/^vault:/, '') + ']}',
+    ) as T;
  } else if (Array.isArray(obj) && obj != null) {
    return obj.map(convertTemplateSyntax) as T;
  } else if (typeof obj === 'object' && obj != null) {
--- a/plugins/importer-postman/tests/fixtures/auth.input.json
+++ b/plugins/importer-postman/tests/fixtures/auth.input.json
@@ -0,0 +1,828 @@
+{
+	"info": {
+		"_postman_id": "9e6dfada-256c-49ea-a38f-7d1b05b7ca2d",
+		"name": "Authentication",
+		"schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
+		"_exporter_id": "18798"
+	},
+	"item": [
+		{
+			"name": "No Auth",
+			"request": {
+				"auth": {
+					"type": "noauth"
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "https://yaak.app/x/echo",
+					"protocol": "https",
+					"host": [
+						"yaak",
+						"app"
+					],
+					"path": [
+						"x",
+						"echo"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "Inherit",
+			"request": {
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "https://yaak.app/x/echo",
+					"protocol": "https",
+					"host": [
+						"yaak",
+						"app"
+					],
+					"path": [
+						"x",
+						"echo"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "OAuth 2 Auth Code",
+			"protocolProfileBehavior": {
+				"disableBodyPruning": true
+			},
+			"request": {
+				"auth": {
+					"type": "oauth2",
+					"oauth2": [
+						{
+							"key": "grant_type",
+							"value": "authorization_code",
+							"type": "string"
+						},
+						{
+							"key": "headerPrefix",
+							"value": "Bearer",
+							"type": "string"
+						},
+						{
+							"key": "client_authentication",
+							"value": "header",
+							"type": "string"
+						},
+						{
+							"key": "challengeAlgorithm",
+							"value": "S256",
+							"type": "string"
+						},
+						{
+							"key": "refreshTokenUrl",
+							"value": "https://github.com/login/oauth/access_token",
+							"type": "string"
+						},
+						{
+							"key": "state",
+							"value": "state",
+							"type": "string"
+						},
+						{
+							"key": "scope",
+							"value": "scope",
+							"type": "string"
+						},
+						{
+							"key": "code_verifier",
+							"value": "verifier",
+							"type": "string"
+						},
+						{
+							"key": "clientSecret",
+							"value": "clientsecet",
+							"type": "string"
+						},
+						{
+							"key": "clientId",
+							"value": "cliend id",
+							"type": "string"
+						},
+						{
+							"key": "authUrl",
+							"value": "https://github.com/login/oauth/authorize",
+							"type": "string"
+						},
+						{
+							"key": "accessTokenUrl",
+							"value": "https://github.com/login/oauth/access_token",
+							"type": "string"
+						},
+						{
+							"key": "useBrowser",
+							"value": true,
+							"type": "boolean"
+						},
+						{
+							"key": "redirect_uri",
+							"value": "https://callback",
+							"type": "string"
+						},
+						{
+							"key": "tokenName",
+							"value": "name",
+							"type": "string"
+						},
+						{
+							"key": "addTokenTo",
+							"value": "header",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"body": {
+					"mode": "raw",
+					"raw": "{\n    \"hello\": \"world\"\n}",
+					"options": {
+						"raw": {
+							"language": "json"
+						}
+					}
+				},
+				"url": {
+					"raw": "{{vault:hello}}",
+					"host": [
+						"{{vault:hello}}"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "OAuth 2 Auth Code (PKCE)",
+			"protocolProfileBehavior": {
+				"disableBodyPruning": true
+			},
+			"request": {
+				"auth": {
+					"type": "oauth2",
+					"oauth2": [
+						{
+							"key": "headerPrefix",
+							"value": "Bearer",
+							"type": "string"
+						},
+						{
+							"key": "client_authentication",
+							"value": "header",
+							"type": "string"
+						},
+						{
+							"key": "challengeAlgorithm",
+							"value": "S256",
+							"type": "string"
+						},
+						{
+							"key": "refreshTokenUrl",
+							"value": "https://github.com/login/oauth/access_token",
+							"type": "string"
+						},
+						{
+							"key": "state",
+							"value": "state",
+							"type": "string"
+						},
+						{
+							"key": "scope",
+							"value": "scope",
+							"type": "string"
+						},
+						{
+							"key": "code_verifier",
+							"value": "verifier",
+							"type": "string"
+						},
+						{
+							"key": "grant_type",
+							"value": "authorization_code_with_pkce",
+							"type": "string"
+						},
+						{
+							"key": "clientSecret",
+							"value": "clientsecet",
+							"type": "string"
+						},
+						{
+							"key": "clientId",
+							"value": "cliend id",
+							"type": "string"
+						},
+						{
+							"key": "authUrl",
+							"value": "https://github.com/login/oauth/authorize",
+							"type": "string"
+						},
+						{
+							"key": "accessTokenUrl",
+							"value": "https://github.com/login/oauth/access_token",
+							"type": "string"
+						},
+						{
+							"key": "useBrowser",
+							"value": true,
+							"type": "boolean"
+						},
+						{
+							"key": "redirect_uri",
+							"value": "https://callback",
+							"type": "string"
+						},
+						{
+							"key": "tokenName",
+							"value": "name",
+							"type": "string"
+						},
+						{
+							"key": "addTokenTo",
+							"value": "header",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"body": {
+					"mode": "raw",
+					"raw": "{\n    \"hello\": \"world\"\n}",
+					"options": {
+						"raw": {
+							"language": "json"
+						}
+					}
+				},
+				"url": {
+					"raw": "{{vault:hello}}",
+					"host": [
+						"{{vault:hello}}"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "OAuth 2 Implicit",
+			"protocolProfileBehavior": {
+				"disableBodyPruning": true
+			},
+			"request": {
+				"auth": {
+					"type": "oauth2",
+					"oauth2": [
+						{
+							"key": "client_authentication",
+							"value": "header",
+							"type": "string"
+						},
+						{
+							"key": "redirect_uri",
+							"value": "https://yaak.app/x/echo",
+							"type": "string"
+						},
+						{
+							"key": "useBrowser",
+							"value": false,
+							"type": "boolean"
+						},
+						{
+							"key": "grant_type",
+							"value": "implicit",
+							"type": "string"
+						},
+						{
+							"key": "headerPrefix",
+							"value": "Bearer",
+							"type": "string"
+						},
+						{
+							"key": "challengeAlgorithm",
+							"value": "S256",
+							"type": "string"
+						},
+						{
+							"key": "refreshTokenUrl",
+							"value": "https://github.com/login/oauth/access_token",
+							"type": "string"
+						},
+						{
+							"key": "state",
+							"value": "state",
+							"type": "string"
+						},
+						{
+							"key": "scope",
+							"value": "scope",
+							"type": "string"
+						},
+						{
+							"key": "code_verifier",
+							"value": "verifier",
+							"type": "string"
+						},
+						{
+							"key": "clientSecret",
+							"value": "clientsecet",
+							"type": "string"
+						},
+						{
+							"key": "clientId",
+							"value": "cliend id",
+							"type": "string"
+						},
+						{
+							"key": "authUrl",
+							"value": "https://github.com/login/oauth/authorize",
+							"type": "string"
+						},
+						{
+							"key": "accessTokenUrl",
+							"value": "https://github.com/login/oauth/access_token",
+							"type": "string"
+						},
+						{
+							"key": "tokenName",
+							"value": "name",
+							"type": "string"
+						},
+						{
+							"key": "addTokenTo",
+							"value": "header",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"body": {
+					"mode": "raw",
+					"raw": "{\n    \"hello\": \"world\"\n}",
+					"options": {
+						"raw": {
+							"language": "json"
+						}
+					}
+				},
+				"url": {
+					"raw": "{{vault:hello}}",
+					"host": [
+						"{{vault:hello}}"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "OAuth 2 Password",
+			"protocolProfileBehavior": {
+				"disableBodyPruning": true
+			},
+			"request": {
+				"auth": {
+					"type": "oauth2",
+					"oauth2": [
+						{
+							"key": "password",
+							"value": "password",
+							"type": "string"
+						},
+						{
+							"key": "username",
+							"value": "username",
+							"type": "string"
+						},
+						{
+							"key": "clientSecret",
+							"value": "clientsecret",
+							"type": "string"
+						},
+						{
+							"key": "clientId",
+							"value": "clientid",
+							"type": "string"
+						},
+						{
+							"key": "grant_type",
+							"value": "password_credentials",
+							"type": "string"
+						},
+						{
+							"key": "client_authentication",
+							"value": "header",
+							"type": "string"
+						},
+						{
+							"key": "redirect_uri",
+							"value": "https://yaak.app/x/echo",
+							"type": "string"
+						},
+						{
+							"key": "useBrowser",
+							"value": false,
+							"type": "boolean"
+						},
+						{
+							"key": "headerPrefix",
+							"value": "Bearer",
+							"type": "string"
+						},
+						{
+							"key": "challengeAlgorithm",
+							"value": "S256",
+							"type": "string"
+						},
+						{
+							"key": "refreshTokenUrl",
+							"value": "https://github.com/login/oauth/access_token",
+							"type": "string"
+						},
+						{
+							"key": "state",
+							"value": "state",
+							"type": "string"
+						},
+						{
+							"key": "scope",
+							"value": "scope",
+							"type": "string"
+						},
+						{
+							"key": "code_verifier",
+							"value": "verifier",
+							"type": "string"
+						},
+						{
+							"key": "authUrl",
+							"value": "https://github.com/login/oauth/authorize",
+							"type": "string"
+						},
+						{
+							"key": "accessTokenUrl",
+							"value": "https://github.com/login/oauth/access_token",
+							"type": "string"
+						},
+						{
+							"key": "tokenName",
+							"value": "name",
+							"type": "string"
+						},
+						{
+							"key": "addTokenTo",
+							"value": "header",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"body": {
+					"mode": "raw",
+					"raw": "{\n    \"hello\": \"world\"\n}",
+					"options": {
+						"raw": {
+							"language": "json"
+						}
+					}
+				},
+				"url": {
+					"raw": "{{vault:hello}}",
+					"host": [
+						"{{vault:hello}}"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "OAuth 2 Client Credentials",
+			"protocolProfileBehavior": {
+				"disableBodyPruning": true
+			},
+			"request": {
+				"auth": {
+					"type": "oauth2",
+					"oauth2": [
+						{
+							"key": "grant_type",
+							"value": "client_credentials",
+							"type": "string"
+						},
+						{
+							"key": "password",
+							"value": "password",
+							"type": "string"
+						},
+						{
+							"key": "username",
+							"value": "username",
+							"type": "string"
+						},
+						{
+							"key": "clientSecret",
+							"value": "clientsecret",
+							"type": "string"
+						},
+						{
+							"key": "clientId",
+							"value": "clientid",
+							"type": "string"
+						},
+						{
+							"key": "client_authentication",
+							"value": "header",
+							"type": "string"
+						},
+						{
+							"key": "redirect_uri",
+							"value": "https://yaak.app/x/echo",
+							"type": "string"
+						},
+						{
+							"key": "useBrowser",
+							"value": false,
+							"type": "boolean"
+						},
+						{
+							"key": "headerPrefix",
+							"value": "Bearer",
+							"type": "string"
+						},
+						{
+							"key": "challengeAlgorithm",
+							"value": "S256",
+							"type": "string"
+						},
+						{
+							"key": "refreshTokenUrl",
+							"value": "https://github.com/login/oauth/access_token",
+							"type": "string"
+						},
+						{
+							"key": "state",
+							"value": "state",
+							"type": "string"
+						},
+						{
+							"key": "scope",
+							"value": "scope",
+							"type": "string"
+						},
+						{
+							"key": "code_verifier",
+							"value": "verifier",
+							"type": "string"
+						},
+						{
+							"key": "authUrl",
+							"value": "https://github.com/login/oauth/authorize",
+							"type": "string"
+						},
+						{
+							"key": "accessTokenUrl",
+							"value": "https://github.com/login/oauth/access_token",
+							"type": "string"
+						},
+						{
+							"key": "tokenName",
+							"value": "name",
+							"type": "string"
+						},
+						{
+							"key": "addTokenTo",
+							"value": "header",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"body": {
+					"mode": "raw",
+					"raw": "{\n    \"hello\": \"world\"\n}",
+					"options": {
+						"raw": {
+							"language": "json"
+						}
+					}
+				},
+				"url": {
+					"raw": "{{vault:hello}}",
+					"host": [
+						"{{vault:hello}}"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "AWS V4",
+			"request": {
+				"auth": {
+					"type": "awsv4",
+					"awsv4": [
+						{
+							"key": "sessionToken",
+							"value": "session",
+							"type": "string"
+						},
+						{
+							"key": "service",
+							"value": "s3",
+							"type": "string"
+						},
+						{
+							"key": "region",
+							"value": "us-west-1",
+							"type": "string"
+						},
+						{
+							"key": "secretKey",
+							"value": "secret",
+							"type": "string"
+						},
+						{
+							"key": "accessKey",
+							"value": "access",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "https://yaak.app/x/echo",
+					"protocol": "https",
+					"host": [
+						"yaak",
+						"app"
+					],
+					"path": [
+						"x",
+						"echo"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "API Key",
+			"request": {
+				"auth": {
+					"type": "apikey",
+					"apikey": [
+						{
+							"key": "in",
+							"value": "query",
+							"type": "string"
+						},
+						{
+							"key": "value",
+							"value": "value",
+							"type": "string"
+						},
+						{
+							"key": "key",
+							"value": "key",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "https://yaak.app/x/echo",
+					"protocol": "https",
+					"host": [
+						"yaak",
+						"app"
+					],
+					"path": [
+						"x",
+						"echo"
+					]
+				}
+			},
+			"response": []
+		},
+		{
+			"name": "JWT",
+			"request": {
+				"auth": {
+					"type": "jwt",
+					"jwt": [
+						{
+							"key": "header",
+							"value": "{\n    \"header\": \"foo\"\n}",
+							"type": "string"
+						},
+						{
+							"key": "headerPrefix",
+							"value": "Bearer",
+							"type": "string"
+						},
+						{
+							"key": "payload",
+							"value": "{\n    \"my\": \"payload\"\n}",
+							"type": "string"
+						},
+						{
+							"key": "isSecretBase64Encoded",
+							"value": false,
+							"type": "boolean"
+						},
+						{
+							"key": "secret",
+							"value": "mysecret",
+							"type": "string"
+						},
+						{
+							"key": "algorithm",
+							"value": "HS384",
+							"type": "string"
+						},
+						{
+							"key": "addTokenTo",
+							"value": "header",
+							"type": "string"
+						},
+						{
+							"key": "queryParamKey",
+							"value": "token",
+							"type": "string"
+						}
+					]
+				},
+				"method": "GET",
+				"header": [],
+				"url": {
+					"raw": "https://yaak.app/x/echo",
+					"protocol": "https",
+					"host": [
+						"yaak",
+						"app"
+					],
+					"path": [
+						"x",
+						"echo"
+					]
+				}
+			},
+			"response": []
+		}
+	],
+	"auth": {
+		"type": "basic",
+		"basic": [
+			{
+				"key": "password",
+				"value": "workspace_secret",
+				"type": "string"
+			},
+			{
+				"key": "username",
+				"value": "workspace",
+				"type": "string"
+			}
+		]
+	},
+	"event": [
+		{
+			"listen": "prerequest",
+			"script": {
+				"type": "text/javascript",
+				"packages": {},
+				"requests": {},
+				"exec": [
+					""
+				]
+			}
+		},
+		{
+			"listen": "test",
+			"script": {
+				"type": "text/javascript",
+				"packages": {},
+				"requests": {},
+				"exec": [
+					""
+				]
+			}
+		}
+	],
+	"variable": [
+		{
+			"key": "COLLECTION VARIABLE",
+			"value": "collection variable"
+		}
+	]
+}
--- a/plugins/importer-postman/tests/fixtures/auth.output.json
+++ b/plugins/importer-postman/tests/fixtures/auth.output.json
@@ -0,0 +1,304 @@
+{
+  "resources": {
+    "workspaces": [
+      {
+        "model": "workspace",
+        "id": "GENERATE_ID::WORKSPACE_0",
+        "name": "Authentication",
+        "authenticationType": "basic",
+        "authentication": {
+          "username": "workspace",
+          "password": "workspace_secret"
+        }
+      }
+    ],
+    "environments": [
+      {
+        "model": "environment",
+        "id": "GENERATE_ID::ENVIRONMENT_0",
+        "name": "Global Variables",
+        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "parentModel": "workspace",
+        "parentId": null,
+        "variables": [
+          {
+            "name": "COLLECTION VARIABLE",
+            "value": "collection variable"
+          }
+        ]
+      }
+    ],
+    "httpRequests": [
+      {
+        "model": "http_request",
+        "id": "GENERATE_ID::HTTP_REQUEST_0",
+        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "folderId": null,
+        "name": "No Auth",
+        "method": "GET",
+        "url": "https://yaak.app/x/echo",
+        "urlParameters": [],
+        "body": {},
+        "bodyType": null,
+        "sortPriority": 0,
+        "headers": [],
+        "authenticationType": "none",
+        "authentication": {}
+      },
+      {
+        "model": "http_request",
+        "id": "GENERATE_ID::HTTP_REQUEST_1",
+        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "folderId": null,
+        "name": "Inherit",
+        "method": "GET",
+        "url": "https://yaak.app/x/echo",
+        "urlParameters": [],
+        "body": {},
+        "bodyType": null,
+        "sortPriority": 1,
+        "headers": [],
+        "authenticationType": null,
+        "authentication": {}
+      },
+      {
+        "model": "http_request",
+        "id": "GENERATE_ID::HTTP_REQUEST_2",
+        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "folderId": null,
+        "name": "OAuth 2 Auth Code",
+        "method": "GET",
+        "url": "${[hello]}",
+        "urlParameters": [],
+        "body": {
+          "text": "{\n    \"hello\": \"world\"\n}"
+        },
+        "bodyType": "application/json",
+        "sortPriority": 2,
+        "headers": [
+          {
+            "name": "Content-Type",
+            "value": "application/json",
+            "enabled": true
+          }
+        ],
+        "authenticationType": "oauth2",
+        "authentication": {
+          "name": "oauth2",
+          "grantType": "authorization_code",
+          "clientId": "cliend id",
+          "headerPrefix": "Bearer",
+          "scope": "scope",
+          "clientSecret": "clientsecet",
+          "authorizationUrl": "https://github.com/login/oauth/authorize",
+          "accessTokenUrl": "https://github.com/login/oauth/access_token",
+          "redirectUri": "https://callback",
+          "state": "state"
+        }
+      },
+      {
+        "model": "http_request",
+        "id": "GENERATE_ID::HTTP_REQUEST_3",
+        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "folderId": null,
+        "name": "OAuth 2 Auth Code (PKCE)",
+        "method": "GET",
+        "url": "${[hello]}",
+        "urlParameters": [],
+        "body": {
+          "text": "{\n    \"hello\": \"world\"\n}"
+        },
+        "bodyType": "application/json",
+        "sortPriority": 3,
+        "headers": [
+          {
+            "name": "Content-Type",
+            "value": "application/json",
+            "enabled": true
+          }
+        ],
+        "authenticationType": "oauth2",
+        "authentication": {
+          "name": "oauth2",
+          "grantType": "authorization_code",
+          "clientId": "cliend id",
+          "headerPrefix": "Bearer",
+          "scope": "scope",
+          "clientSecret": "clientsecet",
+          "authorizationUrl": "https://github.com/login/oauth/authorize",
+          "accessTokenUrl": "https://github.com/login/oauth/access_token",
+          "redirectUri": "https://callback",
+          "state": "state",
+          "usePkce": true,
+          "pkceChallengeMethod": "S256",
+          "pkceCodeVerifier": "verifier"
+        }
+      },
+      {
+        "model": "http_request",
+        "id": "GENERATE_ID::HTTP_REQUEST_4",
+        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "folderId": null,
+        "name": "OAuth 2 Implicit",
+        "method": "GET",
+        "url": "${[hello]}",
+        "urlParameters": [],
+        "body": {
+          "text": "{\n    \"hello\": \"world\"\n}"
+        },
+        "bodyType": "application/json",
+        "sortPriority": 4,
+        "headers": [
+          {
+            "name": "Content-Type",
+            "value": "application/json",
+            "enabled": true
+          }
+        ],
+        "authenticationType": "oauth2",
+        "authentication": {
+          "name": "oauth2",
+          "grantType": "implicit",
+          "clientId": "cliend id",
+          "headerPrefix": "Bearer",
+          "scope": "scope",
+          "authorizationUrl": "https://github.com/login/oauth/authorize",
+          "redirectUri": "https://yaak.app/x/echo",
+          "state": "state"
+        }
+      },
+      {
+        "model": "http_request",
+        "id": "GENERATE_ID::HTTP_REQUEST_5",
+        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "folderId": null,
+        "name": "OAuth 2 Password",
+        "method": "GET",
+        "url": "${[hello]}",
+        "urlParameters": [],
+        "body": {
+          "text": "{\n    \"hello\": \"world\"\n}"
+        },
+        "bodyType": "application/json",
+        "sortPriority": 5,
+        "headers": [
+          {
+            "name": "Content-Type",
+            "value": "application/json",
+            "enabled": true
+          }
+        ],
+        "authenticationType": "oauth2",
+        "authentication": {
+          "name": "oauth2",
+          "grantType": "password",
+          "clientId": "clientid",
+          "headerPrefix": "Bearer",
+          "scope": "scope",
+          "clientSecret": "clientsecret",
+          "accessTokenUrl": "https://github.com/login/oauth/access_token",
+          "username": "username",
+          "password": "password"
+        }
+      },
+      {
+        "model": "http_request",
+        "id": "GENERATE_ID::HTTP_REQUEST_6",
+        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "folderId": null,
+        "name": "OAuth 2 Client Credentials",
+        "method": "GET",
+        "url": "${[hello]}",
+        "urlParameters": [],
+        "body": {
+          "text": "{\n    \"hello\": \"world\"\n}"
+        },
+        "bodyType": "application/json",
+        "sortPriority": 6,
+        "headers": [
+          {
+            "name": "Content-Type",
+            "value": "application/json",
+            "enabled": true
+          }
+        ],
+        "authenticationType": "oauth2",
+        "authentication": {
+          "name": "oauth2",
+          "grantType": "client_credentials",
+          "clientId": "clientid",
+          "headerPrefix": "Bearer",
+          "scope": "scope",
+          "clientSecret": "clientsecret",
+          "accessTokenUrl": "https://github.com/login/oauth/access_token"
+        }
+      },
+      {
+        "model": "http_request",
+        "id": "GENERATE_ID::HTTP_REQUEST_7",
+        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "folderId": null,
+        "name": "AWS V4",
+        "method": "GET",
+        "url": "https://yaak.app/x/echo",
+        "urlParameters": [],
+        "body": {},
+        "bodyType": null,
+        "sortPriority": 7,
+        "headers": [],
+        "authenticationType": "awsv4",
+        "authentication": {
+          "accessKeyId": "access",
+          "secretAccessKey": "secret",
+          "sessionToken": "session",
+          "region": "us-west-1",
+          "service": "s3"
+        }
+      },
+      {
+        "model": "http_request",
+        "id": "GENERATE_ID::HTTP_REQUEST_8",
+        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "folderId": null,
+        "name": "API Key",
+        "method": "GET",
+        "url": "https://yaak.app/x/echo",
+        "urlParameters": [],
+        "body": {},
+        "bodyType": null,
+        "sortPriority": 8,
+        "headers": [],
+        "authenticationType": "apikey",
+        "authentication": {
+          "location": "query",
+          "key": "value",
+          "value": "key"
+        }
+      },
+      {
+        "model": "http_request",
+        "id": "GENERATE_ID::HTTP_REQUEST_9",
+        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "folderId": null,
+        "name": "JWT",
+        "method": "GET",
+        "url": "https://yaak.app/x/echo",
+        "urlParameters": [],
+        "body": {},
+        "bodyType": null,
+        "sortPriority": 9,
+        "headers": [],
+        "authenticationType": "jwt",
+        "authentication": {
+          "algorithm": "HS384",
+          "secret": "mysecret",
+          "secretBase64": false,
+          "payload": "{\n    \"my\": \"payload\"\n}",
+          "headerPrefix": "Bearer",
+          "location": "header"
+        }
+      }
+    ],
+    "folders": []
+  }
+}
--- a/plugins/importer-postman/tests/fixtures/nested.output.json
+++ b/plugins/importer-postman/tests/fixtures/nested.output.json
@@ -3,24 +3,28 @@
    "workspaces": [
      {
        "model": "workspace",
-        "id": "GENERATE_ID::WORKSPACE_0",
-        "name": "New Collection"
+        "id": "GENERATE_ID::WORKSPACE_1",
+        "name": "New Collection",
+        "authenticationType": null,
+        "authentication": {}
      }
    ],
    "environments": [
      {
-        "id": "GENERATE_ID::ENVIRONMENT_0",
        "model": "environment",
+        "id": "GENERATE_ID::ENVIRONMENT_1",
        "name": "Global Variables",
-        "variables": [],
-        "workspaceId": "GENERATE_ID::WORKSPACE_0"
+        "workspaceId": "GENERATE_ID::WORKSPACE_1",
+        "parentModel": "workspace",
+        "parentId": null,
+        "variables": []
      }
    ],
    "httpRequests": [
      {
        "model": "http_request",
-        "id": "GENERATE_ID::HTTP_REQUEST_0",
-        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "id": "GENERATE_ID::HTTP_REQUEST_10",
+        "workspaceId": "GENERATE_ID::WORKSPACE_1",
        "folderId": "GENERATE_ID::FOLDER_1",
        "name": "Request 1",
        "method": "GET",
@@ -28,14 +32,15 @@
        "urlParameters": [],
        "body": {},
        "bodyType": null,
-        "authentication": {},
+        "sortPriority": 2,
+        "headers": [],
        "authenticationType": null,
-        "headers": []
+        "authentication": {}
      },
      {
        "model": "http_request",
-        "id": "GENERATE_ID::HTTP_REQUEST_1",
-        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "id": "GENERATE_ID::HTTP_REQUEST_11",
+        "workspaceId": "GENERATE_ID::WORKSPACE_1",
        "folderId": "GENERATE_ID::FOLDER_0",
        "name": "Request 2",
        "method": "GET",
@@ -43,14 +48,15 @@
        "urlParameters": [],
        "body": {},
        "bodyType": null,
-        "authentication": {},
+        "sortPriority": 3,
+        "headers": [],
        "authenticationType": null,
-        "headers": []
+        "authentication": {}
      },
      {
        "model": "http_request",
-        "id": "GENERATE_ID::HTTP_REQUEST_2",
-        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "id": "GENERATE_ID::HTTP_REQUEST_12",
+        "workspaceId": "GENERATE_ID::WORKSPACE_1",
        "folderId": null,
        "name": "Request 3",
        "method": "GET",
@@ -58,22 +64,25 @@
        "urlParameters": [],
        "body": {},
        "bodyType": null,
-        "authentication": {},
+        "sortPriority": 4,
+        "headers": [],
        "authenticationType": null,
-        "headers": []
+        "authentication": {}
      }
    ],
    "folders": [
      {
        "model": "folder",
-        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "sortPriority": 0,
+        "workspaceId": "GENERATE_ID::WORKSPACE_1",
        "id": "GENERATE_ID::FOLDER_0",
        "name": "Top Folder",
        "folderId": null
      },
      {
        "model": "folder",
-        "workspaceId": "GENERATE_ID::WORKSPACE_0",
+        "sortPriority": 1,
+        "workspaceId": "GENERATE_ID::WORKSPACE_1",
        "id": "GENERATE_ID::FOLDER_1",
        "name": "Nested Folder",
        "folderId": "GENERATE_ID::FOLDER_0"
--- a/plugins/importer-postman/tests/fixtures/params.input.json
+++ b/plugins/importer-postman/tests/fixtures/params.input.json
@@ -14,7 +14,7 @@
          "bearer": [
            {
              "key": "token",
-              "value": "baeare",
+              "value": "my-token",
              "type": "string"
            }
          ]
--- a/plugins/importer-postman/tests/fixtures/params.output.json
+++ b/plugins/importer-postman/tests/fixtures/params.output.json
@@ -3,16 +3,23 @@
    "workspaces": [
      {
        "model": "workspace",
-        "id": "GENERATE_ID::WORKSPACE_1",
-        "name": "New Collection"
+        "id": "GENERATE_ID::WORKSPACE_2",
+        "name": "New Collection",
+        "authenticationType": "basic",
+        "authentication": {
+          "username": "globaluser",
+          "password": "globalpass"
+        }
      }
    ],
    "environments": [
      {
-        "id": "GENERATE_ID::ENVIRONMENT_1",
-        "workspaceId": "GENERATE_ID::WORKSPACE_1",
        "model": "environment",
+        "id": "GENERATE_ID::ENVIRONMENT_2",
        "name": "Global Variables",
+        "workspaceId": "GENERATE_ID::WORKSPACE_2",
+        "parentModel": "workspace",
+        "parentId": null,
        "variables": [
          {
            "name": "COLLECTION VARIABLE",
@@ -24,8 +31,8 @@
    "httpRequests": [
      {
        "model": "http_request",
-        "id": "GENERATE_ID::HTTP_REQUEST_3",
-        "workspaceId": "GENERATE_ID::WORKSPACE_1",
+        "id": "GENERATE_ID::HTTP_REQUEST_13",
+        "workspaceId": "GENERATE_ID::WORKSPACE_2",
        "folderId": null,
        "name": "Form URL",
        "method": "POST",
@@ -68,10 +75,7 @@
          ]
        },
        "bodyType": "multipart/form-data",
-        "authentication": {
-          "token": ""
-        },
-        "authenticationType": "bearer",
+        "sortPriority": 0,
        "headers": [
          {
            "name": "X-foo",
@@ -88,7 +92,11 @@
            "value": "multipart/form-data",
            "enabled": true
          }
-        ]
+        ],
+        "authenticationType": "bearer",
+        "authentication": {
+          "token": "my-token"
+        }
      }
    ],
    "folders": []
--- a/plugins/importer-postman/tests/index.test.ts
+++ b/plugins/importer-postman/tests/index.test.ts
@@ -17,7 +17,9 @@ describe('importer-postman', () => {
      const expected = fs.readFileSync(path.join(p, fixture.replace('.input', '.output')), 'utf-8');
      const result = convertPostman(contents);
      // console.log(JSON.stringify(result, null, 2))
-      expect(result).toEqual(JSON.parse(expected));
+      expect(JSON.stringify(result, null, 2)).toEqual(
+        JSON.stringify(JSON.parse(expected), null, 2),
+      );
    });
  }
 });
--- a/plugins/importer-yaak/package.json
+++ b/plugins/importer-yaak/package.json
@@ -7,6 +7,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx",
+    "test": "vitest --run tests"
  }
 }
--- a/plugins/importer-yaak/src/index.ts
+++ b/plugins/importer-yaak/src/index.ts
@@ -66,7 +66,20 @@ export function migrateImport(contents: string) {
    }
  }

-  return { resources: parsed.resources }; // Should already be in the correct format
+  // Migrate v4 to v5
+  for (const environment of parsed.resources.environments ?? []) {
+    if ('base' in environment && environment.base && environment.parentModel == null) {
+      environment.parentModel = 'workspace';
+      environment.parentId = null;
+      delete environment.base;
+    } else if ('base' in environment && !environment.base && environment.parentModel == null) {
+      environment.parentModel = 'environment';
+      environment.parentId = null;
+      delete environment.base;
+    }
+  }
+
+  return { resources: parsed.resources };
 }

 function isJSObject(obj: unknown) {
--- a/plugins/importer-yaak/tests/index.test.ts
+++ b/plugins/importer-yaak/tests/index.test.ts
@@ -31,16 +31,20 @@ describe('importer-yaak', () => {
      JSON.stringify({
        yaakSchema: 2,
        resources: {
-          environments: [{
-            id: 'e_1',
-            workspaceId: 'w_1',
-            name: 'Production',
-            variables: [{ name: 'E1', value: 'E1!' }],
-          }],
-          workspaces: [{
-            id: 'w_1',
-            variables: [{ name: 'W1', value: 'W1!' }],
-          }],
+          environments: [
+            {
+              id: 'e_1',
+              workspaceId: 'w_1',
+              name: 'Production',
+              variables: [{ name: 'E1', value: 'E1!' }],
+            },
+          ],
+          workspaces: [
+            {
+              id: 'w_1',
+              variables: [{ name: 'W1', value: 'W1!' }],
+            },
+          ],
        },
      }),
    );
@@ -48,21 +52,98 @@ describe('importer-yaak', () => {
    expect(imported).toEqual(
      expect.objectContaining({
        resources: {
-          workspaces: [{
-            id: 'w_1',
-          }],
-          environments: [{
-            id: 'e_1',
-            base: false,
-            workspaceId: 'w_1',
-            name: 'Production',
-            variables: [{ name: 'E1', value: 'E1!' }],
-          }, {
-            id: 'GENERATE_ID::base_env_w_1',
-            workspaceId: 'w_1',
-            name: 'Global Variables',
-            variables: [{ name: 'W1', value: 'W1!' }],
-          }],
+          workspaces: [
+            {
+              id: 'w_1',
+            },
+          ],
+          environments: [
+            {
+              id: 'e_1',
+              workspaceId: 'w_1',
+              name: 'Production',
+              variables: [{ name: 'E1', value: 'E1!' }],
+              parentModel: 'environment',
+              parentId: null,
+            },
+            {
+              id: 'GENERATE_ID::base_env_w_1',
+              workspaceId: 'w_1',
+              name: 'Global Variables',
+              variables: [{ name: 'W1', value: 'W1!' }],
+            },
+          ],
+        },
+      }),
+    );
+  });
+
+  test('converts schema 4 to 5', () => {
+    const imported = migrateImport(
+      JSON.stringify({
+        yaakSchema: 2,
+        resources: {
+          environments: [
+            {
+              id: 'e_1',
+              workspaceId: 'w_1',
+              base: false,
+              name: 'Production',
+              variables: [{ name: 'E1', value: 'E1!' }],
+            },
+            {
+              id: 'e_1',
+              workspaceId: 'w_1',
+              base: true,
+              name: 'Global Variables',
+              variables: [{ name: 'G1', value: 'G1!' }],
+            },
+          ],
+          folders: [
+            {
+              id: 'f_1',
+            },
+          ],
+          workspaces: [
+            {
+              id: 'w_1',
+            },
+          ],
+        },
+      }),
+    );
+
+    expect(imported).toEqual(
+      expect.objectContaining({
+        resources: {
+          workspaces: [
+            {
+              id: 'w_1',
+            },
+          ],
+          folders: [
+            {
+              id: 'f_1',
+            },
+          ],
+          environments: [
+            {
+              id: 'e_1',
+              workspaceId: 'w_1',
+              name: 'Production',
+              variables: [{ name: 'E1', value: 'E1!' }],
+              parentModel: 'environment',
+              parentId: null,
+            },
+            {
+              id: 'e_1',
+              workspaceId: 'w_1',
+              name: 'Global Variables',
+              parentModel: 'workspace',
+              parentId: null,
+              variables: [{ name: 'G1', value: 'G1!' }],
+            },
+          ],
        },
      }),
    );
--- a/plugins/template-function-cookie/package.json
+++ b/plugins/template-function-cookie/package.json
@@ -7,6 +7,6 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  }
 }
--- a/plugins/template-function-encode/package.json
+++ b/plugins/template-function-encode/package.json
@@ -7,6 +7,6 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  }
 }
--- a/plugins/template-function-encode/src/index.ts
+++ b/plugins/template-function-encode/src/index.ts
@@ -5,9 +5,29 @@ export const plugin: PluginDefinition = {
    {
      name: 'base64.encode',
      description: 'Encode a value to base64',
-      args: [{ label: 'Plain Text', type: 'text', name: 'value', multiLine: true }],
+      args: [
+        {
+          label: 'Encoding',
+          type: 'select',
+          name: 'encoding',
+          defaultValue: 'base64',
+          options: [
+            {
+              label: 'Base64',
+              value: 'base64',
+            },
+            {
+              label: 'Base64 URL-safe',
+              value: 'base64url',
+            },
+          ],
+        },
+        { label: 'Plain Text', type: 'text', name: 'value', multiLine: true },
+      ],
      async onRender(_ctx: Context, args: CallTemplateFunctionArgs): Promise<string | null> {
-        return Buffer.from(String(args.values.value ?? '')).toString('base64');
+        return Buffer.from(String(args.values.value ?? '')).toString(
+          args.values.encoding === 'base64url' ? 'base64url' : 'base64',
+        );
      },
    },
    {
--- a/plugins/template-function-fs/package.json
+++ b/plugins/template-function-fs/package.json
@@ -7,6 +7,6 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  }
 }
--- a/plugins/template-function-fs/src/index.ts
+++ b/plugins/template-function-fs/src/index.ts
@@ -1,17 +1,39 @@
 import type { CallTemplateFunctionArgs, Context, PluginDefinition } from '@yaakapp/api';
 import fs from 'node:fs';

+const options = [
+  { label: 'ASCII', value: 'ascii' },
+  { label: 'UTF-8', value: 'utf8' },
+  { label: 'UTF-16 LE', value: 'utf16le' },
+  { label: 'Base64', value: 'base64' },
+  { label: 'Base64 URL-safe', value: 'base64url' },
+  { label: 'Latin-1', value: 'latin1' },
+  { label: 'Hexadecimal', value: 'hex' },
+];
 export const plugin: PluginDefinition = {
  templateFunctions: [
    {
      name: 'fs.readFile',
      description: 'Read the contents of a file as utf-8',
-      args: [{ title: 'Select File', type: 'file', name: 'path', label: 'File' }],
+      args: [
+        { title: 'Select File', type: 'file', name: 'path', label: 'File' },
+        {
+          title: 'Select encoding',
+          type: 'select',
+          name: 'encoding',
+          label: 'Encoding',
+          defaultValue: 'utf8',
+          description: 'Specifies how the file’s bytes are decoded into text when read',
+          options,
+        },
+      ],
      async onRender(_ctx: Context, args: CallTemplateFunctionArgs): Promise<string | null> {
-        if (!args.values.path) return null;
+        if (!args.values.path || !args.values.encoding) return null;

        try {
-          return fs.promises.readFile(String(args.values.path ?? ''), 'utf-8');
+          return fs.promises.readFile(String(args.values.path ?? ''), {
+            encoding: String(args.values.encoding ?? 'utf-8') as BufferEncoding,
+          });
        } catch {
          return null;
        }
--- a/plugins/template-function-hash/package.json
+++ b/plugins/template-function-hash/package.json
@@ -7,6 +7,6 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  }
 }
--- a/plugins/template-function-json/package.json
+++ b/plugins/template-function-json/package.json
@@ -7,7 +7,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  },
  "dependencies": {
    "jsonpath-plus": "^10.3.0"
--- a/plugins/template-function-prompt/package.json
+++ b/plugins/template-function-prompt/package.json
@@ -7,6 +7,6 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  }
 }
--- a/plugins/template-function-random/package.json
+++ b/plugins/template-function-random/package.json
@@ -0,0 +1,12 @@
+{
+  "name": "@yaak/template-function-random",
+  "displayName": "Random Template Functions",
+  "description": "Template functions for generating random values",
+  "private": true,
+  "version": "0.1.0",
+  "scripts": {
+    "build": "yaakcli build",
+    "dev": "yaakcli dev",
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
+  }
+}
--- a/plugins/template-function-random/src/index.ts
+++ b/plugins/template-function-random/src/index.ts
@@ -0,0 +1,43 @@
+import type { CallTemplateFunctionArgs, Context, PluginDefinition } from '@yaakapp/api';
+
+export const plugin: PluginDefinition = {
+  templateFunctions: [
+    {
+      name: 'random.range',
+      description: 'Generate a random number between two values',
+      args: [
+        {
+          type: 'text',
+          name: 'min',
+          label: 'Minimum',
+          defaultValue: '0',
+        },
+        {
+          type: 'text',
+          name: 'max',
+          label: 'Maximum',
+          defaultValue: '1',
+        },
+        {
+          type: 'text',
+          name: 'decimals',
+          optional: true,
+          label: 'Decimal Places',
+        },
+      ],
+      async onRender(_ctx: Context, args: CallTemplateFunctionArgs): Promise<string | null> {
+        const min = args.values.min ? parseInt(String(args.values.min ?? '0')) : 0;
+        const max = args.values.max ? parseInt(String(args.values.max ?? '1')) : 1;
+        const decimals = args.values.decimals
+          ? parseInt(String(args.values.decimals ?? '0'))
+          : null;
+
+        let value = Math.random() * (max - min) + min;
+        if (decimals !== null) {
+          value = Math.round(value * Math.pow(10, decimals)) / Math.pow(10, decimals);
+        }
+        return String(value);
+      },
+    },
+  ],
+};
--- a/plugins/template-function-random/tsconfig.json
+++ b/plugins/template-function-random/tsconfig.json
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
--- a/plugins/template-function-regex/package.json
+++ b/plugins/template-function-regex/package.json
@@ -7,6 +7,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx",
+    "test": "vitest --run tests"
  }
 }
--- a/plugins/template-function-regex/src/index.ts
+++ b/plugins/template-function-regex/src/index.ts
@@ -1,32 +1,74 @@
+import type { TemplateFunctionArg } from '@yaakapp-internal/plugins';
 import type { CallTemplateFunctionArgs, Context, PluginDefinition } from '@yaakapp/api';

+const inputArg: TemplateFunctionArg = {
+  type: 'text',
+  name: 'input',
+  label: 'Input Text',
+  multiLine: true,
+};
+
+const regexArg: TemplateFunctionArg = {
+  type: 'text',
+  name: 'regex',
+  label: 'Regular Expression',
+  placeholder: '\\w+',
+  defaultValue: '.*',
+  description:
+    'A JavaScript regular expression. Use a capture group to reference parts of the match in the replacement.',
+};
+
 export const plugin: PluginDefinition = {
  templateFunctions: [
    {
      name: 'regex.match',
-      description: 'Extract',
-      args: [
-        {
-          type: 'text',
-          name: 'regex',
-          label: 'Regular Expression',
-          placeholder: '^\\w+=(?<value>\\w*)$',
-          defaultValue: '^(.*)$',
-          description:
-            'A JavaScript regular expression, evaluated using the Node.js RegExp engine. Capture groups or named groups can be used to extract values.',
-        },
-        { type: 'text', name: 'input', label: 'Input Text', multiLine: true },
-      ],
+      description: 'Extract text using a regular expression',
+      args: [inputArg, regexArg],
      async onRender(_ctx: Context, args: CallTemplateFunctionArgs): Promise<string | null> {
-        if (!args.values.regex || !args.values.input) return '';
+        const input = String(args.values.input ?? '');
+        const regex = new RegExp(String(args.values.regex ?? ''));

-        const input = String(args.values.input);
-        const regex = new RegExp(String(args.values.regex));
        const match = input.match(regex);
        return match?.groups
          ? (Object.values(match.groups)[0] ?? '')
          : (match?.[1] ?? match?.[0] ?? '');
      },
    },
+    {
+      name: 'regex.replace',
+      description: 'Replace text using a regular expression',
+      args: [
+        inputArg,
+        regexArg,
+        {
+          type: 'text',
+          name: 'replacement',
+          label: 'Replacement Text',
+          placeholder: 'hello $1',
+          description:
+            'The replacement text. Use $1, $2, ... to reference capture groups or $& to reference the entire match.',
+        },
+        {
+          type: 'text',
+          name: 'flags',
+          label: 'Flags',
+          placeholder: 'g',
+          defaultValue: 'g',
+          optional: true,
+          description:
+            'Regular expression flags (g for global, i for case-insensitive, m for multiline, etc.)',
+        },
+      ],
+      async onRender(_ctx: Context, args: CallTemplateFunctionArgs): Promise<string | null> {
+        const input = String(args.values.input ?? '');
+        const replacement = String(args.values.replacement ?? '');
+        const flags = String(args.values.flags || '');
+        const regex = String(args.values.regex);
+
+        if (!regex) return '';
+
+        return input.replace(new RegExp(String(args.values.regex), flags), replacement);
+      },
+    },
  ],
 };
--- a/plugins/template-function-regex/tests/regex.test.ts
+++ b/plugins/template-function-regex/tests/regex.test.ts
@@ -0,0 +1,194 @@
+import { describe, expect, it } from 'vitest';
+import type { Context } from '@yaakapp/api';
+import { plugin } from '../src';
+
+describe('regex.match', () => {
+  const matchFunction = plugin.templateFunctions!.find(f => f.name === 'regex.match');
+
+  it('should exist', () => {
+    expect(matchFunction).toBeDefined();
+  });
+
+  it('should extract first capture group', async () => {
+    const result = await matchFunction!.onRender({} as Context, {
+      values: {
+        regex: 'Hello (\\w+)',
+        input: 'Hello World',
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('World');
+  });
+
+  it('should extract named capture group', async () => {
+    const result = await matchFunction!.onRender({} as Context, {
+      values: {
+        regex: 'Hello (?<name>\\w+)',
+        input: 'Hello World',
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('World');
+  });
+
+  it('should return full match when no capture groups', async () => {
+    const result = await matchFunction!.onRender({} as Context, {
+      values: {
+        regex: 'Hello \\w+',
+        input: 'Hello World'
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('Hello World');
+  });
+
+  it('should return empty string when no match', async () => {
+    const result = await matchFunction!.onRender({} as Context, {
+      values: {
+        regex: 'Goodbye',
+        input: 'Hello World'
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('');
+  });
+
+  it('should return empty string when regex is empty', async () => {
+    const result = await matchFunction!.onRender({} as Context, {
+      values: {
+        regex: '',
+        input: 'Hello World'
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('');
+  });
+
+  it('should return empty string when input is empty', async () => {
+    const result = await matchFunction!.onRender({} as Context, {
+      values: {
+        regex: 'Hello',
+        input: ''
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('');
+  });
+});
+
+describe('regex.replace', () => {
+  const replaceFunction = plugin.templateFunctions!.find(f => f.name === 'regex.replace');
+
+  it('should exist', () => {
+    expect(replaceFunction).toBeDefined();
+  });
+
+  it('should replace one occurrence by default', async () => {
+    const result = await replaceFunction!.onRender({} as Context, {
+      values: {
+        regex: 'o',
+        input: 'Hello World',
+        replacement: 'a'
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('Hella World');
+  });
+
+  it('should replace with capture groups', async () => {
+    const result = await replaceFunction!.onRender({} as Context, {
+      values: {
+        regex: '(\\w+) (\\w+)',
+        input: 'Hello World',
+        replacement: '$2 $1'
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('World Hello');
+  });
+
+  it('should replace with full match reference', async () => {
+    const result = await replaceFunction!.onRender({} as Context, {
+      values: {
+        regex: 'World',
+        input: 'Hello World',
+        replacement: '[$&]'
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('Hello [World]');
+  });
+
+  it('should respect flags parameter', async () => {
+    const result = await replaceFunction!.onRender({} as Context, {
+      values: {
+        regex: 'hello',
+        input: 'Hello World',
+        replacement: 'Hi',
+        flags: 'i'
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('Hi World');
+  });
+
+  it('should handle empty replacement', async () => {
+    const result = await replaceFunction!.onRender({} as Context, {
+      values: {
+        regex: 'World',
+        input: 'Hello World',
+        replacement: ''
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('Hello ');
+  });
+
+  it('should return original input when no match', async () => {
+    const result = await replaceFunction!.onRender({} as Context, {
+      values: {
+        regex: 'Goodbye',
+        input: 'Hello World',
+        replacement: 'Hi'
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('Hello World');
+  });
+
+  it('should return empty string when regex is empty', async () => {
+    const result = await replaceFunction!.onRender({} as Context, {
+      values: {
+        regex: '',
+        input: 'Hello World',
+        replacement: 'Hi'
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('');
+  });
+
+  it('should return empty string when input is empty', async () => {
+    const result = await replaceFunction!.onRender({} as Context, {
+      values: {
+        regex: 'Hello',
+        input: '',
+        replacement: 'Hi'
+      },
+      purpose: 'send',
+    });
+    expect(result).toBe('');
+  });
+
+  it('should throw on invalid regex', async () => {
+    const fn = replaceFunction!.onRender({} as Context, {
+      values: {
+        regex: '[',
+        input: 'Hello World',
+        replacement: 'Hi'
+      },
+      purpose: 'send',
+    });
+    await expect(fn).rejects.toThrow('Invalid regular expression: /[/: Unterminated character class');
+  });
+});
--- a/plugins/template-function-request/package.json
+++ b/plugins/template-function-request/package.json
@@ -7,6 +7,6 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  }
 }
--- a/plugins/template-function-request/src/index.ts
+++ b/plugins/template-function-request/src/index.ts
@@ -1,4 +1,4 @@
-import type { HttpUrlParameter } from '@yaakapp-internal/models';
+import type { AnyModel, HttpUrlParameter } from '@yaakapp-internal/models';
 import type { CallTemplateFunctionArgs, Context, PluginDefinition } from '@yaakapp/api';

 export const plugin: PluginDefinition = {
@@ -96,5 +96,59 @@ export const plugin: PluginDefinition = {
        return renderedValue;
      },
    },
+    {
+      name: 'request.name',
+      args: [
+        {
+          name: 'requestId',
+          label: 'Http Request',
+          type: 'http_request',
+        },
+      ],
+      async onRender(ctx: Context, args: CallTemplateFunctionArgs): Promise<string | null> {
+        const requestId = String(args.values.requestId ?? 'n/a');
+        const httpRequest = await ctx.httpRequest.getById({ id: requestId });
+        if (httpRequest == null) return null;
+
+        return resolvedModelName(httpRequest);
+      },
+    },
  ],
 };
+
+// TODO: Use a common function for this, but it fails to build on windows during CI if I try importing it here
+export function resolvedModelName(r: AnyModel | null): string {
+  if (r == null) return '';
+
+  if (!('url' in r) || r.model === 'plugin') {
+    return 'name' in r ? r.name : '';
+  }
+
+  // Return name if it has one
+  if ('name' in r && r.name) {
+    return r.name;
+  }
+
+  // Replace variable syntax with variable name
+  const withoutVariables = r.url.replace(/\$\{\[\s*([^\]\s]+)\s*]}/g, '$1');
+  if (withoutVariables.trim() === '') {
+    return r.model === 'http_request'
+      ? r.bodyType && r.bodyType === 'graphql'
+        ? 'GraphQL Request'
+        : 'HTTP Request'
+      : r.model === 'websocket_request'
+        ? 'WebSocket Request'
+        : 'gRPC Request';
+  }
+
+  // GRPC gets nice short names
+  if (r.model === 'grpc_request' && r.service != null && r.method != null) {
+    const shortService = r.service.split('.').pop();
+    return `${shortService}/${r.method}`;
+  }
+
+  // Strip unnecessary protocol
+  const withoutProto = withoutVariables.replace(/^(http|https|ws|wss):\/\//, '');
+
+  return withoutProto;
+}
--- a/plugins/template-function-response/package.json
+++ b/plugins/template-function-response/package.json
@@ -7,7 +7,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  },
  "dependencies": {
    "jsonpath-plus": "^10.3.0",
--- a/plugins/template-function-response/src/index.ts
+++ b/plugins/template-function-response/src/index.ts
@@ -3,25 +3,44 @@ import type {
  CallTemplateFunctionArgs,
  Context,
  FormInput,
+  GetHttpAuthenticationConfigRequest,
  HttpResponse,
  PluginDefinition,
  RenderPurpose,
 } from '@yaakapp/api';
+import type { DynamicTemplateFunctionArg } from '@yaakapp/api/lib/plugins/TemplateFunctionPlugin';
 import { JSONPath } from 'jsonpath-plus';
 import { readFileSync } from 'node:fs';
 import xpath from 'xpath';

+const BEHAVIOR_TTL = 'ttl';
+const BEHAVIOR_ALWAYS = 'always';
+const BEHAVIOR_SMART = 'smart';
+
 const behaviorArg: FormInput = {
  type: 'select',
  name: 'behavior',
  label: 'Sending Behavior',
  defaultValue: 'smart',
  options: [
-    { label: 'When no responses', value: 'smart' },
-    { label: 'Always', value: 'always' },
+    { label: 'When no responses', value: BEHAVIOR_SMART },
+    { label: 'Always', value: BEHAVIOR_ALWAYS },
+    { label: 'When expired', value: BEHAVIOR_TTL },
  ],
 };

+const ttlArg: DynamicTemplateFunctionArg = {
+  type: 'text',
+  name: 'ttl',
+  label: 'Expiration Time (seconds)',
+  placeholder: '0',
+  description: 'Resend the request when the latest response is older than this many seconds, or if there are no responses yet.',
+  dynamic(_ctx: Context, { values }: GetHttpAuthenticationConfigRequest) {
+    const show = values.behavior === BEHAVIOR_TTL;
+    return { hidden: !show };
+  },
+};
+
 const requestArg: FormInput = {
  type: 'http_request',
  name: 'request',
@@ -42,6 +61,7 @@ export const plugin: PluginDefinition = {
          placeholder: 'Content-Type',
        },
        behaviorArg,
+        ttlArg,
      ],
      async onRender(ctx: Context, args: CallTemplateFunctionArgs): Promise<string | null> {
        if (!args.values.request || !args.values.header) return null;
@@ -50,6 +70,7 @@ export const plugin: PluginDefinition = {
          requestId: String(args.values.request || ''),
          purpose: args.purpose,
          behavior: args.values.behavior ? String(args.values.behavior) : null,
+          ttl: String(args.values.ttl || ''),
        });
        if (response == null) return null;

@@ -72,6 +93,7 @@ export const plugin: PluginDefinition = {
          placeholder: '$.books[0].id or /books[0]/id',
        },
        behaviorArg,
+        ttlArg,
      ],
      async onRender(ctx: Context, args: CallTemplateFunctionArgs): Promise<string | null> {
        if (!args.values.request || !args.values.path) return null;
@@ -80,6 +102,7 @@ export const plugin: PluginDefinition = {
          requestId: String(args.values.request || ''),
          purpose: args.purpose,
          behavior: args.values.behavior ? String(args.values.behavior) : null,
+          ttl: String(args.values.ttl || ''),
        });
        if (response == null) return null;

@@ -113,7 +136,7 @@ export const plugin: PluginDefinition = {
      name: 'response.body.raw',
      description: 'Access the entire response body, as text',
      aliases: ['response'],
-      args: [requestArg, behaviorArg],
+      args: [requestArg, behaviorArg, ttlArg],
      async onRender(ctx: Context, args: CallTemplateFunctionArgs): Promise<string | null> {
        if (!args.values.request) return null;

@@ -121,6 +144,7 @@ export const plugin: PluginDefinition = {
          requestId: String(args.values.request || ''),
          purpose: args.purpose,
          behavior: args.values.behavior ? String(args.values.behavior) : null,
+          ttl: String(args.values.ttl || ''),
        });
        if (response == null) return null;

@@ -177,9 +201,11 @@ async function getResponse(
    requestId,
    behavior,
    purpose,
+    ttl,
  }: {
    requestId: string;
    behavior: string | null;
+    ttl: string | null;
    purpose: RenderPurpose;
  },
 ): Promise<HttpResponse | null> {
@@ -203,7 +229,11 @@ async function getResponse(
  const finalBehavior = behavior === 'always' && purpose === 'preview' ? 'smart' : behavior;

  // Send if no responses and "smart," or "always"
-  if ((finalBehavior === 'smart' && response == null) || finalBehavior === 'always') {
+  if (
+    (finalBehavior === 'smart' && response == null) ||
+    finalBehavior === 'always' ||
+    (finalBehavior === BEHAVIOR_TTL && shouldSendExpired(response, ttl))
+  ) {
    // NOTE: Render inside this conditional, or we'll get infinite recursion (render->render->...)
    const renderedHttpRequest = await ctx.httpRequest.render({ httpRequest, purpose });
    response = await ctx.httpRequest.send({ httpRequest: renderedHttpRequest });
@@ -211,3 +241,12 @@ async function getResponse(

  return response;
 }
+
+function shouldSendExpired(response: HttpResponse | null, ttl: string | null): boolean {
+  if (response == null) return true;
+  const ttlSeconds = parseInt(ttl || '0');
+  if (isNaN(ttlSeconds)) throw new Error(`Invalid TTL "${ttl}"`);
+  const nowMillis = Date.now();
+  const respMillis = new Date(response.createdAt + 'Z').getTime();
+  return respMillis + ttlSeconds * 1000 < nowMillis;
+}
--- a/plugins/template-function-timestamp/package.json
+++ b/plugins/template-function-timestamp/package.json
@@ -0,0 +1,15 @@
+{
+  "name": "@yaak/template-function-timestamp",
+  "private": true,
+  "version": "0.1.0",
+  "scripts": {
+    "build": "yaakcli build",
+    "dev": "yaakcli dev",
+    "lint": "tsc --noEmit && eslint . --ext .ts,.tsx",
+    "test": "vitest --run tests"
+  },
+  "dependencies": {
+    "@date-fns/tz": "^1.4.1",
+    "date-fns": "^4.1.0"
+  }
+}
--- a/plugins/template-function-timestamp/src/index.ts
+++ b/plugins/template-function-timestamp/src/index.ts
@@ -0,0 +1,170 @@
+import type { TemplateFunctionArg } from '@yaakapp-internal/plugins';
+import type { PluginDefinition } from '@yaakapp/api';
+
+import type { ContextFn } from 'date-fns';
+import {
+  addDays,
+  addHours,
+  addMinutes,
+  addMonths,
+  addSeconds,
+  addYears,
+  format as formatDate,
+  isValid,
+  parseISO,
+  subDays,
+  subHours,
+  subMinutes,
+  subMonths,
+  subSeconds,
+  subYears,
+} from 'date-fns';
+
+const dateArg: TemplateFunctionArg = {
+  type: 'text',
+  name: 'date',
+  label: 'Timestamp',
+  optional: true,
+  description:
+    'Can be a timestamp in milliseconds, ISO string, or anything parseable by JS `new Date()`',
+  placeholder: new Date().toISOString(),
+};
+
+const expressionArg: TemplateFunctionArg = {
+  type: 'text',
+  name: 'expression',
+  label: 'Expression',
+  description: "Modification expression (eg. '-5d +2h 3m'). Available units: y, M, d, h, m, s",
+  optional: true,
+  placeholder: '-5d +2h 3m',
+};
+
+const formatArg: TemplateFunctionArg = {
+  name: 'format',
+  label: 'Format String',
+  description: "Format string to describe the output (eg. 'yyyy-MM-dd at HH:mm:ss')",
+  optional: true,
+  placeholder: 'yyyy-MM-dd HH:mm:ss',
+  type: 'text',
+};
+
+export const plugin: PluginDefinition = {
+  templateFunctions: [
+    {
+      name: 'timestamp.unix',
+      description: 'Get the timestamp in seconds',
+      args: [dateArg],
+      onRender: async (_ctx, args) => {
+        const d = parseDateString(String(args.values.date ?? ''));
+        return String(Math.floor(d.getTime() / 1000));
+      },
+    },
+    {
+      name: 'timestamp.unixMillis',
+      description: 'Get the timestamp in milliseconds',
+      args: [dateArg],
+      onRender: async (_ctx, args) => {
+        const d = parseDateString(String(args.values.date ?? ''));
+        return String(d.getTime());
+      },
+    },
+    {
+      name: 'timestamp.iso8601',
+      description: 'Get the date in ISO8601 format',
+      args: [dateArg],
+      onRender: async (_ctx, args) => {
+        const d = parseDateString(String(args.values.date ?? ''));
+        return d.toISOString();
+      },
+    },
+    {
+      name: 'timestamp.format',
+      description: 'Format a date using a dayjs-compatible format string',
+      args: [dateArg, formatArg],
+      onRender: async (_ctx, args) => formatDatetime(args.values),
+    },
+    {
+      name: 'timestamp.offset',
+      description: 'Get the offset of a date based on an expression',
+      args: [dateArg, expressionArg],
+      onRender: async (_ctx, args) => calculateDatetime(args.values),
+    },
+  ],
+};
+
+function applyDateOp(d: Date, sign: string, amount: number, unit: string): Date {
+  switch (unit) {
+    case 'y':
+      return sign === '-' ? subYears(d, amount) : addYears(d, amount);
+    case 'M':
+      return sign === '-' ? subMonths(d, amount) : addMonths(d, amount);
+    case 'd':
+      return sign === '-' ? subDays(d, amount) : addDays(d, amount);
+    case 'h':
+      return sign === '-' ? subHours(d, amount) : addHours(d, amount);
+    case 'm':
+      return sign === '-' ? subMinutes(d, amount) : addMinutes(d, amount);
+    case 's':
+      return sign === '-' ? subSeconds(d, amount) : addSeconds(d, amount);
+    default:
+      throw new Error(`Invalid data calculation unit: ${unit}`);
+  }
+}
+
+function parseOp(op: string): { sign: string; amount: number; unit: string } | null {
+  const match = op.match(/^([+-]?)(\d+)([yMdhms])$/);
+  if (!match) {
+    throw new Error(`Invalid date expression: ${op}`);
+  }
+  const [, sign, amount, unit] = match;
+  if (!unit) return null;
+  return { sign: sign ?? '+', amount: Number(amount ?? 0), unit };
+}
+
+function parseDateString(date: string): Date {
+  if (!date.trim()) {
+    return new Date();
+  }
+
+  const isoDate = parseISO(date);
+  if (isValid(isoDate)) {
+    return isoDate;
+  }
+
+  const jsDate = /^\d+(\.\d+)?$/.test(date) ? new Date(Number(date)) : new Date(date);
+  if (isValid(jsDate)) {
+    return jsDate;
+  }
+
+  throw new Error(`Invalid date: ${date}`);
+}
+
+export function calculateDatetime(args: { date?: string; expression?: string }): string {
+  const { date, expression } = args;
+  let jsDate = parseDateString(date ?? '');
+
+  if (expression) {
+    const ops = String(expression)
+      .split(' ')
+      .map((s) => s.trim())
+      .filter(Boolean);
+    for (const op of ops) {
+      const parsed = parseOp(op);
+      if (parsed) {
+        jsDate = applyDateOp(jsDate, parsed.sign, parsed.amount, parsed.unit);
+      }
+    }
+  }
+
+  return jsDate.toISOString();
+}
+
+export function formatDatetime(args: {
+  date?: string;
+  format?: string;
+  in?: ContextFn<Date>;
+}): string {
+  const { date, format } = args;
+  const d = parseDateString(date ?? '');
+  return formatDate(d, String(format || 'yyyy-MM-dd HH:mm:ss'), { in: args.in });
+}
--- a/plugins/template-function-timestamp/tests/formatDatetime.test.ts
+++ b/plugins/template-function-timestamp/tests/formatDatetime.test.ts
@@ -0,0 +1,72 @@
+import { describe, expect, it } from 'vitest';
+import { calculateDatetime, formatDatetime } from '../src';
+import { tz } from "@date-fns/tz";
+
+describe('formatDatetime', () => {
+  it('returns formatted current date', () => {
+    const result = formatDatetime({});
+    expect(result).toMatch(/\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}/);
+  });
+
+  it('returns formatted specific date', () => {
+    const result = formatDatetime({ date: '2025-07-13T12:34:56' });
+    expect(result).toBe('2025-07-13 12:34:56');
+  });
+
+  it('returns formatted specific timestamp', () => {
+    const result = formatDatetime({ date: '1752435296000', in: tz('America/Vancouver') });
+    expect(result).toBe('2025-07-13 12:34:56');
+  });
+
+  it('returns formatted specific timestamp with decimals', () => {
+    const result = formatDatetime({ date: '1752435296000.19', in: tz('America/Vancouver') });
+    expect(result).toBe('2025-07-13 12:34:56');
+  });
+
+  it('returns formatted date with custom output', () => {
+    const result = formatDatetime({ date: '2025-07-13T12:34:56', format: 'dd/MM/yyyy' });
+    expect(result).toBe('13/07/2025');
+  });
+
+  it('handles invalid date gracefully', () => {
+    expect(() => formatDatetime({ date: 'invalid-date' })).toThrow('Invalid date: invalid-date');
+  });
+});
+
+describe('calculateDatetime', () => {
+  it('returns ISO string for current date', () => {
+    const result = calculateDatetime({});
+    expect(result).toMatch(/\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}/);
+  });
+
+  it('returns ISO string for specific date', () => {
+    const result = calculateDatetime({ date: '2025-07-13T12:34:56Z' });
+    expect(result).toBe('2025-07-13T12:34:56.000Z');
+  });
+
+  it('applies calc operations', () => {
+    const result = calculateDatetime({ date: '2025-07-13T12:00:00Z', expression: '+1d 2h' });
+    expect(result).toBe('2025-07-14T14:00:00.000Z');
+  });
+
+  it('applies negative calc operations', () => {
+    const result = calculateDatetime({ date: '2025-07-13T12:00:00Z', expression: '-1d -2h 1m' });
+    expect(result).toBe('2025-07-12T10:01:00.000Z');
+  });
+
+  it('throws error for invalid unit', () => {
+    expect(() => calculateDatetime({ date: '2025-07-13T12:00:00Z', expression: '+1x' })).toThrow(
+      'Invalid date expression: +1x',
+    );
+  });
+  it('throws error for invalid unit weird', () => {
+    expect(() => calculateDatetime({ date: '2025-07-13T12:00:00Z', expression: '+1&#^%' })).toThrow(
+      'Invalid date expression: +1&#^%',
+    );
+  });
+  it('throws error for bad expression', () => {
+    expect(() =>
+      calculateDatetime({ date: '2025-07-13T12:00:00Z', expression: 'bad expr' }),
+    ).toThrow('Invalid date expression: bad');
+  });
+});
--- a/plugins/template-function-timestamp/tsconfig.json
+++ b/plugins/template-function-timestamp/tsconfig.json
@@ -0,0 +1,3 @@
+{
+  "extends": "../../tsconfig.json"
+}
--- a/plugins/template-function-uuid/package.json
+++ b/plugins/template-function-uuid/package.json
@@ -7,7 +7,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  },
  "dependencies": {
    "uuid": "^11.1.0"
--- a/plugins/template-function-xml/package.json
+++ b/plugins/template-function-xml/package.json
@@ -7,7 +7,7 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  },
  "dependencies": {
    "@xmldom/xmldom": "^0.9.8",
--- a/plugins/themes-yaak/package.json
+++ b/plugins/themes-yaak/package.json
@@ -7,6 +7,6 @@
  "scripts": {
    "build": "yaakcli build",
    "dev": "yaakcli dev",
-    "lint": "eslint . --ext .ts,.tsx"
+    "lint":"tsc --noEmit && eslint . --ext .ts,.tsx"
  }
 }
--- a/plugins/themes-yaak/src/index.ts
+++ b/plugins/themes-yaak/src/index.ts
@@ -2,6 +2,49 @@ import type { PluginDefinition } from '@yaakapp/api';

 export const plugin: PluginDefinition = {
  themes: [
+    {
+      id: 'high-contrast',
+      label: 'High Contrast Light',
+      dark: false,
+      base: {
+        surface: 'white',
+        surfaceHighlight: 'hsl(218,24%,93%)',
+        text: 'black',
+        textSubtle: 'hsl(217,24%,40%)',
+        textSubtlest: 'hsl(217,24%,40%)',
+        border: 'hsl(217,22%,50%)',
+        borderSubtle: 'hsl(217,22%,60%)',
+        primary: 'hsl(267,67%,47%)',
+        secondary: 'hsl(218,18%,53%)',
+        info: 'hsl(206,100%,36%)',
+        success: 'hsl(155,100%,26%)',
+        notice: 'hsl(45,100%,31%)',
+        warning: 'hsl(30,99%,34%)',
+        danger: 'hsl(334,100%,35%)',
+      },
+    },
+    {
+      id: 'high-contrast-dark',
+      label: 'High Contrast Dark',
+      dark: true,
+      base: {
+        surface: 'hsl(0,0%,0%)',
+        surfaceHighlight: 'hsl(0,0%,20%)',
+        text: 'hsl(0,0%,100%)',
+        textSubtle: 'hsl(0,0%,90%)',
+        textSubtlest: 'hsl(0,0%,80%)',
+        selection: 'hsl(276,100%,30%)',
+        surfaceActive: 'hsl(276,100%,30%)',
+        border: 'hsl(0,0%,60%)',
+        primary: 'hsl(266,100%,85%)',
+        secondary: 'hsl(242,20%,72%)',
+        info: 'hsl(208,100%,83%)',
+        success: 'hsl(150,100%,63%)',
+        notice: 'hsl(49,100%,77%)',
+        warning: 'hsl(28,100%,73%)',
+        danger: 'hsl(343,100%,79%)',
+      },
+    },
    {
      id: 'catppuccin-frappe',
      label: 'Catppuccin Frappé',
@@ -595,5 +638,112 @@ export const plugin: PluginDefinition = {
        danger: 'hsl(343,81%,75%)',
      },
    },
+    {
+      id: 'rose-pine',
+      label: 'Rosé Pine',
+      dark: true,
+      base: {
+        surface: 'hsl(249,22%,12%)',
+        text: 'hsl(245,50%,91%)',
+        textSubtle: 'hsl(248,15%,61%)',
+        textSubtlest: 'hsl(249,12%,47%)',
+        primary: 'hsl(267,57%,78%)',
+        secondary: 'hsl(249,12%,47%)',
+        info: 'hsl(199,49%,60%)',
+        success: 'hsl(180,43%,73%)',
+        notice: 'hsl(35,88%,72%)',
+        warning: 'hsl(1,74%,79%)',
+        danger: 'hsl(343,76%,68%)',
+      },
+      components: {
+        responsePane: {
+          surface: 'hsl(247,23%,15%)',
+        },
+        sidebar: {
+          surface: 'hsl(247,23%,15%)',
+        },
+        menu: {
+          surface: 'hsl(248,21%,26%)',
+          textSubtle: 'hsl(248,15%,66%)',
+          textSubtlest: 'hsl(249,12%,52%)',
+          border: 'hsl(248,21%,35%)',
+          borderSubtle: 'hsl(248,21%,33%)',
+        },
+      },
+    },
+    {
+      id: 'rose-pine-moon',
+      label: 'Rosé Pine Moon',
+      dark: true,
+      base: {
+        surface: 'hsl(246,24%,17%)',
+        text: 'hsl(245,50%,91%)',
+        textSubtle: 'hsl(248,15%,61%)',
+        textSubtlest: 'hsl(249,12%,47%)',
+        primary: 'hsl(267,57%,78%)',
+        secondary: 'hsl(248,15%,61%)',
+        info: 'hsl(197,48%,60%)',
+        success: 'hsl(197,48%,60%)',
+        notice: 'hsl(35,88%,72%)',
+        warning: 'hsl(2,66%,75%)',
+        danger: 'hsl(343,76%,68%)',
+      },
+      components: {
+        responsePane: {
+          surface: 'hsl(247,24%,20%)',
+        },
+        sidebar: {
+          surface: 'hsl(247,24%,20%)',
+        },
+        menu: {
+          surface: 'hsl(248,21%,26%)',
+          textSubtle: 'hsl(248,15%,61%)',
+          textSubtlest: 'hsl(249,12%,55%)',
+          border: 'hsl(248,21%,35%)',
+          borderSubtle: 'hsl(248,21%,31%)',
+        },
+      },
+    },
+    {
+      id: 'rose-pine-dawn',
+      label: 'Rosé Pine Dawn',
+      dark: false,
+      base: {
+        surface: 'hsl(32,57%,95%)',
+        border: 'hsl(10,9%,86%)',
+        surfaceHighlight: 'hsl(25,35%,93%)',
+        text: 'hsl(248,19%,40%)',
+        textSubtle: 'hsl(248,12%,52%)',
+        textSubtlest: 'hsl(257,9%,61%)',
+        primary: 'hsl(271,27%,56%)',
+        secondary: 'hsl(249,12%,47%)',
+        info: 'hsl(197,52%,36%)',
+        success: 'hsl(188,31%,45%)',
+        notice: 'hsl(34,64%,49%)',
+        warning: 'hsl(2,47%,64%)',
+        danger: 'hsl(343,35%,55%)',
+      },
+      components: {
+        responsePane: {
+          border: 'hsl(20,12%,90%)',
+        },
+        sidebar: {
+          border: 'hsl(20,12%,90%)',
+        },
+        appHeader: {
+          border: 'hsl(20,12%,90%)',
+        },
+        input: {
+          border: 'hsl(10,9%,86%)',
+        },
+        dialog: {
+          border: 'hsl(20,12%,90%)',
+        },
+        menu: {
+          surface: 'hsl(28,40%,92%)',
+          border: 'hsl(10,9%,86%)',
+        },
+      },
+    },
  ],
 };
--- a/src-tauri/Cargo.lock
+++ b/src-tauri/Cargo.lock
--- a/Show More
+++ b/Show More