Auth & Credentials
Data source credentials are stored encrypted using AES-256-GCM. They are decrypted at runtime and injected into the script — scripts never see raw secrets.
Auth types
None
No authentication. Use for public APIs or APIs on internal networks.
Basic Auth
Username and password. ApiMeld constructs the Authorization: Basic base64(user:pass) header automatically.
Custom Header
A single custom HTTP header with a name and value. Use for API key authentication:
- Header name: X-API-Key
- Header value: your-api-key-here
Or for Bearer tokens:
- Header name: Authorization
- Header value: Bearer your-token-here
Injected variable
The auth header(s) are injected into the script as:
- PowerShell: $AuthHeaders (hashtable — pass directly to -Headers)
- JavaScript/TypeScript: authHeaders (object — spread into fetch headers)
- Python: AUTH_HEADERS env var (JSON string — parse with json.loads)
- Bash: AUTH_HEADERS_JSON env var (JSON string — parse with jq)
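For the Python case in the list above, an added example (not ApiMeld's own code) of consuming AUTH_HEADERS defensively: it parses the JSON, fails closed on malformed values or values containing line breaks, and masks header values before anything is logged. The sample header value, the api.example.com URL and the empty result when the variable is unset are assumptions.

```python
import json
import os
import urllib.request

# Constructed sample of what the runtime is assumed to place in AUTH_HEADERS.
SAMPLE_AUTH_HEADERS = '{"X-API-Key": "constructed-example-key"}'


def load_auth_headers(environ=os.environ):
    """Parse AUTH_HEADERS into a dict of header name -> value, failing closed."""
    raw = environ.get("AUTH_HEADERS")
    if not raw:
        return {}  # assumption: auth type "None" injects nothing
    try:
        headers = json.loads(raw)
    except json.JSONDecodeError:
        # Do not echo the raw value: it may contain the credential.
        raise ValueError("AUTH_HEADERS is not valid JSON") from None
    if not isinstance(headers, dict):
        raise ValueError("AUTH_HEADERS must be a JSON object")
    for name, value in headers.items():
        if not isinstance(value, str):
            raise ValueError(f"header {name!r} must have a string value")
        # CR/LF in a header would let a value smuggle extra header lines.
        if any(c in "\r\n" for c in name + value):
            raise ValueError(f"header {name!r} contains a line break")
    return headers


def redact(headers):
    """Copy of the headers that is safe to log: names kept, values masked."""
    return {name: "***" for name in headers}


def build_request(url, headers):
    """Build a GET request carrying the injected auth headers plus our own."""
    return urllib.request.Request(url, headers={**headers, "Accept": "application/json"})


if __name__ == "__main__":
    auth = load_auth_headers({"AUTH_HEADERS": SAMPLE_AUTH_HEADERS})
    req = build_request("https://api.example.com/items", auth)  # placeholder URL
    print("sending with headers:", redact(dict(req.header_items())))
```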
```powershell
# PowerShell — auth headers passed directly
Invoke-RestMethod -Uri $url -Headers $AuthHeaders
```
```javascript
// JavaScript — spread into fetch
const res = await fetch(url, { headers: { ...authHeaders, 'Content-Type': 'application/json' } })
```
Rotating credentials
Update the credential on the data source — all tasks using it will pick up the new value on their next run. No task edits required.
Sharing without credentials
When sharing a data source with another user, you can choose whether to include credentials. Without credentials, the recipient can use the data source in scripts (ApiMeld injects the credentials at runtime) but cannot view or export them.