Manual token management
When the generated auth script doesn’t work or isn’t available, Spectral provides manual alternatives to get tokens into managed storage.
Extracting tokens from traces
The spectral auth extract command scans all captured traces for auth headers and writes them directly to token.json. It tries a fast path first (looking for Authorization headers directly) and falls back to the LLM to identify other auth headers if needed.
This is the quickest way to get a working token when you already have authenticated traffic in your captures. Unlike auth analyze, it does not produce a reusable script — the extracted tokens will expire and cannot be refreshed automatically.
Manual header injection
If you already have a token from another source, inject it directly:
    spectral auth set myapp -H "Authorization: Bearer eyJ..."
For cookie-based authentication:
    spectral auth set myapp -c "session=abc123"
Multiple headers and cookies can be combined:
    spectral auth set myapp -H "Authorization: Bearer eyJ..." -c "csrf=xyz"
Body-based authentication
Some APIs (Firebase-based apps, POST-based APIs) pass credentials in the request body instead of HTTP headers. Use -b / --body-param to inject key-value pairs into every authenticated request body:
    spectral auth set myapp -b "userToken=eyJ..." -b "userId=abc123"
Headers and body params can be combined when both are needed:
    spectral auth set myapp -H "X-Api-Key: key123" -b "userToken=eyJ..."
If none of --header, --cookie, or --body-param is given, the command prompts for a token interactively and stores it as Authorization: Bearer <token>.
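Extracted and manually injected tokens are not refreshed automatically, so it is worth reading a JWT's exp claim before storing it. The shell functions below are an added example, not part of Spectral: the function names and sample tokens are constructed here, and the code assumes an unencrypted JWT and a base64 that accepts -d (GNU coreutils). It reads the claim without verifying the signature.

```shell
# Added example (not part of Spectral): check a JWT's exp claim before
# handing the token to `spectral auth set`. Function names are hypothetical.

# Print the numeric exp claim of a JWT, or nothing if it cannot be read.
# The signature is NOT verified; this only decodes the payload.
jwt_exp() {
  # The payload is the second dot-separated segment, base64url-encoded.
  _p=$(printf '%s' "$1" | cut -s -d. -f2 | tr '_-' '/+')
  # base64url drops padding; restore it so base64 -d accepts the input.
  case $(( ${#_p} % 4 )) in
    2) _p="$_p==" ;;
    3) _p="$_p=" ;;
  esac
  printf '%s' "$_p" | { base64 -d 2>/dev/null || true; } |
    sed -n 's/.*"exp"[[:space:]]*:[[:space:]]*\([0-9][0-9]*\).*/\1/p'
}

# Print valid, expired, or unknown (opaque token or no exp claim).
# $2 optionally overrides the current time in epoch seconds.
token_status() {
  _exp=$(jwt_exp "$1")
  _now=${2:-$(date +%s)}
  if [ -z "$_exp" ]; then echo unknown
  elif [ "$_exp" -gt "$_now" ]; then echo valid
  else echo expired
  fi
}

# Store the token as a Bearer header only if it has not already expired.
set_if_fresh() {  # usage: set_if_fresh <app> <token>
  case $(token_status "$2") in
    expired) echo "token expired, not stored" >&2; return 1 ;;
    unknown) echo "no exp claim found, storing anyway" >&2 ;;
  esac
  spectral auth set "$1" -H "Authorization: Bearer $2"
}

# Constructed sample: an unsigned, JWT-shaped token with the given exp value.
sample_jwt() {
  _body=$(printf '{"sub":"demo","exp":%s}' "$1" | base64 | tr -d '=\n' | tr '/+' '_-')
  printf 'eyJhbGciOiJub25lIn0.%s.sig' "$_body"
}

token_status "$(sample_jwt 4102444800)"   # exp in the year 2100
token_status "$(sample_jwt 1000000000)"   # exp in 2001
```

An opaque (non-JWT) token reports unknown, in which case expiry can only be discovered when the API starts rejecting requests.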
Clearing credentials
To remove stored credentials for an app:
    spectral auth logout myapp
This deletes token.json from managed storage.