Encrypted Text, Sharable Environments, and Nested Functions

It’s now possible to securely share variables and other sensitive fields via Directory / Git Sync!

Whether collaborating with a team or simply backing up your workspaces, you can REST 😉 easy knowing your secrets are safe. There are a few different features that make this possible, so let’s dig into them one by one.

🔐 Encrypted text and variables

Encryption is the main element behind sharing secrets. Without it, you’d be exposing your secrets to the world as plain-text. 🙈

The new secure(...) Template Function can be used to encrypt any portion of text within Yaak—anywhere environment variables are supported.

Encryption must be enabled for each workspace, which will generate and store an encryption key using your host OS’s keychain. Back this key up and share it with your team, as it will be necessary to access secure values on other devices.

Workspace encryption keys are encrypted using a master key stored in your OS’s keyring before being saved to Yaak’s local database.

Closes Secrets Encryption

✍🏼 Secure inputs

To avoid remembering to use the secure(...) function, Yaak will use a secure input when it guesses that a value may contain sensitive text.

Fields like passwords or bearer tokens are obviously sensitive, but Yaak will also try to guess headers and other fields (eg. a header named X-Token).

🔄 Sharable environments

Environments were previously excluded from directory sync to prevent accidentally exposing sensitive values to Git or other tools. With the new encryption feature, environments can now be marked as “sharable” which will cause them to be included in data exports and directory sync.

When encryption is enabled, any variable added will automatically be encrypted, and Yaak will provide a stern warning if a public environment happens to contain unencrypted values.

Closes Environments in directory sync

🪆 Nested template functions

Secure values needed to be usable within template function arguments, so I made it happen. Yaak now also supports nested template functions and variables!

It’s now possible to chain functions to do useful things like get the hash of a password.

Fixes and Improvements

2025.2.3

• Stale variables when switching environments

2025.2.2

• Activate the request after importing a Curl command
• Format as JSON when application/javascript return JSON

2025.2.1

• Support audience OAuth 2 field
• Sidebar scrollbar not clickable
• Pasting auth results in invisible text
• Editing the URL sometimes crashes the app on Linux
• Missing content-length header sometimes
• Url input selects text on window focus
• Disable proxy without losing configuration
• Insomnia v5 import format
• Send metadata/auth during gRPC reflection
• Copy body only works on first click
• Duplicate environment
• Missing scrollbar on request list
• Command palette not displaying all requests
• Elapsed time not stopping on failure
• Not rendering text response
• Realtime display of response timer
• Using Chinese characters in request parameters can result in errors
• Secrets Encryption
• Handle variables in gRPC reflection
• Cannot rename websocket request
• Always show gRPC introspection menu
• Base64-encode arguments to template functions
• Git commit not respecting repo config
• Scrollbar not visible in HTTP response pane
• Some keyboard shortcuts are hidden
• Search matches are low contrast
• Issue with HTML response detection
• Ignore whitespace in response type detection
• Websocket close message doesn’t close client side (#175
• Allow underscore-prefixed variable names
• Token not refreshed using oauth2
• Self-referencing variable crashes the app
• Font issues on Linux (#178
• Selected element turns font bold
• Crash when parsing gRPC schema (#194 by @hxzhao527)
• More reliable template grammar
• Crash when parsing gRPC schema (#194 by @hxzhao527)
• OAuth implicit flow closes window (#8 by @Blond11516)
• Don’t mark environments as external in Git
• Allow disabling window decorations (#176 by @AlphaNecron)
• Unescape unicode in response viewer (#203 by @WalysonGO)
• Don’t send trailing ? for websocket requests with no query params
• Fix padding in authentication tab
• Add ReactJS error boundaries to prevent crashing the entire UI
• Use regular JSON text viewer for gRPC messages
• Fix scrolling in environment editor
• Use the correct variable resolution within the environment editor by making an environment “sharable” via the right-click menu of the environment edit dialog.
• Fix FOREIGN KEY constraint failed during some sync and import operations
• Only prompt for keychain password once
• More flexible match for SSE content-type
• Allow disabling window controls on Windows/Linux (#176 by @AlphaNecron)
• Fix window header with larger font sizes (#182 by @jzhangdev)
• Decode unicode literals in response viewer (#203 by @WalysonGO)
• Fix GraphQL introspection infinite loop
• Improved path parameters highlighting grammar
• Do not vendor libdbus for accessing Linux secret-service
• Fix labels in gRPC method selection (#188 by @null-dev)
• Properly refresh Git info after init
• Nested template functions (eg. hash.sha256(fs.readFile(...)))
• Multi-line environment variables and query/form values
• Move editor search UI from bottom to top
• Fix auto-closing editor brackets by @hxzhao527) by @OHermesJunior)
• Fail render on missing variables
• Fix protobuf include path for gRPC (#179 by @null-dev)
• Fix plugin manager listening address (#177 by @hxzhao527)
• Add ability to deactivate license