Encrypted Text, Sharable Environments, and Nested Functions

📦 2025.2.1

Support audience OAuth 2 field
Sidebar scrollbar not clickable
Pasting auth results in invisible text
Editing the URL sometimes crashes the app on Linux
Missing content-length header sometimes
Url input selects text on window focus
Disable proxy without losing configuration
Insomnia v5 import format
Send metadata/auth during gRPC reflection
Copy body only works on first click
Duplicate environment
Missing scrollbar on request list
Command palette not displaying all requests
Elapsed time not stopping on failure
Not rendering text response
Realtime display of response timer
Using Chinese characters in request parameters can result in errors

📦 2025.2.2

Activate the request after importing a Curl command
Format as JSON when application/javascript return JSON

📦 2025.2.3

Stale variables when switching environments

It’s now possible to securely share variables and other sensitive fields via Directory / Git Sync!

Whether collaborating with a team or simply backing up your workspaces, you can REST 😉 easy knowing your secrets are safe. There are a few different features that make this possible, so let’s dig into them one by one.

🔐 Encrypted text and variables

Encryption is the main element behind sharing secrets. Without it, you’d be exposing your secrets to the world as plain-text. 🙈

The new secure(...) Template Function can be used to encrypt any portion of text within Yaak—anywhere environment variables are supported.

Encryption must be enabled for each workspace, which will generate and store an encryption key using your host OS’s keychain. Back this key up and share it with your team, as it will be necessary to access secure values on other devices.

✍🏼 Secure inputs

To avoid remembering to use the secure(...) function, Yaak will use a secure input when it guesses that a value may contain sensitive text.

Fields like passwords or bearer tokens are obviously sensitive, but Yaak will also try to guess headers and other fields (eg. a header named X-Token).

Secure input field — Potentially-sensitive fields will automatically use secure inpu

🔄 Sharable environments

Environments were previously excluded from directory sync to prevent accidentally exposing sensitive values to Git or other tools. With the new encryption feature, environments can now be marked as “sharable” which will cause them to be included in data exports and directory sync.

When encryption is enabled, any variable added will automatically be encrypted, and Yaak will provide a stern warning if a public environment happens to contain unencrypted values.

Warning when a sharable environment contains unencrypted variable

🪆 Nested template functions

Secure values needed to be usable within template function arguments, so I made it happen. Yaak now also supports nested template functions and variables!

It’s now possible to chain functions to do useful things like get the hash of a password.

Other fixes and improvements

🎁 New

Secrets Encryption(feedback )
Nested template functions (eg. hash.sha256(fs.readFile(...)))
Multi-line environment variables and query/form values
Add ability to deactivate license
Allow disabling window decorations (#176(#176 )

🛠️ Fixed

Handle variables in gRPC reflection(feedback )
Cannot rename websocket request(feedback )
Always show gRPC introspection menu(feedback )
Base64-encode arguments to template functions(feedback )
Git commit not respecting repo config(feedback )
Scrollbar not visible in HTTP response pane(feedback )
Some keyboard shortcuts are hidden(feedback )
Search matches are low contrast(feedback )
Issue with HTML response detection(feedback )
Ignore whitespace in response type detection(feedback )
Websocket close message doesn’t close client side(feedback , #175 )
Allow underscore-prefixed variable names(feedback )
Token not refreshed using oauth2(feedback )
Self-referencing variable crashes the app(feedback )
Font issues on Linux(feedback , #178 )
Selected element turns font bold(feedback )
Crash when parsing gRPC schema(feedback , #194 )
More reliable template grammar(feedback )
OAuth implicit flow closes window(feedback )
Don’t mark environments as external in Git
Don’t send trailing ? for websocket requests with no query params
Fix padding in authentication tab
Add ReactJS error boundaries to prevent crashing the entire UI
Use regular JSON text viewer for gRPC messages
Fix scrolling in environment editor
Fix FOREIGN KEY constraint failed during some sync and import operations
Only prompt for keychain password once
More flexible match for SSE content-type
Fix auto-closing editor brackets
Fail render on missing variables
Fix protobuf include path for gRPC (#179(#179 )
Fix plugin manager listening address (#177(#177 )
Fix GraphQL introspection infinite loop

💄 Improved

Unescape unicode in response viewer (#203(#204 )
Fix window header with larger font sizes (#182(#182 )
Decode unicode literals in response viewer (#203(#203 )
Improved path parameters highlighting grammar
Do not vendor libdbus for accessing Linux secret-service
Fix labels in gRPC method selection (#188(#188 )
Properly refresh Git info after init
Move editor search UI from bottom to top
Use the correct variable resolution within the environment editor