Yaak Logo
Yaak

Encrypted Text, Sharable Environments, and Nested Functions

2025.2.0
πŸ“¦ 2025.2.3
  • Stale variables when switching environments
πŸ“¦ 2025.2.2
  • Activate the request after importing a Curl command
  • Format as JSON when application/javascript return JSON
πŸ“¦ 2025.2.1
  • Support audience OAuth 2 field
  • Sidebar scrollbar not clickable
  • Pasting auth results in invisible text
  • Editing the URL sometimes crashes the app on Linux
  • Missing content-length header sometimes
  • Url input selects text on window focus
  • Disable proxy without losing configuration
  • Insomnia v5 import format
  • Send metadata/auth during gRPC reflection
  • Copy body only works on first click
  • Duplicate environment
  • Missing scrollbar on request list
  • Command palette not displaying all requests
  • Elapsed time not stopping on failure
  • Not rendering text response
  • Realtime display of response timer
  • Using Chinese characters in request parameters can result in errors

It’s now possible to securely share variables and other sensitive fields via Directory / Git Sync!

Whether collaborating with a team or simply backing up your workspaces, you can REST πŸ˜‰ easy knowing your secrets are safe. There are a few different features that make this possible, so let’s dig into them one by one.

πŸ” Encrypted text and variables

Encryption is the main element behind sharing secrets. Without it, you’d be exposing your secrets to the world as plain-text. πŸ™ˆ

The new secure(...) Template Function can be used to encrypt any portion of text within Yaak—anywhere environment variables are supported.

Secure template function

Using the secure(...) function within a header value

Encryption must be enabled for each workspace, which will generate and store an encryption key using your host OS’s keychain. Back this key up and share it with your team, as it will be necessary to access secure values on other devices.

See also: feedback

✍🏼 Secure inputs

To avoid remembering to use the secure(...) function, Yaak will use a secure input when it guesses that a value may contain sensitive text.

Fields like passwords or bearer tokens are obviously sensitive, but Yaak will also try to guess headers and other fields (eg. a header named X-Token).

Secure input field

Potentially-sensitive fields will automatically use secure inpu

πŸ”„ Sharable environments

Environments were previously excluded from directory sync to prevent accidentally exposing sensitive values to Git or other tools. With the new encryption feature, environments can now be marked as “sharable” which will cause them to be included in data exports and directory sync.

When encryption is enabled, any variable added will automatically be encrypted, and Yaak will provide a stern warning if a public environment happens to contain unencrypted values.

Warning when a sharable environment contains unencrypted variable

See also: feedback

πŸͺ† Nested template functions

Secure values needed to be usable within template function arguments, so I made it happen. Yaak now also supports nested template functions and variables!

It’s now possible to chain functions to do useful things like get the hash of a password.

Nested template function

Including a secure value within a hash functio

Other fixes and improvements

🎁 New

  • Secrets Encryption(feedback )
  • Nested template functions (eg. hash.sha256(fs.readFile(...)))
  • Multi-line environment variables and query/form values
  • Add ability to deactivate license
  • Allow disabling window decorations (#176(#176 )

πŸ› οΈ Fixed

  • Handle variables in gRPC reflection(feedback )
  • Cannot rename websocket request(feedback )
  • Always show gRPC introspection menu(feedback )
  • Base64-encode arguments to template functions(feedback )
  • Git commit not respecting repo config(feedback )
  • Scrollbar not visible in HTTP response pane(feedback )
  • Some keyboard shortcuts are hidden(feedback )
  • Search matches are low contrast(feedback )
  • Issue with HTML response detection(feedback )
  • Ignore whitespace in response type detection(feedback )
  • Websocket close message doesn’t close client side(feedback , #175 )
  • Allow underscore-prefixed variable names(feedback )
  • Token not refreshed using oauth2(feedback )
  • Self-referencing variable crashes the app(feedback )
  • Font issues on Linux(feedback , #178 )
  • Selected element turns font bold(feedback )
  • Crash when parsing gRPC schema(feedback , #194 )
  • More reliable template grammar(feedback )
  • OAuth implicit flow closes window(feedback )
  • Don’t mark environments as external in Git
  • Don’t send trailing ? for websocket requests with no query params
  • Fix padding in authentication tab
  • Add ReactJS error boundaries to prevent crashing the entire UI
  • Use regular JSON text viewer for gRPC messages
  • Fix scrolling in environment editor
  • Fix FOREIGN KEY constraint failed during some sync and import operations
  • Only prompt for keychain password once
  • More flexible match for SSE content-type
  • Fix auto-closing editor brackets
  • Fail render on missing variables
  • Fix protobuf include path for gRPC (#179(#179 )
  • Fix plugin manager listening address (#177(#177 )
  • Fix GraphQL introspection infinite loop

πŸ’„ Improved

  • Unescape unicode in response viewer (#203(#204 )
  • Fix window header with larger font sizes (#182(#182 )
  • Decode unicode literals in response viewer (#203(#203 )
  • Improved path parameters highlighting grammar
  • Do not vendor libdbus for accessing Linux secret-service
  • Fix labels in gRPC method selection (#188(#188 )
  • Properly refresh Git info after init
  • Move editor search UI from bottom to top
  • Use the correct variable resolution within the environment editor

Thanks to you

Community-purchased licenses are what power new features and fixes like this. Supporting Yaak means more updates to come, for you and your team.

Gregory SchierFounder, Yaak
Support Yaak