If you work across multiple AWS accounts — dev, staging, prod — you know the routine. Open ~/.aws/credentials, find the right profile, copy the access key and secret key, paste them into your API client’s Signature v4 auth fields, set the region, and send. Switch to a different environment? Do it again. If you’re using SSO or assume-role, it’s worse: you’re dealing with temporary credentials that expire within the hour, which means repeating the whole dance constantly. It’s tedious, error-prone, and a genuine distraction from the actual work of testing your endpoints. You already configured these profiles once. Your CLI tools respect them. Why doesn’t your API client?

I built a feature for Hoppscotch that eliminates this friction. You can now select an AWS profile directly in Hoppscotch’s auth panel and it resolves credentials for you automatically — static keys, SSO token refresh, assume-role chains, all of it. Pick a profile, set region and service, send. No more copy-pasting keys, no more expired-credential errors mid-session.

What It Does

The AWS Signature auth section in Hoppscotch now has a credential mode toggle: Manual and Profile. Manual mode is the existing behavior — you paste in your access key, secret key, and optional session token, exactly as before. Nothing changes there.

Profile mode is the new path. When you switch to it, a dropdown populates with every AWS profile configured on your machine — every named profile from both ~/.aws/credentials and ~/.aws/config. Pick the profile you need, set your region and service, and send your request. That’s it. Behind the scenes, Hoppscotch resolves the credentials for that profile and signs the request with the correct Signature v4 headers.

graph LR
A["Select Profile"] --> B["Agent Resolves via AWS SDK"]
B --> C["Credentials Returned (encrypted)"]
C --> D["Request Signed & Sent"]

This works with every credential type the AWS SDK supports: static credentials in ~/.aws/credentials, SSO sessions, assume-role chains, and credential_process commands. The resolution happens through the Hoppscotch Agent — the desktop companion app that runs alongside the web or desktop client. When the Agent connects, it reads your local AWS config files and sends back the list of available profiles. No keys are stored in Hoppscotch itself. The Agent uses the standard AWS SDK credential provider chain to resolve credentials on demand, and the profile list refreshes every time the Agent reconnects.

Credential resolution happens in the Agent rather than the Hoppscotch frontend for good reason. The AWS SDK credential chain is genuinely complex — SSO token refresh involves opening a browser and exchanging device codes, assume-role requires STS calls with chained policies, and credential_process executes arbitrary shell commands that could return credentials from a vault or hardware token. None of that belongs in a browser environment without filesystem access or the ability to spawn processes. The Agent is a Rust backend, and building credential resolution there using the aws-config crate means the full provider chain works out of the box with no reimplementation. The same code paths that the AWS CLI uses to resolve your credentials are what Hoppscotch now uses too.

Keeping Credentials Safe

Credentials never leave your machine in plaintext. The Agent resolves them locally and passes them to the Hoppscotch frontend over an AES-GCM encrypted channel. Secret access keys and session tokens are redacted from all debug logs, even with verbose logging enabled. The only thing persisted in your Hoppscotch request configuration is the profile name — no credentials are ever stored in collections or synced to the cloud.
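One way to get the log-redaction property described above, as an added example that is not code from the Hoppscotch Agent: wrap secret fields in a type whose Debug output is fixed, so a derived Debug on the outer struct cannot leak them. The names `Secret`, `ResolvedCredentials`, `sample` and `debug_line` are hypothetical, and all values are constructed placeholders.

```rust
use std::fmt;

/// Wrapper whose Debug output never contains the wrapped value.
struct Secret(String);

impl Secret {
    /// Explicit access for the one place that needs the value (the signer).
    fn expose(&self) -> &str { &self.0 }
}

impl fmt::Debug for Secret {
    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
        f.write_str("<redacted>")
    }
}

/// Hypothetical shape of what a resolver hands back for one profile.
#[derive(Debug)]
struct ResolvedCredentials {
    profile: String,
    access_key_id: String,
    secret_access_key: Secret,
    session_token: Option<Secret>,
}

/// Constructed sample; the values are placeholders, not real credentials.
fn sample() -> ResolvedCredentials {
    ResolvedCredentials {
        profile: "staging-admin".into(),
        access_key_id: "EXAMPLE-KEY-ID".into(),
        secret_access_key: Secret("example-secret-value".into()),
        session_token: Some(Secret("example-session-token".into())),
    }
}

/// What a verbose log statement would emit for the struct.
fn debug_line(c: &ResolvedCredentials) -> String {
    format!("resolved credentials: {:?}", c)
}

fn main() {
    let creds = sample();
    println!("{}", debug_line(&creds));
    // The signer still gets the real value, but only by asking for it.
    assert_eq!(creds.secret_access_key.expose(), "example-secret-value");
}
```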

This is a meaningful improvement over the manual workflow. Selecting a profile name from a dropdown is inherently safer than pasting long-lived access keys into form fields, especially for teams sharing request collections. A shared collection can reference a profile name like staging-admin without embedding any secrets, and each team member’s Agent resolves the credentials from their own machine.

Getting Started

What you need:
  • Hoppscotch with the Agent installed and connected
  • AWS profiles configured in ~/.aws/credentials or ~/.aws/config

  1. Open the auth panel and select AWS Signature
  2. Switch credential mode from Manual to Profile
  3. Choose your profile from the dropdown
  4. Set region and service, then send your request

The dropdown shows every profile the Agent can find in your AWS configuration files. If a profile isn’t appearing, verify it’s defined in ~/.aws/credentials or ~/.aws/config and that the Agent is connected. The profile list refreshes each time the Agent reconnects, so any changes you make to your AWS config are picked up automatically.
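To check why a profile is missing from the dropdown, the added example below (not the Agent's code, which relies on the aws-config crate) lists the profiles each file defines under the documented AWS file format and reports config sections that define no profile. The file contents are constructed samples, and the names `scan`, `section` and `all_profiles` are hypothetical.

```rust
use std::collections::BTreeSet;

#[derive(Clone, Copy)]
enum AwsFile { Credentials, Config }

// Constructed sample files; every name and value below is made up.
const CREDENTIALS: &str = "[default]\naws_access_key_id = EXAMPLE\n[dev]\naws_access_key_id = EXAMPLE\n";
const CONFIG: &str = "[default]\nregion = us-east-1\n[profile staging-admin]\nsource_profile = dev\n\
[profile prod-sso]\nsso_session = corp\n[sso-session corp]\nsso_region = us-east-1\n\
# [profile commented-out]\n[staging]\nregion = eu-west-1\n";

/// Text between '[' and ']' when the line is a section header.
fn section(line: &str) -> Option<&str> {
    let (inner, _) = line.trim().strip_prefix('[')?.split_once(']')?;
    Some(inner.trim())
}

/// Returns (profile names, section headers that define no profile).
fn scan(text: &str, kind: AwsFile) -> (BTreeSet<String>, Vec<String>) {
    let (mut profiles, mut ignored) = (BTreeSet::new(), Vec::new());
    for inner in text.lines().filter_map(section) {
        // In ~/.aws/config a named profile must be written "[profile name]".
        let named = inner.strip_prefix("profile").filter(|r| r.starts_with(char::is_whitespace));
        match (kind, named) {
            (AwsFile::Credentials, _) => { profiles.insert(inner.to_string()); }
            (AwsFile::Config, Some(name)) => { profiles.insert(name.trim().to_string()); }
            (AwsFile::Config, None) if inner == "default" => { profiles.insert(inner.to_string()); }
            // e.g. [sso-session corp], or a bare [staging] missing the prefix
            (AwsFile::Config, None) => ignored.push(inner.to_string()),
        }
    }
    (profiles, ignored)
}

/// Union of both files, the set a profile dropdown would be built from.
fn all_profiles(credentials: &str, config: &str) -> BTreeSet<String> {
    let mut all = scan(credentials, AwsFile::Credentials).0;
    all.extend(scan(config, AwsFile::Config).0);
    all
}

fn main() {
    println!("profiles: {:?}", all_profiles(CREDENTIALS, CONFIG));
    println!("ignored in config: {:?}", scan(CONFIG, AwsFile::Config).1);
}
```

In the sample, the bare `[staging]` section in the config text is reported as ignored because it lacks the `profile` prefix, which is a common reason a profile does not show up.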

This feature is available now. You can find the full implementation in PR #5888 and try it out at Hoppscotch. Manual credential entry remains fully supported and unchanged — this is a purely additive feature. Existing saved requests and collections that use manual AWS auth migrate seamlessly; nothing breaks.