Home / Insomnia
Edit
Report

External vault integration

Enterprise and uses: Insomnia
Related Documentation
Insomnia Documentation
Tags
#external-vaults #secrets-management
Related Resources
Local vault storage in Insomnia
Storage options
Git sync

Insomnia supports integrating with external vault service providers to retrieve secret values automatically when sending requests.

You can configure vault integration from the Insomnia UI, in Preferences > Credentials, and in Inso CLI, using environment variables.

Insomnia supports the following vault services:

AWS Secrets Manager

  1. Navigate to Preferences > Credentials or Cloud Credentials.
  2. For Service Provider Credential List, click Add Credentials.
  3. Select AWS.
  4. Select a Credential Type and fill in the required fields.

Insomnia doesn’t support spaces in the SSO session name. If you select the SSO Credential type, make sure your SSO session name contains only supported characters:

  • Letters
  • Numbers
  • Hyphens (-)
  • Underscores (_)

GCP Secret Manager

  1. Navigate to Preferences > Credentials or Cloud Credentials.
  2. For Service Provider Credential List, click Add Credentials.
  3. Select GCP, and upload your service account key.

HashiCorp Vault

  1. Navigate to Preferences > Credentials or Cloud Credentials.
  2. For Service Provider Credential List, click Add Credentials.
  3. Select HashiCorp.
  4. Choose your environment:
    • For HashiCorp Cloud Platform, select Cloud and provide credentials using a service principal client ID and client secret.
    • For HashiCorp Vault Server, select On-Premises and choose an authentication method:
      • With AppRole, enter the server address, role ID, and secret ID.
      • With Token, enter the server address and authentication token.

Azure Key Vault

When you connect Insomnia to Azure Key Vault, Azure prompts for OAuth consent in a browser. The requested scopes define the permissions Insomnia uses to authenticate and access secrets.

Use the following required scopes:

  • openid: Support sign-in with Microsoft Entra ID.
  • profile: Provide basic account information that’s required for authentication.
  • offline_access: Allow authentication to persist without repeated sign-in.
  • user_impersonation: Grant delegated access to Azure Key Vault and allow secret retrieval using the signed-in user’s existing permissions.

Azure enforces these permissions during consent and applies Key Vault access control based on the user’s assigned roles. For more information about required scopes, go to Scopes and permissions.

To choose Azure Key Vault:

  1. In the Insomnia app, from your account settings, click Preferences.
  2. Click the Cloud Credentials tab.
  3. Click Add Credentials.
  4. Click Azure.
  5. You will be redirected to authorize Insomnia in your browser.
  6. After authorization, you’ll return to Insomnia with your Azure account credential added.

Azure Key Vault access uses delegated permissions. The Azure account that you sign in with in Insomnia, the Azure app registration, and the Azure Key Vault must belong to the same Azure organization, unless cross-organization access is explicitly configured in Azure. If these are in different organizations, Azure can deny access even when the correct scopes are granted.

Using secrets

External vault secrets can be referenced anywhere in Insomnia requests using template tags. In the field of your choice:

  1. Press Control+Space.
  2. Select the external vault to use.
  3. Fill in the details required to access the secret.

Vault secrets cache

Vault secret caching works like the following in Insomnia:

  • Secrets retrieved from cloud vault services are cached in memory for 30 minutes by default.
  • If the cache expires or is missing, Insomnia re-fetches the secret automatically.
  • You can configure cache duration and reset the cache in Preferences > Credentials.

FAQs

What happens if I clear cloud credentials when I sign out of Insomnia?

When you sign out of Insomnia, you can choose to clear all of your stored cloud credentials. This removes any saved credentials used by External Vault providers from your local Insomnia configuration.

Clearing cloud credentials doesn’t break External Vault integrations. Insomnia supports External Vault providers even when credential fields are empty. This allows you to sign out securely without losing your vault setup.

After signing back in, you might need to re-authenticate or provide credentials again, depending on how the cloud provider handles authentication.

Do empty credential configurations work across all External Vault cloud providers?

Yes. External Vault supports empty credential configurations across all supported cloud providers.

This means that your external vault integrations continue to work even when credential fields are empty. Insomnia can operate without permanently storing cloud credentials in the configuration.

Something wrong?
Report an Issue | Edit this Page
View all Kong documentation

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!
Contribute

Still need help?

Ask in our Forum
Contact Support