[GH-ISSUE #5912] [feature]: Script Access for Secret Environment Variables + Session Scope #2321

New issue

Open

opened 2026-03-16 23:56:52 +03:00 by kerem · 0 comments

kerem commented

2026-03-16 23:56:52 +03:00

Owner

Originally created by @roopepaajanen on GitHub (Feb 27, 2026).
Original GitHub issue: https://github.com/hoppscotch/hoppscotch/issues/5912

Is there an existing issue for this?

I have searched the existing issues

Summary

In team environments, authentication flows are often automated using scripts:

Login requests generate access tokens
Refresh flows update tokens
Tokens are injected dynamically into headers
Expired tokens must be replaced automatically

Right now:

Secrets can be stored safely
But they cannot be programmatically updated or fetched
This forces teams to use shared environment variables for tokens
Which leads to overwriting each other’s values in collaborative workspaces

So while secret variables are secure, they are not automation-friendly.

Even though secret environment variables cannot be managed via pre-request or post-request scripts, we have noticed that if the parameter exist already in secrets, the scripts can add a value to it. If it does not exist, it will simply create it under environment variables.

Proposed Enhancement 1: Script Access to Secret Variables

Allow pre-request and post-request scripts to:

Read secret environment variables
Update secret environment variables

Example

const token = pm.secrets.get("access_token")

pm.secrets.set("access_token", newToken)

Expected Behavior

Secret values remain user-local
Only the variable name is shared in the workspace
Values are never synced or exported
Other users cannot access or override another user's secret value

This would enable fully automated authentication flows without breaking collaborative workflows.

Proposed Enhancement 2: Session Environment Scope

In addition, introducing a session-scoped environment would improve handling of temporary runtime values.

Intended Use Cases

Access tokens
CSRF tokens
Temporary IDs
One-time authentication artifacts

Key Characteristics

User-scoped
Exists only for the active session
Cleared on refresh/logout
Not persisted
Not shared

Example

pm.session.set("access_token", token)
pm.session.get("access_token")

This would provide a clean separation between:

Persistent secrets (client secrets, API keys)
Session runtime data (access tokens)

Why should this be worked on?

In real-world team usage:

Shared environments are perfect for base URLs and static config
Secret variables solve value visibility and security
But lack of script access prevents proper automation

Enabling script-level management of secrets (and optionally adding session scope) would:

Prevent users from overwriting each other’s tokens
Improve multi-user collaboration
Enable secure automated authentication flows
Make Hoppscotch significantly stronger for professional API teams

Originally created by @roopepaajanen on GitHub (Feb 27, 2026). Original GitHub issue: https://github.com/hoppscotch/hoppscotch/issues/5912 ### Is there an existing issue for this? - [x] I have searched the existing issues ### Summary In team environments, authentication flows are often automated using scripts: - Login requests generate access tokens - Refresh flows update tokens - Tokens are injected dynamically into headers - Expired tokens must be replaced automatically Right now: - Secrets can be stored safely - But they **cannot be programmatically updated or fetched** - This forces teams to use shared environment variables for tokens - Which leads to overwriting each other’s values in collaborative workspaces So while secret variables are secure, they are not automation-friendly. > Even though secret environment variables cannot be managed via pre-request or post-request scripts, we have noticed that if the parameter exist already in secrets, the scripts can add a value to it. If it does not exist, it will simply create it under environment variables. --- ## Proposed Enhancement 1: Script Access to Secret Variables Allow pre-request and post-request scripts to: - Read secret environment variables - Update secret environment variables ### Example ```js const token = pm.secrets.get("access_token") pm.secrets.set("access_token", newToken) ```` ### Expected Behavior * Secret values remain user-local * Only the variable name is shared in the workspace * Values are never synced or exported * Other users cannot access or override another user's secret value This would enable fully automated authentication flows without breaking collaborative workflows. --- ## Proposed Enhancement 2: Session Environment Scope In addition, introducing a **session-scoped environment** would improve handling of temporary runtime values. ### Intended Use Cases * Access tokens * CSRF tokens * Temporary IDs * One-time authentication artifacts ### Key Characteristics * User-scoped * Exists only for the active session * Cleared on refresh/logout * Not persisted * Not shared ### Example ```js pm.session.set("access_token", token) pm.session.get("access_token") ``` This would provide a clean separation between: * Persistent secrets (client secrets, API keys) * Session runtime data (access tokens) ### Why should this be worked on? In real-world team usage: * Shared environments are perfect for base URLs and static config * Secret variables solve value visibility and security * But lack of script access prevents proper automation Enabling script-level management of secrets (and optionally adding session scope) would: * Prevent users from overwriting each other’s tokens * Improve multi-user collaboration * Enable secure automated authentication flows * Make Hoppscotch significantly stronger for professional API teams