Product | Apr 29, 2026
Hoppscotch v2026.4.0: Collection-level Scripts, SMTP OAuth2, Security Patches and more

We're excited to announce the release of Hoppscotch v2026.4.0! This update brings collection-level pre-request and test scripts, SMTP OAuth2 authentication for self-hosted instances, a new desktop app settings section, important security patches, and a range of quality-of-life improvements.
Collection-level Pre-request and Test Scripts
You can now attach pre-request and test scripts directly to a collection. These scripts run automatically before and after every request inside that collection — no more copy-pasting auth setup or assertion logic across dozens of individual requests.
This is especially powerful for collections that share a common authentication flow. Set up your token fetch once at the collection level and every request in the collection inherits it automatically.

API Documentation UX Improvements
The API documentation experience has been refined with a cleaner layout, improved interaction patterns, and a fix for environment validation when publishing docs. Navigating and publishing your API documentation is now smoother from start to finish.
SMTP OAuth2 Authentication (Self-Hosted)
Self-hosted instances can now authenticate with SMTP servers using OAuth2. This means you can use modern mail providers like Gmail or Microsoft 365 without falling back to basic username and password authentication, keeping your email delivery both secure and compliant.
Desktop Settings
The desktop app now has a dedicated settings foundation. This first phase introduces manual update checks and the option to disable automatic update checks at startup — giving you full control over when and how updates are applied, particularly useful in managed or air-gapped environments.
Security Patches
Security was a significant focus in this release. We've updated our security threat model and policy, and shipped the following patches:
- Patched CVE-2026-31812 by bumping quinn-proto to 0.11.14.
- Applied follow-up hardening across the platform as part of a continued security audit.
- Fixed authorization code flow failing with Google OAuth.
Self-Hosted Improvements
This release brings several improvements for self-hosted editions:
- Redis is now supported as the storage backend for rate limiting, enabling more scalable and distributed deployments.
- OAuth2 state management has been made stateless, including stateless OAuth for SAML and OIDC flows — improving reliability in multi-instance setups.
- The platform default proxy URL is now applied on load and reset, so proxy configuration is always consistent.
- OTEL field updates are now skipped when observability is disabled, reducing unnecessary configuration noise.
- The login divider is now shown conditionally, keeping the login screen clean based on your configured auth providers.
- You can now set the domain URL as the mock server environment variable, and customize web server timeouts to suit your infrastructure.
Bug Fixes
We've also fixed a number of bugs across the app:
- Fixed environment tooltip overflow on hover.
- Fixed org auth timeout and state leak on the desktop app.
- Fixed environment validation when publishing API docs.
What do you want us to build next? Write to us at hello@hoppscotch.io, join the conversation on our Discord server, or head over to our GitHub repository.