Adding Custom Header to Authorization Request

I’m working with an API that requires a custom header in all requests. This also includes the authorization requests for the OAuth2 flow.

I’ve read the Postman docs that say to add custom headers using the Pre-request Script tab like

pm.request.headers.add({key: 'X-Custom-User-Agent', value: 'MyValue'})

And this does get added to any “normal” requests made in the collection-- but it is not added to the auth requests when using the Authorization tab of the collection, and this causes the request to fail. I’ve verified in the console that the failure is happening due to the missing header, and I can also see in the request headers being sent by Postman that the custom user agent header is not getting added to the Auth requests:

Request Headers
Content-Type: application/x-www-form-urlencoded
Authorization: Basic YmdzdjVld2Z4MW1uMzN1N3NlNDVlNHVlZjpiN3J1MnQ4NjAyZjNyejd5bGlTl6azI3
User-Agent: PostmanRuntime/7.26.10
Accept: */*
Cache-Control: no-cache
Postman-Token: cfe668cf-deeb-4d35-8175-366957e5c0ef
Host: service-endpoint.com
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Content-Length: 172
// no custom header here

Is there any way to add a header into the auth flow?

Hi @crmlstim, welcome to the community.

One way to have custom headers in auhorization req, is to have a separate request created for authorization and saving the response token in some environment or collection variable using test scripts. That saved token can be used across other requests. But in this case you may need to handle expiry of token, that is if token expired then you may need to generate a new token.

But in that case I won’t be able to have Postman intercept the token exchange, right? I’d need to basically do the OAuth flow manually (and set the API to use a different localhost callback) etc.?

This would be a very useful feature and I think its unexpected behavior that this doesn’t already include the header. My expectation is if i set a global header in the pre-request script it should run for any request including the authentication requests.

It could be nice as well to just provide an option in the authentication workflow screens to add custom headers similar to how its done when building normal requests.