Avoid storing credentials on the web

Due to my proxy setting, I had to use the Desktop Agent, which is using Postman Web to sync all the Collections and API Requests. This seems to save Environments and Credentials for API requests. How can I avoid saving/passing Credentials on the Postman Web?

They need to be stored as current values in environments and then consumed as variables in your requests.

The current values do not get synced to the Postman Cloud, and are not included if you export as JSON files (to save them in your own code repository).

Initial values do get synced, so make sure it's the current values only. This only works with environment variables (not collection or global).

Thank you, @michaelderekjones. That helps with some details, but does not address my concern that the requests still go through to the Postman servers, which can potentially receive the same credentials! Doesn’t it?

The collections (and environments) are stored and synced to the Postman Cloud, but if you are using the desktop client, then the requests go direct. They are sent directly from the desktop application to the API.

Even for the web version, Postman does not log the responses.

Security and Trust FAQ | Postman

Thanks, @michaelderekjones. Some of the APIs have credentials within the Environments and the API requests themselves. I presume those will be stored, along with the ability to log the API requests too.

If they are in current values in environments, they will not be stored in the Postman Cloud.

The variable name will, but the value will not.

If they are in the requests\collections and aren’t referenced as environment variables (collection, global, etc), then they will get synced (so change them to environment variables).
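An added example, not part of the thread and not Postman's own code: a check over an exported collection that lists auth fields and headers still holding literal values rather than `{{variable}}` references, which are the ones the reply above says get synced. It assumes the Collection v2.1 export layout; the field-name sets and the sample collection are constructed for illustration.

```python
import re

VAR_REF = re.compile(r"\{\{[^{}]+\}\}")  # a {{variable}} reference anywhere in the value
# Assumed names of secret-bearing fields; extend for your own APIs.
SECRET_AUTH_KEYS = {"password", "token", "value", "accessToken", "clientSecret", "secretKey"}
SECRET_HEADERS = {"authorization", "x-api-key", "cookie"}

def is_literal(value):
    """True for a non-empty string containing no {{variable}} reference (heuristic)."""
    return isinstance(value, str) and value.strip() != "" and not VAR_REF.search(value)

def audit_collection(collection):
    """Return the paths of auth fields and headers that carry literal values."""
    findings = []

    def check_auth(auth, path):
        # v2.1 auth shape: {"type": "basic", "basic": [{"key": ..., "value": ...}]}
        auth = auth or {}
        params = auth.get(auth.get("type", ""), [])
        for param in params if isinstance(params, list) else []:
            if param.get("key") in SECRET_AUTH_KEYS and is_literal(param.get("value")):
                findings.append(f"{path} auth.{param['key']}")

    def walk(items, prefix):
        for item in items:
            path = f"{prefix}/{item.get('name', '?')}"
            check_auth(item.get("auth"), path)  # folder-level auth
            request = item.get("request")
            if isinstance(request, dict):
                check_auth(request.get("auth"), path)
                for header in request.get("header", []):
                    name = header.get("key", "")
                    if name.lower() in SECRET_HEADERS and is_literal(header.get("value")):
                        findings.append(f"{path} header.{name}")
            walk(item.get("item", []), path)  # nested folders

    check_auth(collection.get("auth"), "<collection>")
    walk(collection.get("item", []), "")
    return findings

# Constructed sample in Collection v2.1 shape (not taken from the thread).
SAMPLE = {"item": [{"name": "Users", "item": [
    {"name": "List", "request": {"auth": {"type": "bearer", "bearer": [
        {"key": "token", "value": "{{api_token}}"}]}, "header": []}},
    {"name": "Login", "request": {"auth": {"type": "basic", "basic": [
        {"key": "username", "value": "svc"}, {"key": "password", "value": "example-pw"}]},
        "header": [{"key": "X-API-Key", "value": "example-key"}]}},
]}]}

if __name__ == "__main__":
    for finding in audit_collection(SAMPLE):
        print("hard-coded:", finding)
```

Each reported path is a value to move into an environment variable's current value before the collection is synced or exported.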


With V11 of Postman, we have introduced the Postman Vault (Store secrets in your Postman Vault | Postman Learning Center), which allows you to store your sensitive data in an encrypted local vault that is not synced with the Postman Cloud. Also, we have added multiple security features to help prevent accidental exposure of your API credentials.