Day 13 : postman challenge - Newman query


I could completely execute my Day 13 challenge using postman Web. All test cases passed. But I am unable to run the same using newman.

The command I used to invoke the collection is as follows
newman run --environment

Out of the two folders under Day 13 collection, ‘Newman’ folder completed successfully but ‘submit’ api is throwing
[401 Unauthorized, 575B, 262ms].

I could make it work if I set initial value of my x-api-key instead of only current value. As per the document it is not safe to add my API key value to initial value.

Could you please help?


Open in a Postman tab.

Do you see your credentials there? If not, make sure your INITIAL VALUE is the same as your CURRENT VALUE.

vdespa, As I understand it you are absolutely not supposed to persist your API key like that (just like te OP says.)

Since the 30 Days Challenge collections are public, persisting something (i.e. putting it as INITIAL VALUE makes it publicly available.) And the API key is a private credential. No?

Thanks for the replies.

Vdespa, if I expose my API key will that not become a security issue?

Can we have a more secure option?

You can use flags to specify a JSON file to use for variables in when running your newman command. It’s -e <path> for enviroment variables and -g <path> for globals. I found this out by looking at the help with newman run -h.

So if you use -g the command would be
newman run "Day 13- Newman.postman_collection.json" -g <path-to-file>

What to put in the file? You can export the variables from Postman to a file. But if the key is not persisted the variable value will just be an empty string. But you can figure out the structure from that file. I found the simplest file to be

    "values": [
            "key": "<key name here>",
            "value": "<value here>",
            "enabled": true

If you are not sharing your workspace or environment, you are no exposing your API key.

But as @devies-daniel correctly said, if your workspace is public, this is not a good approach. In my original reply, I was trying to explain why it does not work as it is.

A more secure option would be to inject these values directly to newman, using --env-var

--env-var "<environment-variable-name>=<environment-variable-value>"

Will these Newman commands still work if the collection is not public?

Yes @pamela-gilmour, they will work since you provide an API key, which authenticates you with the Postman API.