Handling username/password authentication

I have a team of 8 engineers working on a site that uses standard un/pw auth, where the auth endpoint returns a token that is stored and added to headers on successive calls. We are currently just storing a username and password in the request body, which is not secure in any way. We store the token in a variable using a “test”:

// Tests tab of the login request: pull the token out of the response and save it for later requests
const tokenValue = pm.response.json().data.token.access_token;
pm.environment.set("API_Token", tokenValue);

How do we replicate this functionality using the actual “authorization” methods so we can store individual usernames/passwords in an obfuscated/encrypted manner?

I also want to note that this API is driving a Vue app, hence the un/pw login.

Have you thought about using environment variables and using the “secret” variable type?

More here.

As an overview of using environments more securely, you might want to read this too.

You still need to protect your Postman files and ACL them accordingly. But this helps reduce the issue. If you need to secure them even further, consider storing the creds outside of Postman in an HSM and fetch them on the fly using an appropriate service principal that can do so. Something like Azure KeyVault or AWS KMS should work.

HTH. Good luck. 🗝️
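To make the reply above concrete, here is an added example (not code from the original poster, the replier, or Postman itself) of a pre-request script that reads each engineer's own username and password from secret-type environment variables, logs in with `pm.sendRequest`, and caches the returned token until shortly before it expires, so the password is only ever sent inside the login call rather than sitting in a request body. The variable names (`API_User`, `API_Password`, `API_Token`, `API_Token_Expiry`, `AUTH_URL`), the `expires_in` field, and the fake sandbox at the bottom are assumptions made for this example; the `data.token.access_token` path is the one from the poster's script.

```javascript
// Added example for this thread: Postman pre-request script that logs in with
// credentials held in secret-type environment variables and caches the token.
// Assumed variable names: API_User, API_Password, API_Token, API_Token_Expiry,
// AUTH_URL. Assumed login response: {data: {token: {access_token, expires_in}}}
// (access_token comes from the poster's script; expires_in is an assumption
// with a fallback TTL).

const TOKEN_VAR = "API_Token";
const EXPIRY_VAR = "API_Token_Expiry"; // epoch milliseconds, stored as a string
const REFRESH_SKEW_MS = 30 * 1000;    // re-login this long before expiry
const DEFAULT_TTL_SEC = 300;          // used when the server sends no expires_in

// Makes sure a valid token is in the environment. Calls done(err) or
// done(null, {token, refreshed}). `sandbox` is Postman's `pm` object.
function ensureToken(sandbox, done) {
  const cached = sandbox.environment.get(TOKEN_VAR);
  const expiry = Number(sandbox.environment.get(EXPIRY_VAR) || 0);
  if (cached && Date.now() + REFRESH_SKEW_MS < expiry) {
    return done(null, { token: cached, refreshed: false });
  }

  // Secret-type variables are read exactly like ordinary ones.
  const username = sandbox.environment.get("API_User");
  const password = sandbox.environment.get("API_Password");
  if (!username || !password) {
    return done(new Error("API_User / API_Password are not set in this environment"));
  }

  sandbox.sendRequest(
    {
      url: sandbox.environment.get("AUTH_URL"),
      method: "POST",
      header: { "Content-Type": "application/json" },
      body: { mode: "raw", raw: JSON.stringify({ username, password }) },
    },
    (err, res) => {
      if (err) return done(err);
      if (res.code !== 200) return done(new Error(`login failed: HTTP ${res.code}`));
      let body;
      try {
        body = res.json();
      } catch (e) {
        return done(new Error("login response is not JSON"));
      }
      const tokenObj = body && body.data && body.data.token;
      const token = tokenObj && tokenObj.access_token;
      if (typeof token !== "string" || token.length === 0) {
        return done(new Error("login response has no data.token.access_token"));
      }
      const ttlSec = Number(tokenObj.expires_in) || DEFAULT_TTL_SEC;
      sandbox.environment.set(TOKEN_VAR, token);
      sandbox.environment.set(EXPIRY_VAR, String(Date.now() + ttlSec * 1000));
      return done(null, { token, refreshed: true });
    }
  );
}

// Constructed stand-in for the Postman sandbox so this file runs under plain
// Node.js: an in-memory environment plus a fake auth endpoint that accepts one
// hard-coded test user. Not needed inside Postman, where `pm` is real.
function makeFakeSandbox(env) {
  const stats = { loginCalls: 0 };
  return {
    stats,
    environment: {
      get: (k) => (Object.prototype.hasOwnProperty.call(env, k) ? env[k] : undefined),
      set: (k, v) => { env[k] = v; },
    },
    sendRequest: (req, cb) => {
      stats.loginCalls += 1;
      const { username, password } = JSON.parse(req.body.raw);
      if (username === "alice" && password === "correct horse battery staple") {
        const tok = { access_token: "tok-" + stats.loginCalls, expires_in: 3600 };
        cb(null, { code: 200, json: () => ({ data: { token: tok } }) });
      } else {
        cb(null, { code: 401, json: () => ({ error: "invalid credentials" }) });
      }
    },
  };
}

// Runs the script twice against the fake sandbox (login, then cache hit) and
// once with a wrong password, returning what happened for inspection.
function demo() {
  const creds = { AUTH_URL: "https://api.example.test/auth/login", API_User: "alice" };
  const good = makeFakeSandbox({ ...creds, API_Password: "correct horse battery staple" });
  const bad = makeFakeSandbox({ ...creds, API_Password: "wrong" });
  const results = [];
  const record = (err, r) => results.push(err ? err.message : r);
  ensureToken(good, record); // performs the login
  ensureToken(good, record); // served from the cached token
  ensureToken(bad, record);  // 401 from the fake endpoint
  return { results, goodLogins: good.stats.loginCalls, badLogins: bad.stats.loginCalls };
}

// Inside Postman `pm` exists; paste the whole file and this line does the work.
if (typeof pm !== "undefined") ensureToken(pm, (err) => { if (err) throw err; });
```

In Postman, put this in the collection's pre-request script, set `Authorization: Bearer {{API_Token}}` as a collection-level header, and have each engineer create `API_User` and `API_Password` in their own environment with the type set to secret. The script reads secret-type variables with the same `pm.environment.get` call; the type only changes how the value is displayed and shared. The expiry check keeps the password from being resent on every request, and the error branches make a failed login visible in the console instead of silently sending a stale or empty token.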
