Thanks for checking out the video. If you want to follow along or explore the security features directly, here is a deeper dive into what we cover and how you can test it in your own workspace.
Level 1: Environment Variables
This is the foundation of working securely in Postman. If you’re hardcoding API keys directly into your requests, you’re putting your data at risk. One shared collection or screen recording can reveal credentials without anyone realizing it.
Instead, store sensitive values in environment variables like {{api_key}} or {{access_token}}. Make sure you understand how Postman handles Initial Value and Current Value: the Initial Value is shared with others in your team or workspace, while the Current Value stays on your device only.
For anything sensitive, leave the Initial Value blank and store the actual key in the Current Value field. You can also mark a variable as Secret to hide it on screen during live demos or recordings.
This setup gives you a secure and flexible way to manage credentials across environments.
Level 2: Vault Variables
Vault takes things further. These variables are stored securely with end-to-end encryption and never sync to Postman servers or shared workspaces.
Use Vault for your most sensitive data, such as production credentials or personal access tokens. You can create and manage Vault variables in the Vault tab inside Postman, then use them like any other variable in your requests.
You can also configure Allowed Domains. This restricts where Vault variables can be sent. For example, you can set your GitHub token to only be used with GitHub URLs. If someone tries to use it on a different domain, Postman will block the request automatically.
If you work across multiple machines, Cloud Vault lets you sync Vault variables securely while keeping them private to you.
Level 3: Secret Scanner
Even when you have systems in place, human error still happens. That’s where Secret Scanner helps. It automatically detects exposed credentials in your collections or environments and alerts you before something goes public.
Postman scans for common patterns used in API keys and tokens across many services. If a match is found, you’ll get a warning with clear steps to remove or rotate the exposed key.
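To make the scanning idea concrete, here is a small added example (my own code, not Postman's Secret Scanner) that runs a couple of well-known credential patterns over a constructed environment and collection in the shape of Postman exports, and also flags the Level 1 mistake of putting a secret-typed variable's value in the shared Initial Value instead of the Current Value. The sample data, the pattern set and the assumption that the environment `value` field is the Initial Value are all mine.

```python
import re

# Constructed in-memory equivalents of a Postman environment and collection export
# (sample data, not from the video or from Postman). The environment "value" field
# is assumed to hold the Initial Value, i.e. the part that is shared with the team.
ENVIRONMENT = {"name": "demo", "values": [
    {"key": "api_key", "value": "", "type": "secret", "enabled": True},
    {"key": "github_token", "value": "ghp_" + "a" * 36, "type": "default", "enabled": True},
    {"key": "db_password", "value": "hunter2", "type": "secret", "enabled": True},
]}
COLLECTION = {"info": {"name": "demo"}, "item": [
    {"name": "safe", "request": {"url": {"raw": "https://api.github.com/user"},
     "header": [{"key": "Authorization", "value": "Bearer {{github_token}}"}]}},
    {"name": "leaky", "request": {"url": {"raw": "https://example.com/v1"},
     "header": [{"key": "x-api-key", "value": "AKIA" + "A" * 16}]}},
]}

# A few well-known credential shapes, in the spirit of a secret scanner.
SECRET_PATTERNS = {
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

def find_secrets(text):
    """Names of every credential pattern found in text ({{var}} references never match)."""
    return [name for name, rx in SECRET_PATTERNS.items() if rx.search(text)]

def scan_environment(env):
    """Flag shared Initial Values that look like credentials, and secret-typed
    variables whose Initial Value is not blank (it belongs in Current Value)."""
    findings = []
    for var in env.get("values", []):
        value = var.get("value", "")
        hits = find_secrets(value)
        if var.get("type") == "secret" and value and not hits:
            hits = ["nonblank_secret_initial_value"]
        if hits:
            findings.append((var["key"], hits))
    return findings

def scan_collection(coll):
    """Flag request headers carrying a literal credential instead of a {{var}}."""
    findings = []
    for item in coll.get("item", []):
        for hdr in item.get("request", {}).get("header", []):
            hits = find_secrets(hdr.get("value", ""))
            if hits:
                findings.append((item["name"], hdr["key"], hits))
    return findings

if __name__ == "__main__":
    for finding in scan_environment(ENVIRONMENT) + scan_collection(COLLECTION):
        print("exposed credential:", finding)
```

Running it reports the `github_token` Initial Value, the non-blank `db_password` secret and the literal `x-api-key` header, while the `{{github_token}}` reference passes untouched.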
For teams on enterprise plans, there is a central dashboard where admins can monitor, investigate, and resolve issues across the entire organization. This makes it much easier to catch problems early and enforce security best practices at scale.
How to explore it yourself
- Fork the sample workspace and create environment variables. Try leaving Initial Value blank and using only Current Value.
- Set up a Vault variable and try referencing it in a request. Then test what happens if you send it to a domain that is not allowed.
- If you have team access, enable Secret Scanner and test it by intentionally placing a mock API key in a request. See how Postman flags it.
Let me know which level you’re currently using or planning to explore. Have you had any close calls with secrets getting shared? Always interested to hear how others are staying secure while building fast.