Improvements in sharing of OAuth 2.0 token and token generation details

Over the last few years, Postman has evolved into an API Development Platform. The ability to build a request and inspect the response is one of the core features that we offer. Authentication is a fundamental part of an API, and OAuth 2.0 has emerged as one of the most widely used auth methods. We have made a few improvements to make the OAuth 2.0 experience better in a collaborative environment. In this post, we elaborate on the problems we have tried to address in using OAuth 2.0 through Postman.

Easy access to OAuth token generation information:

We want to simplify working with multiple OAuth servers through Postman. You can now save the information required to generate an OAuth token with the request or collection, so you won’t have to enter these details again when you generate a new token. This information is shareable along with the request or collection as well.

This is helpful if you have multiple requests using different OAuth servers or if you’re sharing a request with someone and they need the details to generate the token.

A word of caution: OAuth token generation information can contain sensitive data, such as the client secret. As with other authentication methods, we encourage you to use environment variables to mask these values when sharing the request or collection.

On-demand sharing of OAuth access token:

An OAuth token contains sensitive information and hence should be shared carefully. You can now optionally choose to share a token with the request or collection; all you have to do is sync the token. By default, we will not sync it. If you don’t sync the token, it will still be present in your local session and you can use it in the app, but it won’t be stored with the request on the Postman cloud.

Another important thing to note is that you can still generate and use the token even if you’re not the editor of the request/collection. Because you have all the information needed to generate the token, you can create a new token and use it in your local session. Since you’re a viewer of the collection, you won’t be able to sync it to the Postman cloud. This gives you better access control over the use of tokens.
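The two cautions above (mask token generation details with variables; keep the access token out of the synced request) can be checked before a collection is shared. The following is an added example, not Postman's own tooling: it walks an exported collection JSON and flags any OAuth 2.0 client secret, access token or refresh token stored as a literal instead of a `{{variable}}` reference. The `oauth2` parameter key names are assumed from Postman's collection export format, and the sample collection is constructed for the example.

```python
import json
import re

# oauth2 parameter keys that carry secrets (key names assumed from Postman's export format).
SENSITIVE_KEYS = {"clientSecret", "accessToken", "refreshToken"}
# A Postman variable reference such as {{client_secret}}; anything else is a literal.
VAR_REF = re.compile(r"^\{\{[^{}]+\}\}$")

def _walk(node, path):
    """Yield (item path, auth block) for collection-, folder- and request-level auth."""
    if not isinstance(node, dict):
        return
    if isinstance(node.get("auth"), dict):
        yield path, node["auth"]
    if isinstance(node.get("request"), dict):
        yield from _walk(node["request"], path)
    for child in node.get("item", []):
        yield from _walk(child, path + [child.get("name", "?")])

def find_plaintext_oauth_secrets(collection):
    """Return [(item path, key)] for every OAuth 2.0 secret stored as a literal value."""
    findings = []
    for path, auth in _walk(collection, []):
        if auth.get("type") != "oauth2":
            continue
        for param in auth.get("oauth2", []):
            key, value = param.get("key"), param.get("value")
            if key in SENSITIVE_KEYS and isinstance(value, str) and value and not VAR_REF.match(value):
                findings.append(("/".join(path) or "<collection>", key))
    return findings

# Constructed sample: collection-level auth is masked correctly; one request leaks literals.
SAMPLE_COLLECTION = {
    "info": {"name": "constructed sample"},
    "auth": {"type": "oauth2", "oauth2": [
        {"key": "accessTokenUrl", "value": "https://auth.example.test/token", "type": "string"},
        {"key": "clientId", "value": "{{client_id}}", "type": "string"},
        {"key": "clientSecret", "value": "{{client_secret}}", "type": "string"},
    ]},
    "item": [
        {"name": "Get profile", "request": {"method": "GET", "url": "https://api.example.test/me",
            "auth": {"type": "oauth2", "oauth2": [
                {"key": "clientSecret", "value": "literal-secret-constructed", "type": "string"},
                {"key": "accessToken", "value": "literal-token-constructed", "type": "string"},
            ]}}},
        {"name": "Health", "request": {"method": "GET", "url": "https://api.example.test/health",
            "auth": {"type": "noauth"}}},
    ],
}

if __name__ == "__main__":
    for item_path, key in find_plaintext_oauth_secrets(SAMPLE_COLLECTION):
        print(f"{item_path}: '{key}' is a literal; replace it with a {{{{variable}}}} before sharing")
```

To check a real export, load it with `json.load` and pass the resulting dict to `find_plaintext_oauth_secrets`.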

These changes are available in the Postman Canary. Please download the latest Postman Canary app and check it out. Feel free to provide your feedback here.