Keyvault or similar for Postman

Is there a way to hide credentials in the Postman interface, with something like a keyvault?

My colleague was working on an API for a customer, and he left his screen. I could see our customer’s credentials in clear text on his screen under the Authorization pane.

My colleague and I did some more digging and under history was all his other GET requests, with credentials in cleartext.

How do I handle his security issue?

Hi Ewa,

That’s a good question. While there isn’t a system that works exactly like a keyvault, I believe that you should be able to achieve the results you’re after by utilising Postman’s environment variables.

That way you will be able to use a variable where you can store your API key, or any other set of credentials, so even if someone manages to see your authorization pane they will not see the value itself, but only the name of the variable.

Depending on your needs, you can save that variable under different types of scopes. You can learn more about variables and the different types of scopes here:

Best Regards,

1 Like
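
As an added example (not part of the original replies and not Postman's own code), this script audits an exported collection to confirm that credentials are referenced through variables, as the reply above suggests, rather than stored as literal values. It assumes the Collection v2.1 export layout; the sample collection and the variable names `customer_password` and `api_token` are constructed for illustration.

```javascript
// Added example: audit a Postman Collection v2.1 export for hardcoded credentials.
// A value counts as "literal" when it is non-empty and contains no {{variable}} reference.
const VAR_REF = /\{\{[^{}]+\}\}/;
const SECRET_FIELDS = { basic: ["username", "password"], bearer: ["token"], apikey: ["value"] };

const isLiteral = (v) => typeof v === "string" && v !== "" && !VAR_REF.test(v);

// Check one auth block (collection, folder or request level).
function auditAuth(auth, where, findings) {
  if (!auth || !SECRET_FIELDS[auth.type]) return;
  for (const field of auth[auth.type] || []) {
    if (SECRET_FIELDS[auth.type].includes(field.key) && isLiteral(field.value)) {
      findings.push(`${where}: ${auth.type}.${field.key} is a literal value`);
    }
  }
}

// Walk folders and requests; report locations only, never the secret itself.
function auditCollection(collection) {
  const findings = [];
  auditAuth(collection.auth, "collection", findings);
  const walk = (items, path) => {
    for (const item of items || []) {
      const where = `${path}/${item.name}`;
      auditAuth(item.auth, where, findings);
      const req = typeof item.request === "object" && item.request ? item.request : {};
      auditAuth(req.auth, where, findings);
      for (const h of Array.isArray(req.header) ? req.header : []) {
        if (/^authorization$/i.test(h.key) && isLiteral(h.value)) {
          findings.push(`${where}: Authorization header is a literal value`);
        }
      }
      walk(item.item, where);
    }
  };
  walk(collection.item, "");
  return findings;
}

// Constructed sample export; variable names are hypothetical.
const sample = { info: { name: "Customer API" }, item: [
  { name: "Get orders", request: { method: "GET", url: "https://api.example.test/orders",
    auth: { type: "basic", basic: [
      { key: "username", value: "svc-account", type: "string" },
      { key: "password", value: "{{customer_password}}", type: "string" } ] } } },
  { name: "Admin", item: [
    { name: "List users", request: { header: [{ key: "Authorization", value: "Bearer {{api_token}}" }] } },
    { name: "Legacy", request: { header: [{ key: "Authorization", value: "Basic constructed-sample" }] } } ] } ] };

console.log(auditCollection(sample).join("\n"));
```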

I might look into that.
I did a clean up of all the old API requests I had made, cleared my history and thought myself “clean”.
Then I made a new API call, switched to basic auth for authentication and was appalled to see Postman auto-filling credentials and passwords from a previous client. Where are those credentials stored? Somewhere in Postman? I’m very uncomfortable with that.