I have a monitor that runs our collection. I created a separate environment for it, but the keys uses come from the “Initial Value” instead of the saved “Current value”. The initial value is visible to the world (and Postman Security email@example.com would send a warning as well.) The solution seems to be to manage access to an environment so that “Everyone” wouldn’t have access, and ideally restrict to just the Runner and the owner of the keys, but that requires Business or Enterprise plans.
I read the article Joyce wrote - How to Use API Keys in Postman but it doesn’t seem to cover my scenario; which I imagine is a common scenario for the hack with public workspaces.
For now, I’ll use Newman as my runner, since the private data only lives in my Newman instance; but I’d love to get this working publicly without having to standup a proxy that hides my key.