New Authorization Changes Causing Error

My POST calls have been working everyday for the past several months. But, I just noticed the Authorization screen is different. There is a Sync icon.
My token only last for 2 hours. So, I have to “Get New Access Token” everyday. I went into the Authorization screen today and found it to be different with that Sync Token option.
Anyways, now my POST is returning an “error”: “Unauthorized” message.
Is there a YouTube video or instruction on how to use the new Authorization?
I am using OAuth2.0 and Grant Type Password Credentials. I am able to Get New Access Token. But, I cannot seem to use the Available Token … even though I see it available on the dropdown list. It doesn’t fill in the Access Token field.
Any help would be greatly appreciated.
Thank you.

I’ve got the same issue since the update. I can get a token when using “Get New Access Token” but it isn’t used by the actual request. Removing or replacing the “filled” token in the Authorization tab doesn’t seem to do anything either.

It would be great if you could add some screenshots to better understand the problem.

Hello vdespa, Thank you for looking into this.

New section after update is boxed in green. There is a Sync Token icon that is greyed out.

Get New Access Token still works as it had before the update.

After selecting Use Token, nothing gets carried over to the Access Token field. Even manually selecting from the dropdown of Available Tokens, nothing gets filled in the Access Token field.

I hope this provide a visual of what I am struggling with.

Thank you.

Hi Rtam,

Please share the response and paste it here

You can capture the updated Access_Token request from the response and save it in variable. Replace the with token with variable name where you passed the token, it will resolve problem

Add that with your headers like Bearer {{Variable_TOKEN}}

var jsonData = JSON.parse(responseBody);
postman.setEnvironmentVariable("Variable_TOKEN", jsonData.access_token);

Hello gpub1,

Thank you for your suggestions. And, sorry for the delayed testing and response. I had to de-stress myself by breathing into a brown paper bag.
It took me a whopping 3 months to get this whole thing working. And, now with this recent change, I am stressed that it is going to take me another 3 months to get it back working again.
I may have misunderstood your guidance or made some wrong assumptions. I still cannot get it working.
Perhaps, you may be able to spot where my mistakes are.
Thank you.

Environment Variable created for Variable_TOKEN

Header values … I think this is where I may have gone wrong

Setting the Environment variable with access_token. Another area I may have made a mistake because the console.log did not print anything. Should this code be in the Pre-request Script or in the Tests area?

This is the result after getting a New Access Token

This is the result after a POST


hi Rtam, Use Headers values in Key as
Authorization and Value as Bearer {{Variable_TOKEN}} you updated token is not saved, so that is reason showing null.

This seems to be a really not great change to the OAuth2 workflow inside Postman. It just hit my machine today and it basically makes Postman worthless for anyone working with OAuth2 protected services.

I also have found the new OAuth authentication problematic. Here are the issues I see

  • Parameters are not retained in ‘Configure New Token’ dialog
  • Selecting an ‘Available Token’ does not fill in token to show it is being used.
  • Pasting token data into ‘Access Token’ field does not always use token.

What is the method to have a new token be used across all API calls for a specific URL? Do we need to create an environment entry and manually create the Authorization header?

I have to agree that this update to the new OAuth makes Postman unusable. I cannot find a way to have an access token always used. Using the same method on different REST API calls to select the OAuth 2 token results in some API calls use the correct token, other calls using an old token, and some just forget to put the Authorization header into the request.

To use a token, I basically disable the sync token (whatever that is - there is no documentation for it or how it is used), I select 'Manage Tokens, I select token and press ‘Use token’. Even though correct token appears in token field, it is not always used. If I select the token using the ‘Available tokens’ drop-down, the token field is not filled in and it may or may not work.

UPDATED (04Nov2020): To make this work across all REST API calls, I had to do the following:

  1. Create a new OAuth token using the supplied dialog. It is usually saved in the ‘Access Token’ field.
  2. Select the entire token in that field using ‘Ctrl-A’ at which point it will ask if I want to ‘Set as variable’.
  3. I select the ‘Save as variable’ as ‘token’ in my current environment.
  4. I go to all the other saved REST API calls and change the authorization to ‘Bearer token’ and set the value of the token to {{token}}

That is a lot of work due to the broken OAuth 2 token selection dialog that cannot seem to allow me to select an available token or allow me to paste a token value into the field.

Welcome Aziz,

all flow related to OAuth2 is here

to the postman team… a suggestion… please dont play lightly with security… you should have tested and documented the sync token feature… it broke a lot of things.

can you provide some workaround… or is this something that you are looking towards.

why can’t you do that proactively , rather than asking dumb questions.

Hello gpub1,

Please pardon my lack of knowledge with Postman. As hinted that I am weak in this kind of technology…it took me close to 3 months to finally get everything working as desired. I am one of those who learn by making mistakes and stumbling/fumbling with a lot of trial and error. Believe me, A LOT of trial&error and mistakes. But, I am not seeing any light at the end of the tunnel and I am starting to lose hope with Postman. Perhaps, I am not understanding your valued instructions and I am creating variables with incorrect names and/or in the wrong location.
I have attached some more screen shots of what I thought you are asking me to do. Again, I may have misinterpreted your guidance.

The Environment I am working in, is PNPFX. I have created the environment variable “Variable_TOKEN” in that environment.

The Collection that I am working in, is PN_to_ION_PRD. The command requiring the Access Token is the POST command. Within the Authorization Tab, I still cannot manually assign the Access Token and save its value … even attempted to manually paste the value into the field does not save it.

Within the Headers Tab, I created a new Key labeled “Authorization” with the value of {{Variable_TOKEN}}

Now, what’s odd is that an access_token was automatically added to both of my GET commands within the same Collection. Those GET commands are calling a different endpoint and they do not require any access token.

The other odd thing is that I did not make any changes to my other Collection, PM_to_Infor. Yet, it has the correct Access Token which I actually need for the Collection PN_to_ION_PRD instead.

What am I doing wrong?
Any further guidance would be greatly appreciated.

Thank you.

Okay, finally got it working. But, it isn’t as streamlined as it was prior to the recent update. Still cannot manage to have the [Access Token] field to save automatically as it had before. The coding of …pm.environment.set(“Variable_TOKEN”, jsonData.access_token)… in the Tests tab didn’t help because clicking the “Get New Access Token” and “Use Token” buttons does not seem to impact responseBody in this POST request. Perhaps, having coding in the Pre-request Script to sendRequest() in retrieving the token may solve the problem. But, I don’t know how to write coding in the Pre-request Script tab to request for New Tokens.

So, I manually cut&pasted the Newly retrieved Token into the Variable_TOKEN variable for my Environment PNPFX.

Within the Headers Tab, I created a Key labeled Authorization. This time I made sure the Value has Bearer {{Variable_TOKEN}}. Last time, I left out the word Bearer during my flip-flopping of trial&error.

After that, I was able to POST with success.

Thank you! @RTam87 That is very detailed and you’ve performed the right steps here.

Unfortunately, this is a known issue in the latest version and our team is currently working towards fixing the same. Below is the GitHub thread where we are tracking the issue - you can subscribe to the tracker to receive notifications when the team posts any updates on this. Thanks!

@RTam87 Glad to know you are finally able to proceed :slight_smile: Good luck and ofcourse you can use pre-script to generate the token . That will automate your collections. Great work

Thank you for the github link, subramanya.raj. Going to that site is like a whole new underground world. Participants seems to be speaking a secret cryptic red-hat code/language. Too complex for me but it was very interesting.

Thank you gpub1 … without your guidance, I wouldn’t have been able to continue with my POSTing to our vendor site.