Hi,
We have been using Postman for quite some time. Recently, we have taken certain steps to make it more secure.
We are using a free account for Postman, but we retrieve our secrets from HashiCorp Vault. We don't use the initial value in environment variables; we use only the current value and apply masking for secrets. We don't use a shared workspace but a personal workspace.
After retrieving the client_secret from HashiCorp Vault in a pre-request script, without storing it in an environment variable, we modify the request body dynamically with the client_secret in the same pre-request script.
But we got to know that Postman logs all requests made through its platform, including those containing sensitive information such as client IDs and credentials used to obtain API tokens.
So I just wanted to know if, after taking all the above measures, our client credentials will be stored in the Postman cloud? Thanks
Hey @ssbhagwat2001
Welcome to the Postman Community!
It sounds like you have adopted some great practices for handling your sensitive data. I would also make use of the Postman Vault, which is your locally encrypted data store. This is something that can be used in scripts using the pm.vault.* syntax, but that needs to be explicitly enabled by the user.
Making full use of the Current Value ensures that the data stays local and is not synced.
Using scripts to store values (within a pre-request script) will also only store that data in the Current Value. I would recommend going in that direction rather than potentially pushing those details into the body without going via a variable.
I would be mindful of using the secret type for variables; this is only going to mask the value in the UI and will not encrypt it in any way.
All of the information with regards to how all data is encrypted and stored, can be found here:
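As an added example (not the original poster's script and not Postman's own code), here is a pre-request script that follows the advice above: it fetches client_secret from HashiCorp Vault and stores it with pm.environment.set, which writes only the Current Value, so the request body can reference {{client_secret}} instead of having the secret spliced in directly. The Vault path and variable names are assumptions, and the mock sandbox at the end exists only so the script runs under Node outside Postman.

```javascript
// Added example, not code from the thread. Pre-request script: read client_secret
// from HashiCorp Vault (KV v2) and keep it in the Current Value only, which stays
// local and is not synced to the Postman cloud. Path and variable names are assumed.
const VAULT_SECRET_PATH = 'v1/secret/data/my-app'; // hypothetical KV v2 path

// Pull client_secret out of a Vault KV v2 read response: { data: { data: {...} } }.
function extractClientSecret(vaultJson) {
  const kv = vaultJson && vaultJson.data && vaultJson.data.data;
  if (!kv || typeof kv.client_secret !== 'string' || kv.client_secret === '') {
    throw new Error('client_secret missing from Vault response');
  }
  return kv.client_secret;
}

// The pre-request script. `pm` is Postman's sandbox object; `done(err)` reports the outcome.
function preRequest(pm, done) {
  const vaultAddr = pm.environment.get('vault_addr');   // Current Value, set locally
  const vaultToken = pm.environment.get('vault_token'); // Current Value, set locally
  pm.sendRequest(
    { url: `${vaultAddr}/${VAULT_SECRET_PATH}`, method: 'GET', header: { 'X-Vault-Token': vaultToken } },
    (err, res) => {
      if (err) return done(err);
      try {
        // environment.set writes the Current Value only; the Initial Value is never touched,
        // so the request body can use {{client_secret}} without the secret being synced.
        pm.environment.set('client_secret', extractClientSecret(res.json()));
        done(null);
      } catch (e) {
        done(e);
      }
    }
  );
}

// Minimal stand-in for the Postman sandbox so the script runs under Node. The Vault
// reply is a constructed sample; `initial` mirrors what a synced Initial Value holds.
function runWithMock(vaultReply) {
  const current = { vault_addr: 'https://vault.example', vault_token: 'hvs.EXAMPLE' };
  const initial = { ...current };
  const pm = {
    environment: { get: (k) => current[k], set: (k, v) => { current[k] = v; } },
    sendRequest: (req, cb) => cb(null, { json: () => vaultReply }),
  };
  let error = null;
  preRequest(pm, (e) => { error = e; });
  return { error, current, initial };
}
```

Inside Postman the same preRequest body runs as-is with the real pm object, and the token request's body then references {{client_secret}}.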