We just noticed that Postman will no longer allow the offline mode and forces the user to log in in order to save a request to a collection.
This is a catastrophic change of operation for this App. We will certainly not get an IT Security clearance for syncing any of the company’s details to Postman (and tbh we do not want to). There are critical details in the Requests, Examples, Tests and Environment, which just cannot leave the company.
There must be hundreds of users using Postman in our group and if they follow the compliance guidelines, they will very soon have to stop using Postman.
We will now start evaluating other tools as a substitution. If the community has any recommendations, feel free to comment on that.
For now we stick to an older version…
Hey there @hbertsch,
We’re sunsetting the scratchpad and replacing it with a new lightweight API Client that still allows you to send requests and keep a history: Announcing the New Lightweight Postman API Client | Postman Blog
You can check out our Trust Center to learn more about how Postman makes sure your data is securely saved and synced: Trust Center | Postman
FWIW we already have companies from the banking or government sectors trusting us (cf Case Studies).
It seems like both you and the documentation intentionally obfuscate your answers to this question.
That blog post says:
All of your work in the lightweight API Client is stored locally and isn’t synced online with Postman. After you sign in to Postman, you can move your open requests and request history into a workspace where you can collaborate with others.
You and I both know that a lot of people don’t and never will want to sign into Postman. We deal with private data and we don’t want to introduce the security concerns with unnecessarily allowing another third-party to see that data. Furthermore, I can only speak for myself, but @henningbertsch seems to agree – there is simply no reason to do this, not even one of convenience. I only ever develop on one machine. I don’t need to sync anything.
Why does the documentation not seem to clearly address this?
Entirely agree, I’m now faced with a migration headache. Pick another tool or just bite the bullet and move everything to CURL/scripts. I can’t imagine any serious IT/compliance department considering allowing this. This isn’t a cost thing, it simply cannot be accommodated.
By design I don’t want to share any of my Postman collections/environments. Postman is a great tool standalone. Is there not a business case just to charge for that?
I am honestly a little astonished that this thread did not gain more attention.
Our genuine concern stems from the potential exposure of highly confidential business logic, especially evident in pre- and post-request scripts when using cloud platforms. These scripts are of a sensitive nature and, as per our protocols, must remain confined to our company or certified subcontractors who have undergone stringent checks for security and compliance.
Further deepening our reservations is our understanding that every request made via Postman routes through your servers. This implies that Postman might have the capability to access and potentially view the data, some of which is critically sensitive.
Lastly, while there exist some other tools like Thunder Client, Insomnia, and SOAP UI, none match the prowess of Postman in terms of features and user experience. It presents a daunting task for us to contemplate migrating from Postman to any other tool, considering the advanced integration we already have in place.
It is our sincere hope that these concerns resonate with you, especially in the realms of regulations, compliance, and confidentiality, when envisioning a cloud-based product tailored for large-scale enterprises.
I cannot agree more. With the end of life of Scratchpad being in 10 days now, there has been no super clear communication since the one in May and the announcement of the new lightweight Client.
We may trust that Postman keeps those secrets safe, but sharing very sensitive info sometimes conflicts with corporate policies.
Not tested, but it looks like this open-source project is getting traction (+50k stars on GitHub and ): hoppscotch/hoppscotch: Open source API development ecosystem - https://hoppscotch.io (github.com)
But it would not be as simple to ‘manage’. Waiting for an official communication from Postman.
Thank you @flasnemurex for pointing out the hoppscotch project. I will have a look at it too. My guess (and hope) is, that sooner or later an open source alternative will be profiting from the current “forced cloud” move of Postman.
I’m amazed by the lack of common sense through this initiative from the Postman team.
That’s definitely a huge fail.
A lot of people (me included) are already looking for a replacement.
I made this account just to reply here, and maybe get some good lead on alternative api clients.
(I have ZERO interest in using this account to login to Postman client and sharing company data into their cloud). This app has also become really really slow and bloated compared to before, don’t know what all information it is already collecting and sending out for analytics.
Looks like time to move on from this App. I can see this app will now lose users, which will lead to less incentive into its development, and this app will be finally taken to a grave and put to REST in an orange coffin.
Same as @q3dm17, only made this account to reply. Sad that Postman is being implemented this way and definitely will not get approved by my security department.
If you are fortunate like me, I still had the installer from an older version which I used to re-install Postman and add the following to my Windows hosts file to prevent automatic updates (which occur even with the Auto Update setting turned off).
Credit to a post on Stack Overflow.
I’ll just stay on an old version and continue using the Scratch Pad.
Hey folks,
The FAQ section on the blog post addresses the questions and comments that have been raised in this topic.
This contains information about how Postman protects your data and it provides a link to our Security & Trust Portal, where you will find additional details about our product security, privacy, compliance, and reliability information.
If you’re still prevented from using Postman in a signed in state by your company’s security policies, you can reach out to our technical architects and solution engineers at firstname.lastname@example.org for further assistance.
Also, the FAQ section provides details about how you can migrate your data from Scratchpad, into a Workspace, after signing up to an account.
For the folks who would still like to use Postman in a non signed in state, you can do so using the Lightweight API Client to send HTTP, WebSocket, gRPC, and GraphQL requests, to test your APIs.