Refresh Token Generation by logging in to an account

Is it possible to automate the process of logging into an account and retrieving the token from the URL via postman’s pre request script?

Details and Screenshots:
We are following 2 steps to authorize our API.

  1. We pass a client id and client secret to a post request.

  1. We navigate to a link, login with our credentials, take the token generated in the URL and paste it in the Pre Request Script.

This generates the bearer token which is used in every request.

The second step is currently done manually before executing the collection every time. I would like to know if there is way to automate this in postman.

Hey! :raising_hand_man: Great question,

Here’s a link to our learning center that has more info about OAuth 2.0.

You can fill out the auth info for your API under your collection’s authorization tab. Once you authenticate with your provider and have that code, Postman will automatically refresh it before any requests that it’s used in.

Programmatically, that might look something like this:

pm.sendRequest({ // From TwitchAPI - Requires your client id, client secret and the grant type of 'client_credentials'
       url: `${pm.collectionVariables.get("Twitch_Client_ID")}&client_secret=${pm.collectionVariables.get("Twitch_Client_Secret")}&grant_type=client_credentials`,
       method: 'POST',
       header: {
           'Accept': 'application/json',
           'Content-Type': 'application/x-www-form-urlencoded'
    }, function (err, res) {
        pm.collectionVariables.set("Twitch_Access_Token", res.json().access_token); // Update our token

Thanks for your help @Kevin
We are able to achieve this currently in our Pre-Request Script and I will try the same using OAuth. But in order to generate the bearer token, it requires a manual step of including a code every time before running the script. Do you have any idea on how to add and automate this via OAuth?


Right, so after authenticating for the first time and generating your token, Postman should be able to automatically refresh it after expiration.

OAuth 2.0 | Postman Learning Center
Auto-refresh is available when a refresh token is present. If no refresh token is present, the Auto-refresh access token toggle and the manual Refresh option aren’t available. To check if a refresh token is present, select Manage Tokens in the Token dropdown list. If a refresh token is not present, check with the authorization service. Postman can’t refresh the access tokens without the refresh token.


Can you please clarify?

It sounds like you need to send the “code” key\value with the OAuth request.

Therefore generating the code is actually the first step? Not the second?

How is the code currently generated? As that will determine if this aspect can be automated.

Have a look at the Microsoft docs. (Your endpoint might be a different product but the process will be similar). You need to hit the authorize endpoint first to get the code. (Which you can save as an environment variable to reuse in the token request).

Microsoft identity platform and OAuth 2.0 authorization code flow - Microsoft Entra | Microsoft Learn.

Using sendRequest more than once in a pre-request script can be problematic, as Postman\sendRequest is asynchronous in nature. I would recommend searching the forum on how to layer your code so the requests run in the correct order. Otherwise, the token request might run before the authorise request. I don’t have any examples of this as I try to avoid this situation at all costs.

Yes. I guess I didn’t put my question the right way. This code needs to be passed on for the POST request along with the client id and secret in order generate the bearer token. And this code expires in a few minutes.

ok, so the code can be passed using the same methods as the client ID and other secrets.

You’ve already got it defined in the body and it looks like you are using environment variables.

You just need to create an environment variable for code, and use it the same way you’ve done the client_id or client_secret.

It sounds like the question you are asking is related to automatically generating the code to be stored in that environment variable.

In which case, how are you currently (manually) generating the code?

Right. My question is whether it is possible to automate the code generation process.
Below are the steps followed to generate the code manually:

  1. Navigate to the below URL in the browser
  2. Login using our credentials
  3. Copy the code generated in the below URL and paste it in the postman script

ok, I don’t think that will work as the code grant_type requires you to use the browser to login with your credentials. (It’s all coming back to me now).

I have a few apps that require that but also allows other methods, so I use a grant_type that doesn’t require user interaction.

I’m using Postman for testing, and as the authentication is managed by Microsoft, I’m not generally that bothered about the authentication method, I’m interested on the page after this (or the response to the API).

I would test the code grant_type manually, and then use another method for more automated tests.

As ours are mainly internal apps, there is less of a security risk in having an application with more than one grant type.

The web application on the front end uses the code grant type so it secure from that point of view.

The code grant type is more secure than “password” though, even though they both generate the same bearer token.

Thanks @michaelderekjones for your response. I will investigate if there is a possibility of using other another method as an alternative to code grant_type.

If you are authenticating against Microsoft you can hit the following endpoint which should tell you the scopes allowed at an org level.{{tenantId}}/v2.0/.well-known/openid-configuration