Secret Variable Type in public collections

Hello,

I am trying to create a public sample collection. In order to the collection to work it requires to have basic authentication. I understand the collection is public, but, I rather no to share credentials or sensitive information. I was trying to find out if it could be possible to use secret variables and that those variables remain secret for the public part. It seems you are not able to edit variables, but you still able to see secret variables values. Is there any way to accomplish this task without switching to per invitation only?

Thanks!

Hey @cryosat-participan11 :wave:

I wouldn’t recommend using the secret type as that’s not really giving you any level of security, it’s more of a UI based masking for “over the shoulder” type attacks.

I would make use of the Postman Vault, to store all of your sensitive data:

For the Public Collections, it would only show the variables syntax {{vault:token}} for example but for you, if you have that set in your vault, it would resolve to the value you have set.

An example of this can be seen on this Public Collection:

https://www.postman.com/postman/workspace/15-days-of-postman-for-testers/request/1559645-18cd0224-e894-4366-b82e-e2223b835447?tab=headers

2 Likes

I did try with vault, but then, if I understood correct, the vault is to prevent sensitive information to be sync with the cloud, so they wont be available to the public collection.

In the example you shared, there is an 401 response because “{{vault:postman_api_key}}” is not available?

That’s acting as a placeholder so if you (Or someone else) have a Vault variable with that name, it will resolve the variable at runtime.

It would be throwing that error because it thinks the token value is the string {{vault:postman_api_key}} .

You wouldn’t be sharing anything other than what you have called the variable.

I see, well, it seems there is no way yet to make a collection public without sharing sensitive data values or upgrade plan. Thanks for replying @danny-dainton

If you still referring to the same workflow, as I mentioned adding something like {{vault:variable_name}} as a placeholder in a URL, Headers or another place that it’s required - Wouldn’t be sharing anything sensitive.

The user of the other side of that would be required to add in there own details in order for the request to work.

If you’re making an element Public, all the details within that will be Public. There isn’t a process of making it Public, hiding some of the details from view and then having it still work. You can add placeholder variables (These would work for you if only placed in the current value/Postman Vault) but there would need to be a process that you adopt to allow your users to still use those requests.