Sensitive Information in Variables

In Postman prior to version 6 we were using global variables to store test passwords or keys that were unique to the user. It was ideal since the globals were not shared or associated with any other environment. It also helped with security since no one could accidentally save their password for the rest of the team to see. I’ve been told by support that with version 6 of Postman, global variables are now associated with a workspace and shared. This defeats the purpose of what we were using them for.

I’m okay if this use case is not intended, but how is the community solving this issue?
How do you store sensitive information so that it’s not accidentally shared beyond your machine?

2 Likes

@alexkahoun - Globals have a one to one association with the workspace. In your personal workspace, only you have access to your globals. In a team workspace, the globals are accessible to the members of that workspace.

Environments have a similar behavior except that they do not have the one-to-one relationship constraint with the workspace.

So you can have an environment in your personal workspace and then add a copy of that to a team workspace. Before adding that, make sure to replace the secret values with dummy credentials. This is similar to the environment template sharing behavior that was available in pre-6.0 versions of the app.

Thanks @pratik. I was afraid that was the case. All it takes now is someone forgetting to remove their personal information and saving. Hopefully a new mechanism is provided in future versions to accommodate this in a better fashion.

2 Likes

I would love a feature where we could define some variables as “private” in an environment (the variable name would be shared but not the value).
We are working with a shared workspace in which we have 2 environments (staging and production); credentials are defined per user and per environment. I haven’t found a smart way yet to save my username/password for each environment without sharing it with the other workspace users (a global variable would not work in that case either, as the credentials are not the same in both environments).

4 Likes

@oliv.braun, as a workaround you could create another environment that has only the keys but not the values.
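The workaround suggested above (share an environment that carries the keys but not the values, and strip secrets before copying a personal environment into a team workspace) as an added example; this is not code from the thread or from Postman. It assumes an exported environment is JSON with a top-level `values` array of `{key, value, enabled}` objects, and the sample export is constructed.

```javascript
// Added example, not from the thread or from Postman.
// Assumption: a Postman environment export has the shape
//   { name: "...", values: [ { key, value, enabled }, ... ] }

// Variable names that usually hold per-user or secret material.
const SECRET_KEY_PATTERN = /(user(name)?|pass(word)?|secret|token|api[_-]?key|credential|private)/i;

function isSecretKey(key, extraSecretKeys = []) {
  return extraSecretKeys.includes(key) || SECRET_KEY_PATTERN.test(key);
}

// Return the keys of secret-looking variables that still carry a value.
// Run this on an environment before sharing it: an empty result means nothing leaks.
function findLeakedSecrets(envExport, extraSecretKeys = []) {
  return (envExport.values || [])
    .filter((v) => isSecretKey(v.key, extraSecretKeys) && v.value !== "")
    .map((v) => v.key);
}

// Produce a copy of the export in which secret values are blanked, so the team
// copy keeps the variable names (the "keys only" environment) but not the values.
function sanitizeEnvironment(envExport, extraSecretKeys = []) {
  const redacted = [];
  const values = (envExport.values || []).map((v) => {
    if (isSecretKey(v.key, extraSecretKeys)) {
      redacted.push(v.key);
      return { ...v, value: "" };
    }
    return { ...v };
  });
  return { sanitized: { ...envExport, values }, redacted };
}

// Constructed sample export (values are placeholders, not real credentials).
const sampleEnvironment = {
  name: "staging",
  values: [
    { key: "baseUrl", value: "https://staging.example.invalid", enabled: true },
    { key: "username", value: "alice", enabled: true },
    { key: "password", value: "constructed-sample-password", enabled: true },
    { key: "apiKey", value: "constructed-sample-key", enabled: true },
    { key: "tenantId", value: "acme", enabled: true },
  ],
};

// "tenantId" is not matched by the pattern, so it is passed explicitly.
const result = sanitizeEnvironment(sampleEnvironment, ["tenantId"]);
console.log(JSON.stringify(result.sanitized, null, 2));
console.log("Redacted:", result.redacted.join(", "));
console.log("Still leaking:", findLeakedSecrets(result.sanitized, ["tenantId"]));
```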

Hi @pratik,

This is a show stopper for my team. Syncing API keys and the like is not something our team or management would accept. Is there a way to stop Postman from syncing environments at all?

We understand the issue and are working on this. I will post an RFC for our approach in the community thread this week.

Thanks @abhinav,

My team is ready to sign up once sharing secrets is optional.

That’s great to hear! I have posted the RFC here: Sessions in Postman. Let me know what you think.

2 Likes