Simple workflow with secrets

my 30 days badge workspace is public

in day 2 I have learned:
⚠️ DON’T LEAK YOUR SECRETS!
It’s very important to add sensitive values like an API key to the CURRENT VALUE (and not INITIAL VALUE) of your public workspace since initial values can be viewed publicly in a public workspace. Storing sensitive values only in CURRENT VALUE keeps your secrets private in a team or public workspace.

ok, when I come back for a session, the current values are gone:
Current values are restricted to your session within your Postman app. If you log out and log back into Postman, those values will be gone. The current value is never synced to your account or shared with your team—unless you choose to persist it.
https://blog.postman.com/how-to-use-api-keys/

but, persist would:
Persisting variable values will replace initial values with current values.
https://support.postman.com/hc/en-us/articles/4409005403031-How-to-persist-variable-values

so, what would the ideal workflow look like?
every time I log in I have to paste the secret(s) into the environment from an external key store to keep it secure?
because the API key, for example, is shown only once - when generating it …

perhaps it is obvious how to act.
thanks in advance for any help

Those secrets should be in a key vault/key store as you have mentioned.

Do not store them alongside the code in your code repository, they are a separate type of artefact and should be treated accordingly.

Yes, it's a pain to have to keep copying and pasting them, but it keeps them secure.

When you add your collection to a CI tool/pipeline, then one of the first tasks in the pipeline would be to retrieve the relevant secrets and send them in on the command line (which would automate it at that point, but still means you have to copy and paste when working locally with the collection).

If you don't have one, you might want to consider creating a policy that covers this within your organisation (or get your info security/governance team to do it).
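As an added illustration of the pipeline step described in this answer (example code, not from the original thread and not Postman's or Newman's own tooling): the secret is assumed to arrive in the job as an environment variable named `API_KEY`, populated by the CI system's secret-store integration, and is handed to Newman with its `--env-var` flag, which sets the variable for that run only, so nothing ever lands in the collection's synced initial values or in the repository. The function names and the `apiKey` variable name are hypothetical.

```shell
#!/bin/sh
# Added example: a CI step that takes an API key from the pipeline's secret
# store (assumed to be exposed as $API_KEY) and passes it to Newman at run time.
# Nothing here writes the secret to disk or into the collection.

# Never echo a secret into CI logs; report only its length.
redact() {
    printf '<redacted, %s chars>' "${#1}"
}

# Fail the step if the named secret is unset or empty, printing only its name.
# The name is validated before the indirect lookup so a malformed name cannot
# turn the eval into anything other than a variable reference.
require_secret() {
    name="$1"
    case "$name" in
        ''|*[!A-Za-z0-9_]*)
            echo "invalid secret name: '$name'" >&2
            return 2 ;;
    esac
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
        echo "missing secret: $name (inject it from your key store)" >&2
        return 1
    fi
    return 0
}

# Run a collection with the key supplied as a run-time variable.
# --env-var behaves like a CURRENT VALUE: it exists only for this newman process.
run_collection() {
    collection="$1"
    require_secret API_KEY || return 1
    echo "running $collection with API_KEY=$(redact "$API_KEY")"
    if ! command -v newman >/dev/null 2>&1; then
        echo "newman is not installed in this job image" >&2
        return 127
    fi
    newman run "$collection" --env-var "apiKey=$API_KEY"
}

# Usage in a pipeline (the secret store has already set API_KEY):
#   run_collection ./collection.json
```

Locally, the same script works after exporting `API_KEY` from your key store for the current shell session, which mirrors the copy-and-paste step: the value is present for the run and disappears with the session. Bear in mind that command-line arguments are visible to other processes on the same host through `ps`; on a shared runner, pass the secret via `--env-var` only when the job runs in an isolated container.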
