API security is crucial, as it directly impacts your business’s success and safety. How well you secure your APIs can make or mar your product, and it is of utmost importance to spend time thinking about security.
I have seen developers work in Postman without properly securing their credentials, often leaving API keys exposed in shared environments or logging sensitive data in the console. For example, some developers unknowingly expose credentials when they make their workspaces public, allowing anyone to access sensitive API keys and tokens that are not properly stored.
In this post, I want to share some tips on how you can protect your data and API in Postman.
General Tips for Securing Your APIs in Postman
When working with APIs in Postman, taking proactive security measures is essential to prevent data leaks and unauthorized access. Implementing best practices ensures your credentials, tokens, and sensitive data remain protected. Below are some helpful tips on securely working in Postman.
1) The secret scanner is your friend
The Postman secret scanner is every developer’s knight. It constantly scans your public workspaces and documentation for any exposed secrets. It checks your variables and environments, schemas, etc. for exposed secrets and notifies all Team and Workspace admins via email and in-app notifications.
Admins are given a link to view all exposed secrets in a dashboard and an option to immediately replace them with a placeholder using a single button click. This helps mitigate security risks faster.
If you do not replace exposed secrets within the timeframe specified in the email, the secret scanner will automatically replace the data with a placeholder for you. For example, authorization secrets can be replaced with {{vault:authorization-secret}} or <AUTHORIZATION_SECRET>.
Pro tip 1: Whenever you want to show an example of some sensitive data, always use placeholder data before making your Workspace public. Maintain a private fork of your collection that you can continue to work in even after making your base collection public.
There’s a lot more you can do with the secret scanner in Postman. You can mark alerts as ‘false positives’, ‘won’t fix’, etc.
Pro tip 2: Don’t ever ignore the secret scanner notifications. While there may be false positives, always check to ensure you’re not exposing anything.
Learn more about the secret scanner here
2) Avoid secret keys in test scripts, headers, params, etc.
Depending on your workflow, you may make HTTP calls from pre-request scripts. Some of those calls require auth credentials, and those credentials are easily exposed if you log request data to the console, pass it to a template for visualization, and so on.
If you need to use sensitive data in your pm scripts, always store it first in a Vault, environment, or collection variable, then access the value programmatically from that storage rather than hard-coding it in the script.
In some cases, Postman actively checks for any sensitive data in your scripts and truncates them before logging to avoid being exposed.
Similarly, you should also be very careful when adding request headers, query/path parameters, etc. These are places where we’ve observed a lot of secrets being exposed. Our variable helpers make it easy to move data from those places into the Vault or collection/environment variables. Simply highlight the value, and you will see a pop-up that helps you store the data more securely.
Here’s a list of places to take note of when making a workspace public:
- Request header
- Collection/Environment/Global Variables
- Query and Path Parameters
- Authorization helpers (API Key, Basic, OAuth, etc.)
- Pre-request and Post-response scripts
- Request body
- URL bar
- Postman Console
3) Keep your credentials local with Postman Vault
Some users worry about storing their credentials in Postman environments and variables because it could potentially sync with Postman cloud depending on how it is stored. While the Postman cloud is safe and secure, we always encourage everyone to store their API secrets in the Postman Vault.
Postman Vault is local encrypted storage that only you can access. Data stored in the Postman Vault is not synced with the Postman cloud and can only be accessed using a vault key. Your vault key can be stored in your system’s password manager or securely elsewhere.
You can limit vault secrets to specific API domains, and link them to external password managers like HashiCorp, Azure Vault, 1Password, etc. if you intend to share credentials with your team. Vault credentials can be programmatically accessed in Postman scripts similar to how you would access environment and collection variables.
Pro tip: When working with authorization helpers in Postman, always use the Postman Vault.
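The pattern sections 2 and 3 describe, as an added example rather than code from the original post: a pre-request script that reads the credential from Postman storage (pm.vault.get for the secret, pm.environment.get for a non-secret value) instead of hard-coding it, puts it in a header rather than the URL, and redacts it before anything is written to the Postman Console. The Vault secret name acme-api-key, the environment variable baseUrl, the sk_test_... value and the fakeSandbox object are constructed for this example; pm.vault.get and pm.environment.get are the Postman sandbox calls the post refers to.

```javascript
// Added example (not from the original post). Shows: secret read from Postman
// storage, sent in a header, redacted before logging. Names and values marked
// "constructed" are placeholders invented for this example.

// Replace every occurrence of a known secret value inside a string, array or
// object with a placeholder. This is a safety net for console.log(); the real
// defence is not logging request/response objects that carry credentials at all.
function redactSecrets(value, secrets, placeholder = "<REDACTED>") {
  const live = secrets.filter((s) => typeof s === "string" && s.length > 0);
  const scrub = (str) => live.reduce((acc, s) => acc.split(s).join(placeholder), str);
  if (typeof value === "string") return scrub(value);
  if (Array.isArray(value)) return value.map((v) => redactSecrets(v, live, placeholder));
  if (value !== null && typeof value === "object") {
    return Object.fromEntries(
      Object.entries(value).map(([k, v]) => [k, redactSecrets(v, live, placeholder)])
    );
  }
  return value; // numbers, booleans, null, undefined pass through unchanged
}

// Build the outgoing request. The key travels in a header, never in the URL or
// body, so it does not end up in the URL bar, shared links or server access logs.
function buildAuthorizedRequest(baseUrl, apiKey) {
  return {
    url: `${baseUrl}/v1/me`,
    method: "GET",
    header: [{ key: "X-Api-Key", value: apiKey }],
  };
}

// Pre-request script body. Inside Postman the real `pm` is already in scope and
// this is what you would paste into the Pre-request Script tab. pm.vault.get()
// returns a Promise, which is why the body is async.
async function preRequest(pm) {
  // Anti-pattern this replaces: const apiKey = "sk_test_...";  // hard-coded, synced, logged
  const apiKey = await pm.vault.get("acme-api-key");   // constructed name; local, encrypted, never synced
  const baseUrl = pm.environment.get("baseUrl");       // constructed name; non-secret, fine as an Initial Value
  if (!apiKey) {
    throw new Error("acme-api-key is not set in the Vault for this domain");
  }

  const req = buildAuthorizedRequest(baseUrl, apiKey);
  const safeToLog = redactSecrets(req, [apiKey]);
  // Only the redacted form reaches the console; the raw key is never logged.
  console.log("sending", JSON.stringify(safeToLog));
  return safeToLog;
}

// Constructed stand-in for the Postman sandbox so this file runs under plain Node.
// Not needed inside Postman.
const fakeSandbox = {
  vault: {
    get: async (key) => (key === "acme-api-key" ? "sk_test_CONSTRUCTED_0123456789" : undefined),
  },
  environment: {
    get: (key) => (key === "baseUrl" ? "https://api.example.com" : undefined),
  },
};

preRequest(fakeSandbox).then((logged) => console.log(logged.header[0].value));
```

redactSecrets only catches values it is told about, so it complements the variable helpers described above rather than replacing them; a Base64-encoded Basic credential, for instance, would pass through unless its encoded form is also in the list.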
Learn more about Postman Vaults
4) Help your API consumers stay secure with Guided Auths
Guided Auth helps you onboard API consumers to your public APIs faster and more efficiently. When you set up Guided Auth for your public APIs in Postman, your API consumers get a step-by-step guide on how to make their first successful API call as soon as they start typing your domain name in the URL bar.
They can easily set up different kinds of authentication (OAuth 2.0, Client Credentials, PKCE, etc.) depending on how your Guided Auth is configured.
Learn how to set up Guided Auth here
Once you have Guided Auth set up, you can help your API consumers stay secure by choosing to store their credentials in Postman Vault after the guided authentication step. Vault secrets added using Guided Auth are referenced inside double curly braces ({{ }}).
The vault: prefix is added to the secret’s name, and a suffix for the authentication type is automatically appended, e.g. {{vault:postman-api-key:value}}.
5) Current Values vs Initial Values
When using variables in Postman, it’s important to understand the difference between Initial Values and Current Values.
- Initial Values are synced to the Postman cloud. If you share your collections, your variables become visible to your team and anyone who has access to that workspace.
- Current Values are only stored locally on your machine and are not shared with others. This makes them ideal for storing sensitive API keys, tokens, or credentials.
Pro tip: Always ensure that sensitive data is stored as a Current Value to prevent accidental exposure. Use Initial Values to show examples of what the variable value could look like.
6) Authorization helpers are there to help
Postman provides authorization helpers that let you handle authentication securely without manually adding tokens or credentials in your request headers.
- Instead of manually copying access tokens, use the OAuth 2.0 helper to automatically fetch and refresh tokens.
- When using API keys, configure them in the authorization tab rather than adding them directly to request URLs.
7) Stop ignoring the warnings!
Postman does a great job of providing warnings in several places when it suspects that something may be wrong. These warnings can come as a UI popup, a push notification, an email, or status indicators in the UI, depending on what you are trying to do. Always pay attention to these warnings and never ignore them.
It never hurts to double check to be sure you are not exposing any sensitive information.
Remember, your data will only be public if you make it public.
Pro Tip: When creating a new Workspace, always start with a Private or Team Workspace. Once you’re done making changes, review your work and then make it public. Ensure you always check thoroughly before changing a Workspace visibility to “Public”.
8) Enforce the Principle of Least Privilege (POLP)
Workspaces and Teams in Postman have Role-Based Access Control (RBAC) built in. We encourage teams collaborating in Postman to grant access and privileges only to those who need them. In a Postman Team, only individuals with the super admin and community manager roles are allowed to manage public elements. Therefore, assign these roles only to the people who need them, and have a standard review process in place for when Workspaces are being published to the public.
Learn more about managing public elements in Postman here
Final Thoughts
Securing your APIs is crucial, and Postman provides various tools to help you keep your secrets safe. By leveraging features like Postman Vault, the Secret Scanner, Guided Auth, Authorization Helpers, etc., you can significantly reduce the risk of exposing sensitive data.
Make sure you implement these best practices and regularly audit your Postman workspaces to ensure that your API security remains strong.
Got questions? Found any of this helpful? Let me know in the comments!
Happy coding and stay secure!
Cheers!