Token works for "get" but fails for "post"

Hi all,
I’ve used Postman a few times to get and remove account information from a partner. When I went in this morning to do it again, my Bearer Token worked to retrieve data, but not to remove it.

I’ve cleared cookies and reset the token a number of times and can’t figure out why I’m getting a “401 Unauthorized” error for the POST, but not GET.

Is there anything else I can check?

Hi @asrch

Are you able to share any screenshots so we can see what you are submitting within your call?

For security reasons, I need to obfuscate a few things, but here’s the one that worked:

This is the one that did not:

The API key and Tokens match. Also, under “Authorization” I used to be able to reset the token as needed, but I cannot find that option anymore either.

I’ve since added the “Content Type” to the failing request.

What auth options are set in your ‘Authorization’ tab (for both)?

Also, looking at your screenshots, your ‘GET’ has something set inside the ‘Settings’ Tab, whereas your ‘POST’ does not. Is this intentional?

It’s like this now for both requests. Earlier on Friday, it was giving me the option to reset the token along with other options (sorry no screenshot for that). But I cannot find that option anymore.

For “Settings” I just reset to default, that cleared the alert.

Are the options you are referring to the same as those for ‘Oauth 2.0’?

Yes, that’s it. I would just choose the button at the bottom and it would generate a token that was good for a certain number of hours (I think - I’d always have to reset it when I logged back in). I changed the “type” and see the options again, but now am getting authorization errors when I try to get a new one.


I didn’t even realise that you could set the authentication to OAuth.

The way I’ve been doing this is by having a sendRequest as a pre-request script.

LOL. I’ll have to look at this at some point.

I’m wondering if I accidentally removed my credentials. What is supposed to go in “Client ID” and “Client Secret”? The API Key? If I try to get a new code, I get this error:

Also, is the “Auth URL” and “Access Token URL” supposed to be the same as the api URL?

As far as I am aware… The auth URL will be the URL the information is sent to, to auth the user before being redirected back to the main URL.

The client secret and client ID will be information tied to the API (not the API key, kind of, more like a username and password for generating tokens) … it is used specifically for auth.

I don’t have loads of knowledge on Oauth etc. but hopefully, that helps? …

This diagram also might help explain the flow;

The client_ID is basically the application you are connecting to and needs to come from your administrator.

The client_secret is related directly to the client_ID and also needs to come from your administrator.

These are usually sensitive data and should be set up as “secret” environment variables, so they don’t end up in your code repository (or Postman’s) or in the code (Pre-request scripts or Tests tab).

The following is an example of using sendRequest with a pre-request script that authenticates to Microsoft via OAuth2. This returns a token_ID that gets used as the BearerToken for the next request which just uses the URL of the application home page. It basically bypasses the Microsoft login as we don’t really want to test that part of the application.

In the screenshot posted by @w4dd325, I think the Auth URL is the URL for the API you want to connect to, and the Access Token URL is the token provider (like Microsoft in this example).

pm.test("Check for collectionVariables", function () {
    // Every variable the token request needs must be set on the collection.
    let vars = ['clientId', 'clientSecret', 'tenantId', 'username', 'password', 'scope'];
    vars.forEach(function (item, index, array) {
        console.log(item, index);
        pm.expect(pm.collectionVariables.get(item), item + " variable not set").to.not.be.undefined;
        pm.expect(pm.collectionVariables.get(item), item + " variable not set").to.not.be.empty;
    });

    // Request a new token only when none is stored or the stored one has expired.
    if (!pm.collectionVariables.get("bearerToken") || new Date() > new Date(pm.collectionVariables.get("bearerTokenExpiresOn") * 1000)) {
        pm.sendRequest({
            // Token endpoint for the tenant (the identity provider's base URL goes in the leading string).
            url: '' + pm.collectionVariables.get("tenantId") + '/oauth2/v2.0/token',
            method: 'POST',
            header: 'Content-Type: application/x-www-form-urlencoded',
            body: {
                mode: 'urlencoded',
                urlencoded: [
                    { key: "client_id", value: pm.collectionVariables.get("clientId"), disabled: false },
                    { key: "scope", value: pm.collectionVariables.get("scope"), disabled: false },
                    { key: "username", value: pm.collectionVariables.get("username"), disabled: false },
                    { key: "password", value: pm.collectionVariables.get("password"), disabled: false },
                    { key: "client_secret", value: pm.collectionVariables.get("clientSecret"), disabled: false },
                    { key: "grant_type", value: "password", disabled: false }
                ]
            }
        }, function (err, res) {
            if (err) {
                console.log(err);
            } else {
                let resJson = res.json();
                // expires_in is a lifetime in seconds; store the absolute expiry as epoch seconds
                // so the expiry check above compares like with like.
                pm.collectionVariables.set("bearerTokenExpiresOn", Math.floor(Date.now() / 1000) + resJson.expires_in);
                pm.collectionVariables.set("bearerToken", resJson.id_token);
            }
        });
    }
});

One query I have. Are you sure you have permissions to POST to the API. If the GET request is working, then it might be a permissions thing.
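One way to tell an expired or missing token from a permissions problem using the failed response alone, as an added example that is not part of the original thread: it parses the RFC 6750 `WWW-Authenticate` challenge. The function names and result labels are hypothetical, and it assumes the API follows RFC 6750 and sends `Bearer` as its only challenge.

```javascript
// Added example, not from the thread.
// Assumes the API follows RFC 6750 and sends Bearer as the only challenge.
function parseBearerChallenge(headerValue) {
  const m = /^\s*Bearer\b\s*(.*)$/is.exec(headerValue || '');
  if (!m) return null;
  const params = {};
  // auth-param = name "=" ( token / quoted-string )
  const re = /([A-Za-z0-9_-]+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^\s,]+))/g;
  let p;
  while ((p = re.exec(m[1])) !== null) {
    params[p[1].toLowerCase()] =
      p[2] !== undefined ? p[2].replace(/\\(.)/g, '$1') : p[3];
  }
  return params;
}

// Map status code plus challenge to a likely cause and a next step.
function triage(status, wwwAuthenticate) {
  const c = parseBearerChallenge(wwwAuthenticate);
  if (status === 401) {
    if (!c) return { cause: 'unauthenticated_no_detail',
                     next: 'server gave no Bearer challenge; ask the API owner' };
    if (c.error === 'invalid_token') return { cause: 'token_invalid',
                     next: 'token expired, revoked or malformed; request a new one' };
    // RFC 6750: a challenge without an error code means no credentials were seen.
    if (!c.error) return { cause: 'credentials_missing',
                     next: 'no token reached the server; check the Authorization header on this request' };
    return { cause: c.error, next: c.error_description || 'see error code' };
  }
  if (status === 403) {
    if (c && c.error === 'insufficient_scope') return { cause: 'insufficient_scope',
                     next: 'token is valid but lacks scope: ' + (c.scope || 'not stated') };
    return { cause: 'forbidden', next: 'authenticated but not permitted' };
  }
  return { cause: 'not_auth_related', next: 'status ' + status };
}
```

In a Postman test script this can be called as `triage(pm.response.code, pm.response.headers.get('WWW-Authenticate'))` on both the GET and the POST to compare what the server reports for each.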

Thank you - I’ll dig further into this. I’ve also reached out to the administrator. I know my permissions haven’t changed; I ran both requests just a few weeks ago and had no issues, and I’m the only one who’s worked on this project.

Does the GET request still work? Or has that stopped working now as well?

No - neither work now but I’m sure my token is expired. Unfortunately it won’t give me a new one, so I think in all my messing around my authentication got “pooched”. I am getting a new secret and will try starting over at square one.

UPDATE: I was able to get the authentication sorted out and the GET request is working again. I did learn that our partner is having issues that prevent the POST function at this time.

Thank you all for your support!