Tokens not save correctly in environment variables

I have a collection in which a folder has been created that retrieves tokens from OKTA and storesthem as a variable in the environment. This is done for 3 users, user A, user B and user C.

Process is in three steps, authentication, authorization and token:

The variable for user A is set properly however the variable for user B also contains user A’s token.
Deleting cookies does not help. Removing the variable and creating it again makes no difference.

For all users this same code snippet is used ( only user is different :wink: )

var response = pm.response.json();

pm.test('Getting tokens is successfull', function () {


Any ideas?

  • Platform Details:
    Postman for Mac : Version10.22.2
    UI version : 10.22.2-ui-240112-1641
    Desktop platform version: 10.22.0
    Architecture : arm64
    OS platform : OS X 23.2.0

  • Tags: collections

Hi @rvdlouw. Welcome to the Postman Community!

A few asks/questions.

  • Can you share the structure of your collection?
  • Is there a separate request for fetching the access tokens for each users, or you’re doing that in one single request? I’m guessing the flow is for each request — authenticate user A → authorize user A → fetch user A token, then repeat for user B and C. Is there a loop anywhere in this flow?
  • Can you share how you’re storing the variables for each user?

Hi @gbadebo-bello
Structure of collection :

There are seperate requests for each user containing three calls each : authentication, authorization en token. So user A is handled until token is fetched, Then userB and so on. Tokens are set in environment A with :


It looks like the second token ( userB ) has the value from token userA.

I would suggest throwing in a bunch of console statements which display what’s set at what point.

Adding some of these after setting the values and in the areas that you know things are changing.


Double check the user information that’s set in the request bodies or the request auth to ensure some unexpected isn’t in there.

Hi @danny-dainton Thanx for the quick response :smiley:. I added some console logs and used the atob function to break down the JWT and what i now notice is that the value of the JWT of the second user is the same value of the first user.
So the token fetch of the second user returns the same token as the first user, while the credentials are different :thinking:. Looks like some caching to me. Dive in deeper tomorrow.
Thanx so far

Hi @danny-dainton @gbadebo-bello.

Found the issue!
There is a secure cookie which confused things and keep active in all requests. I did some experiments with cleaning cookies via cookies.jar. First results had no effect but after adding * to the allowlist :

and replace the domainnames in the script with the specific urls (incl. https):

const jar = pm.cookies.jar()
jar.getAll("https://xxxxxxxxxxxxx",function(error, cookies){
    console.log("Cookies : ", cookies)
    console.log("Error: ", error)
1 Like

Awesome to hear you found the issue and have a fix in place. :trophy:

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.