What are best practices for handling secrets/keys/passwords?

I have a couple of questions regarding keys and workspaces:

Question 1:
What is the best way to handle secrets/keys/passwords with public workspaces so you can use your own credentials but others won’t see them? I looked over the documentation and it sounds like variables and environments are the way to go but I am still not clear on what environments/initial/current values would NOT be shared when making a workspace public.

I took a look at Kin Lane’s Deep Art Effects workspace to see how he did it. I see he used a variable, which makes sense. When I click the Environment drop-down in the top right of the workspace I see two options: “No Environment” and “Deep Art Effects”. If I view the “Deep Art Effects” environment by selecting it and clicking the eyeball I see keys. For my own collection, I don’t want those to be visible.

Question 2:
Is there a way to prompt the user for a key/secret/etc if they don’t populate the variable? I can provide instructions telling the user to provide their own key and where to put it but it would be super cool if there was a way to prompt the user for their key if they try to execute a request and they have not populated the variable. If they don’t read the documentation, it will be dependent on the API to notify the user they are missing credentials and the user to know Postman well enough to figure out where to put them.

Thanks! -Mark Foster

Take a look at this blog entry – How to Use API Keys in Postman | Postman Blog

What we did in our project is set “INITIAL VALUE” to what we want publicly visible, and then “CURRENT VALUE” to the actual key. When we view the public workspace using an Incognito browser window that is not logged in, we see the “CURRENT VALUE” is set to whatever the initial value is. Everyone in our team can see “CURRENT VALUE”, so if you don’t want to share within the team, you need to make sure that “CURRENT VALUE” is a placeholder when you save; then just edit without saving. If you click the “Reset All” button in the environment it will copy all of the “INITIAL VALUE” back into “CURRENT VALUE”, so then you can save with confidence that you aren’t leaking anything.

If you use the native application instead of the web version, you may want to go to your settings and turn off “Automatically persist variable values.”

I like your #2 question – and agree it would be a super cool feature. Right now what our team has been doing is, in the pre-request script, we check the key for something we know will be in the INITIAL value (but should NOT be in the API key [often spaces aren’t in the keys but ARE in the initial value]) and then fail a test with a descriptive comment saying which key was not set. You still have to hope the user sees the failing test, but if they are using the runner then failures are typically more obvious. The test looks something like…

// Resolve the variable; if it is still the placeholder from INITIAL VALUE it will contain spaces.
var googleMapsApiKey = pm.variables.replaceIn('{{googlemaps_api_key}}');
pm.test("Google API key is set correctly", function () {
    // A real key has no spaces, so splitting on ' ' must yield exactly one piece.
    pm.expect(googleMapsApiKey.split(' ').length).to.equal(1, 'Your API key should not have any spaces in it.  Please check your environment variables currentValue for googlemaps_api_key.');
});
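As an added example (not code from the original post), here is a generalised version of that pre-request check: it takes the resolved value of every required variable and names each one that is still empty, still the unresolved `{{name}}` text, or still a space-containing placeholder, so the failing test tells the user exactly which CURRENT VALUE to fill in. The variable names and the sample values are constructed for illustration.

```javascript
// Decide whether a resolved value still looks like a placeholder rather than a
// real credential. Same heuristics as the check above: Postman leaves unknown
// variables as literal "{{name}}", empty values mean nothing was set, and
// placeholders like "your key here" contain spaces while real keys do not.
function isPlaceholder(value) {
  if (value === undefined || value === null) return true;
  const v = String(value).trim();
  if (v === '') return true;
  if (/^\{\{[^}]*\}\}$/.test(v)) return true; // variable never resolved
  if (/\s/.test(v)) return true;               // whitespace only in placeholders
  return false;
}

// Return the names of the variables whose resolved value is still a placeholder.
// `resolved` maps variable name -> resolved value (e.g. from pm.variables.replaceIn).
function findUnsetVariables(resolved) {
  return Object.keys(resolved).filter((name) => isPlaceholder(resolved[name]));
}

// Build the message for the failing test, naming every missing variable and
// where the user has to put it (the environment's CURRENT VALUE column).
function describeMissing(missing) {
  if (missing.length === 0) return '';
  return 'Set the CURRENT VALUE of these environment variables: ' + missing.join(', ');
}

// Constructed sample input, as the values would look after replaceIn():
const sampleResolved = {
  googlemaps_api_key: 'your google maps key here', // placeholder copied from INITIAL VALUE
  deep_art_key: '{{deep_art_key}}',                // variable not defined in this environment
  weather_key: '',                                 // defined but left empty
  real_key: 'constructed-example-key-0123'         // a filled-in credential
};

// Run the check over the sample; returns the names that still need a value.
function demo() {
  return findUnsetVariables(sampleResolved);
}

// Postman glue: only executes inside a pre-request or test script, where `pm` exists.
// Add further required variable names to the list as needed.
if (typeof pm !== 'undefined') {
  const required = ['googlemaps_api_key'];
  const resolved = {};
  required.forEach((name) => { resolved[name] = pm.variables.replaceIn('{{' + name + '}}'); });
  const missing = findUnsetVariables(resolved);
  pm.test('Required API credentials are set', function () {
    pm.expect(missing, describeMissing(missing)).to.be.empty;
  });
}
```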

That is super helpful. Thank you!


@mkfoster For your question #2 would you mind opening a “feature” at Issues · postmanlabs/postman-app-support · GitHub? I want to make sure your idea doesn’t get missed by the product team.

Done. Prompt the user to fill in missing variables · Issue #9445 · postmanlabs/postman-app-support · GitHub


With V11 of Postman, we have introduced the Postman Vault (Store secrets in your Postman Vault | Postman Learning Center), which allows you to store your sensitive data in an encrypted local vault that is not synced with the Postman Cloud. Also, we have added multiple security features to help prevent accidental exposure of your API credentials.