#1: Do not embed your API keys directly in code
Instead of hard-coding your API keys, you can store them as environment variables in Postman. In the same way you use variables for parameterized data, you can also use variables to decouple your secrets from the rest of your code. Storing your API key as an environment variable allows you to revoke, or refresh, the value in a single spot. (If environment variables aren’t ideal for your use case, you can also choose another type of variable.)
Let’s follow an example in which I use an API key stored as an environment variable.
Create an environment and add an environment variable called
If you’re sharing an environment with your team, keep your tokens private by only updating the current value. This also ensures that you don’t override the team’s value.
For global, collection, and environment variables, you can distinguish between an initial and current value. The current value is local to your session within your Postman app. If you log out of Postman, those values will disappear. The current value is never synced to your account or shared with your team—unless you choose to persist it—which keeps it more secure.
Let’s walk through an example in which I share an environment with my team without sharing my personal API key.
Make sure “Automatically persist variable values” is toggled OFF in your general settings, so that you do not persist the current value of variables to the initial value:
Share the environment with your team by sharing it in a team workspace:
Accessing APIs with client credentials flow
Client Credentials Flow is one of the grant types in OAuth 2.0: the client application presents its client_id and client_secret (and sometimes a scope) to the token endpoint in exchange for an access_token, which it then uses to call a protected API resource. No user is involved; the client authenticates as itself, so the client_secret must be protected like any other API key.
Add JWT to headers in Postman
There are two ways to send your JWT to authorize your requests in Postman: adding an Authorization header yourself, or using an authorization helper (the Authorization tab with the type set to Bearer Token).
Is there a way to fully automate this?
Before we begin writing the scripts for automation, let’s add the following new collection variables:
The preceding screenshot shows the following newly added variables:
- WeatherApi_Token_CreatedAt – holds the date and time the token was generated.
- WeatherApi_Token_ExpiresIn – holds the token lifetime expressed in milliseconds.
- WeatherApi_Jwt – holds the value of
We’ll leave the variable values empty as we will be populating them dynamically from the script that we are going to create next.
Learning the basics
If you've been using Postman to perform basic Web API testing, feel free to skip this part. If you haven't tried Postman before and would like to know how to use it to test your Web APIs, keep reading: I'll show you how to set up the configuration needed to test protected Web APIs.
Postman is a handy tool for testing APIs without having to build a UI, and it's free. It offers a lot of features that make it a powerful tool for managing and testing APIs. If you haven't installed it yet, download it here.
After downloading, install it on your machine so you can start testing. The following screenshot shows the Postman app running on my machine using v8.0.6, the latest version at the time of writing.
Option 2: pre-request script to run before each request
This option is good if you’re working with a large collection that might take a while to run, or you have a short-lived token that could expire soon. In this case, add some logic in a pre-request script to check if the current token is expired.
If the token is expired, get a fresh one (e.g. using pm.sendRequest()) and then reset your new token’s time to live. With this approach, remember that you can use a collection- or folder-level script to run this check prior to every request in the collection or folder.
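The automation the section above calls for, as an added example rather than the article's own script: a collection-level pre-request script that fills the three collection variables introduced earlier (WeatherApi_Token_CreatedAt, WeatherApi_Token_ExpiresIn, WeatherApi_Jwt), checks them before every request, and calls `pm.sendRequest()` for a fresh token only when the stored one is about to expire. The token endpoint URL, the environment variable `WeatherApi_ApiKey`, and the endpoint's response shape (`{ "token": ..., "expiresIn": <ms> }`) are assumptions. Pasted into Postman the script uses the sandbox's `pm` object; run under `node` there is no `pm`, so an in-memory stand-in with a fake token endpoint is created and the same logic runs offline.

```javascript
// Added example (not the article's script). TOKEN_URL, WeatherApi_ApiKey and the
// token endpoint's JSON response shape are assumptions for illustration.
const TOKEN_URL = "https://weather.example.test/api/token"; // assumed endpoint
const REFRESH_SKEW_MS = 30 * 1000; // renew early so the main request never races the expiry

// Offline stand-in for Postman's `pm`, used only when this runs outside Postman.
function makeOfflinePm() {
  const collection = new Map();
  const headers = new Map();
  let tokenCalls = 0;
  return {
    collectionVariables: {
      get: (k) => collection.get(k),
      set: (k, v) => collection.set(k, String(v)), // Postman stores variables as strings
    },
    environment: { get: (k) => (k === "WeatherApi_ApiKey" ? "constructed-api-key" : undefined) },
    request: {
      headers: {
        upsert: ({ key, value }) => headers.set(key, value),
        get: (k) => headers.get(k),
      },
    },
    // Fake token endpoint: mints a constructed token valid for 60 s.
    sendRequest: (req, callback) => {
      tokenCalls += 1;
      callback(null, { code: 200, json: () => ({ token: `jwt-${tokenCalls}`, expiresIn: 60 * 1000 }) });
    },
    tokenCalls: () => tokenCalls,
  };
}

// Expired when any variable is missing (first run) or the deadline, minus skew, has passed.
function tokenIsExpired(pmApi, nowMs) {
  const jwt = pmApi.collectionVariables.get("WeatherApi_Jwt");
  const createdAt = Number(pmApi.collectionVariables.get("WeatherApi_Token_CreatedAt"));
  const expiresIn = Number(pmApi.collectionVariables.get("WeatherApi_Token_ExpiresIn"));
  if (!jwt || !Number.isFinite(createdAt) || !Number.isFinite(expiresIn)) return true;
  return nowMs >= createdAt + expiresIn - REFRESH_SKEW_MS;
}

function setBearer(pmApi, jwt) {
  pmApi.request.headers.upsert({ key: "Authorization", value: `Bearer ${jwt}` });
}

// done(err, refreshed): refreshed is true when a new token was fetched.
function ensureFreshToken(pmApi, nowMs, done) {
  if (!tokenIsExpired(pmApi, nowMs)) {
    setBearer(pmApi, pmApi.collectionVariables.get("WeatherApi_Jwt"));
    return done(null, false);
  }
  const tokenRequest = {
    url: TOKEN_URL,
    method: "POST",
    header: { "Content-Type": "application/json" },
    body: {
      mode: "raw",
      // The API key is read from the environment's current value, never hard-coded.
      raw: JSON.stringify({ apiKey: pmApi.environment.get("WeatherApi_ApiKey") }),
    },
  };
  pmApi.sendRequest(tokenRequest, (err, res) => {
    if (err) return done(err);
    if (res.code !== 200) return done(new Error(`token endpoint returned HTTP ${res.code}`));
    const { token, expiresIn } = res.json();
    pmApi.collectionVariables.set("WeatherApi_Jwt", token);
    pmApi.collectionVariables.set("WeatherApi_Token_CreatedAt", nowMs); // epoch milliseconds
    pmApi.collectionVariables.set("WeatherApi_Token_ExpiresIn", expiresIn);
    setBearer(pmApi, token);
    done(null, true);
  });
}

// Entry point: inside Postman `pm` exists; under node fall back to the stand-in.
const pmApi = typeof pm !== "undefined" ? pm : makeOfflinePm();
ensureFreshToken(pmApi, Date.now(), (err, refreshed) => {
  if (err) console.error("token refresh failed:", err.message);
  else console.log(refreshed ? "fetched a new token" : "reusing cached token");
});
```

Because `pm.collectionVariables.set()` writes the current value, the token and its timestamps stay local to your session unless variable persistence is turned on, which is the behaviour the earlier section on initial versus current values relies on.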
REST API and Postman
The first header is the address to which we send our request.
All headers are defined in the HTTP protocol specification. A header has a name. In the first example the header name is "Host"; after the colon comes the header's value. In our example that is "ru.wikipedia.org".
The second role of headers is to describe who exactly is contacting the server (people also say "knocking"). Recall that an important REST principle is statelessness: the server stores no information about the clients that contact it. When we contact the server we have to explain who we are and what we can handle. For example, Accept-Language tells the server which languages the client works with.
It should be said that there can be a great many header variants and, as a rule, they are spelled out explicitly in the API's documentation.
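To make the name/value structure described above concrete, here is an added example (not part of the original page) that parses a raw HTTP/1.1 request into its request line and header map. The request text is constructed for illustration; the parser treats header names case-insensitively and requires the Host header that HTTP/1.1 mandates.

```javascript
// Added example: minimal HTTP/1.1 request parser. RAW_REQUEST is constructed input.
const RAW_REQUEST = [
  "GET /wiki/REST HTTP/1.1",
  "Host: ru.wikipedia.org",
  "Accept-Language: ru, en;q=0.8",
  "accept: text/html",
  "Accept: application/json",
  "",
  "",
].join("\r\n");

function parseHttpRequest(raw) {
  // Headers end at the first blank line; anything after it is the body.
  const [head, body = ""] = raw.split("\r\n\r\n");
  const [requestLine, ...headerLines] = head.split("\r\n");
  const [method, target, version] = requestLine.split(" ");
  if (!method || !target || !version) throw new Error(`malformed request line: ${requestLine}`);

  const headers = {};
  for (const line of headerLines) {
    const colon = line.indexOf(":");
    if (colon < 1) throw new Error(`malformed header line: ${line}`);
    // Header names are case-insensitive (RFC 7230), so normalise them.
    const name = line.slice(0, colon).trim().toLowerCase();
    const value = line.slice(colon + 1).trim();
    // Repeated headers are equivalent to one comma-joined header.
    headers[name] = name in headers ? `${headers[name]}, ${value}` : value;
  }
  // HTTP/1.1 requires exactly the Host header the text above describes.
  if (version === "HTTP/1.1" && !("host" in headers)) {
    throw new Error("HTTP/1.1 request without a Host header");
  }
  return { method, target, version, headers, body };
}
```

Note how `accept` and `Accept` collapse into one entry: the server reads the name, not its capitalisation, which is also why Postman lets you type header names in any case.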
Scripts to check token expiration
JWTs don't live forever. After a specified period of time they expire, and you will need to retrieve a fresh one.
Once again, there are two approaches for checking the expiration of your JWT. The approach you choose will depend on your specific circumstances.
What is a JWT?
JSON Web Token (JWT) is an open standard for securely transmitting information between parties as a JSON object. It’s pronounced jot, or as our Dutch friends would say, yaywaytay.
In this article we’ve discussed several authorization methods. In terms of authorization, Postman is much more powerful though. OAuth 2.0, Hawk and some more specific authorization methods are left aside today. Well, that’s a nice reason to get back to this topic one day, isn’t it? 🙂