Skip to main content

Authentication

Authentication in Postman

Most real-world APIs require authentication. Postman supports all common auth methods so you can test secured endpoints without writing any code.

You can set authentication at two levels:

  • Request level — applies to one request only
  • Collection level — applies to all requests in the collection (recommended)

Setting Auth at the Collection Level

Setting auth once on the collection saves you from adding it to every request individually:

  1. Click on the collection name in the sidebar
  2. Go to the Authorization tab
  3. Choose your auth type and fill in the values
  4. In individual requests, set the Authorization tab to "Inherit auth from parent"

Now all requests in the collection use the collection-level auth automatically.

Bearer Token (JWT)

The most common auth method for modern APIs. The server issues a token after login; you include it in every subsequent request.

In the Authorization tab:

  • Type: Bearer Token
  • Token: {{TOKEN}} (use a variable — see Environments)

This adds the header:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Auto-capture Token After Login

Set the token automatically using a test script on your login request:

Login Request → Tests
const json = pm.response.json();

if (pm.response.code === 200) {
  pm.environment.set("TOKEN", json.token);
  console.log("Token saved:", json.token);
}

Now whenever you run the login request, the {{TOKEN}} variable updates and all other requests use the fresh token.

API Key

Some APIs use a static API key in a header or query parameter.

In the Authorization tab:

  • Type: API Key
  • Key: x-api-key (or whatever header the API expects)
  • Value: {{API_KEY}}
  • Add to: Header

Or if it's a query parameter:

  • Add to: Query Params

This sends:

GET /api/data?api_key=your_key_here

or

GET /api/data
x-api-key: your_key_here

Basic Auth

Sends a base64-encoded username:password in the Authorization header. Used by older APIs and tools like Jenkins.

In the Authorization tab:

  • Type: Basic Auth
  • Username: {{USERNAME}}
  • Password: {{PASSWORD}}

Postman encodes it automatically. The header it sends looks like:

Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
caution

Basic Auth sends credentials in every request (just base64 encoded, not encrypted). Always use it over HTTPS — never over plain HTTP.

OAuth 2.0

OAuth 2.0 is used by services like Google, GitHub, and Spotify. It's more complex but Postman has built-in support to handle the flow.

In the Authorization tab:

  • Type: OAuth 2.0
  • Click "Get New Access Token"
  • Fill in the OAuth provider's details:
    • Token Name: a label for this token
    • Grant Type: Authorization Code (most common)
    • Callback URL: https://oauth.pstmn.io/v1/callback
    • Auth URL: from the provider's docs
    • Access Token URL: from the provider's docs
    • Client ID and Client Secret: from your app registration
    • Scope: permissions you're requesting

Click "Request Token" — Postman opens the provider's login page in a browser. After you log in and authorize, the token is captured automatically.

No Auth

For public endpoints:

  • Type: No Auth

Or just leave the Authorization tab empty.

Handling Token Expiry

Tokens often expire after a short time. To handle this automatically, use a pre-request script on the collection that refreshes the token if it's expired:

Collection → Pre-request Script
const tokenExpiry = pm.environment.get("TOKEN_EXPIRY");
const now = Date.now();

if (!tokenExpiry || now > parseInt(tokenExpiry)) {
  // Token is missing or expired — fetch a new one
  pm.sendRequest({
    url: pm.environment.get("BASE_URL") + "/auth/login",
    method: "POST",
    header: { "Content-Type": "application/json" },
    body: {
      mode: "raw",
      raw: JSON.stringify({
        email: pm.environment.get("ADMIN_EMAIL"),
        password: pm.environment.get("ADMIN_PASSWORD"),
      }),
    },
  }, (err, res) => {
    if (!err && res.code === 200) {
      const json = res.json();
      pm.environment.set("TOKEN", json.token);
      // Set expiry 1 hour from now
      pm.environment.set("TOKEN_EXPIRY", Date.now() + 3600 * 1000);
    }
  });
}

This script runs before every request in the collection. If the token is expired, it logs in automatically and updates the {{TOKEN}} variable.

Quick Reference

Auth TypeWhen to use
Bearer TokenJWT-based APIs, most modern REST APIs
API KeySimple key-based APIs, public APIs
Basic AuthLegacy APIs, admin tools, HTTP proxies
OAuth 2.0Third-party integrations (Google, GitHub, Stripe)
No AuthPublic endpoints

Debugging Auth Issues

If you get a 401 Unauthorized:

  1. Check the Console (bottom of Postman) — it shows the exact headers sent
  2. Verify the token hasn't expired
  3. Check the header name — is it Authorization or x-api-key or something custom?
  4. Make sure there's no extra space before Bearer in the token value
  5. Confirm the environment variable is set (look at the variable value in the environment panel)