Authorization types supported by Postman

Several types of authorization are supported by Postman. Select a type from the Type dropdown list on the Authorization tab of a request. You can choose an authorization type on requests, collections, or folders.

No auth

Postman won't send authorization details with a request unless you specify an auth type. If your request doesn't require authorization, select No Auth from the Authorization tab Type dropdown list.

API key

With API key auth, you send a key-value pair to the API either in the request headers or query parameters. In the request Authorization tab, select API Key from the Type list. Enter your key name and value, and select either Header or Query Params from the Add to dropdown list. You can store your values in variables for extra security.


Postman will append the relevant information to your request Headers or the URL query string.

Bearer token

Bearer tokens enable requests to authenticate using an access key, such as a JSON Web Token (JWT). The token is a text string, included in the request header. In the request Authorization tab, select Bearer Token from the Type dropdown list. In the Token field, enter your API key value. For added security, store it in a variable and reference the variable by name.

Postman prepends the text Bearer to the token value and sends the result in the request Authorization header, in the required format:

Bearer <Your API key>

If a custom prefix is needed instead of Bearer, use API Key auth with Authorization as the key name and the prefixed token as the value.

JWT bearer

Postman also supports generating JWT bearer tokens to authorize requests. You can enter a payload in an editor, and JWT tokens are generated and added to the request. In the request Authorization tab, select JWT Bearer from the Type dropdown list.

  • Add JWT token to - Select Request Header or Query Param to specify how the JWT token will be added to your request.

  • Algorithm - Select an algorithm to use for the JWT token. Supported algorithms include:

    • HS - HMAC with SHA
    • RS - RSA (RSASSA-PKCS1-v1_5) with SHA
    • ES - ECDSA with SHA
    • PS - RSA (RSASSA-PSS) with SHA

  • Secret - The secret that's used with the HS (HMAC with SHA) algorithms.

  • Secret Base64 encoded - Select this if the secret value is Base64 encoded.

  • Private key - The private key used to sign the token for the RS, ES, and PS algorithms. Choose Select file to upload a private key in PKCS #8 format.

  • Payload - Enter the payload data for your JWT token, in JSON format.

In the Advanced configuration section, you can also configure the following items. If you don't configure them, they are generated automatically.

  • Header prefix - An optional prefix placed before the token in the request header. The prefix is part of the request header, not part of the JWT.

  • Headers - Any custom fields you also want to include in the JWT header. The header fields that identify the selected algorithm are added automatically.
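The following is an added example, not Postman's own code: a standard-library HMAC JWT signer and verifier that mirrors the JWT Bearer options above (secret, Secret Base64 encoded, custom headers, header prefix, and the choice between a header and a query parameter). The hash names follow RFC 7518 and the compact encoding follows RFC 7515; the payload, secret, and the query parameter name `token` are constructed for the example.

```python
import base64
import hashlib
import hmac
import json

# Added example (not Postman's code): HS256/HS384/HS512 JWT signing built on the
# standard library. Hash choices follow RFC 7518.
HS_ALGORITHMS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    """Base64url without '=' padding, as JWS (RFC 7515) requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url_encode; restores the padding Python's decoder expects."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def load_secret(secret: str, secret_base64: bool) -> bytes:
    """'Secret Base64 encoded' means the key is the decoded bytes, not the text itself."""
    return base64.b64decode(secret) if secret_base64 else secret.encode("utf-8")


def sign_jwt_hs(payload: dict, secret: str, algorithm: str = "HS256",
                secret_base64: bool = False, extra_headers: dict = None) -> str:
    """Build header.payload.signature for an HMAC algorithm."""
    if algorithm not in HS_ALGORITHMS:
        raise ValueError(f"unsupported HMAC algorithm: {algorithm}")
    # Custom headers go in first; alg/typ are set last so a custom header cannot override them.
    header = {**(extra_headers or {}), "alg": algorithm, "typ": "JWT"}

    def compact(obj: dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode("utf-8")

    signing_input = b64url_encode(compact(header)) + "." + b64url_encode(compact(payload))
    mac = hmac.new(load_secret(secret, secret_base64), signing_input.encode("ascii"),
                   HS_ALGORITHMS[algorithm])
    return signing_input + "." + b64url_encode(mac.digest())


def verify_jwt_hs(token: str, secret: str, algorithm: str = "HS256",
                  secret_base64: bool = False) -> dict:
    """Check the signature and return the payload. The caller pins the algorithm;
    the token's own alg header is compared against it, never trusted on its own."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("token must have exactly three dot-separated segments") from None
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != algorithm:
        raise ValueError(f"token alg {header.get('alg')!r} does not match expected {algorithm!r}")
    mac = hmac.new(load_secret(secret, secret_base64),
                   f"{header_b64}.{payload_b64}".encode("ascii"), HS_ALGORITHMS[algorithm])
    if not hmac.compare_digest(mac.digest(), b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(payload_b64))


def add_jwt_to_request(token: str, add_to: str = "header", prefix: str = "Bearer",
                       param_name: str = "token") -> dict:
    """Where the token goes: the Authorization header (with the optional header
    prefix, which is request metadata and not part of the JWT) or a query
    parameter. The parameter name 'token' is an assumption for this example."""
    if add_to == "header":
        return {"headers": {"Authorization": f"{prefix} {token}".strip()}, "params": {}}
    if add_to == "query":
        return {"headers": {}, "params": {param_name: token}}
    raise ValueError("add_to must be 'header' or 'query'")


if __name__ == "__main__":
    # Constructed payload and secret for the demo.
    claims = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
    jwt = sign_jwt_hs(claims, "your-256-bit-secret", extra_headers={"kid": "demo-key-1"})
    print(add_jwt_to_request(jwt)["headers"]["Authorization"])
    print(verify_jwt_hs(jwt, "your-256-bit-secret"))
```

The verifier deliberately takes the expected algorithm as an argument rather than reading it from the token header; accepting whatever alg the token names is what lets a signed token be replayed under a weaker or absent algorithm.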

Basic auth

Basic authentication involves sending a verified username and password with your request. In the request Authorization tab, select Basic Auth from the Type dropdown list.

Enter your API username and password in the Username and Password fields. For extra security, store these in variables.

In the request Headers, the Authorization header passes the API a Base64 encoded string representing your username and password values, appended to the text Basic as follows:

Basic <Base64 encoded username and password>
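As an added example (not Postman's code), the helpers below build what the API Key, Bearer Token, and Basic Auth types described on this page actually put on the wire, and include a decoder that shows Basic credentials are only encoded, never encrypted. The hostname, key names, and credential values are constructed for the example.

```python
import base64
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Added example (not Postman's code). All sample values are constructed.


def api_key_auth(url: str, headers: dict, key: str, value: str, add_to: str = "header"):
    """API Key type: the key/value pair goes in a request header or the URL query string."""
    headers = dict(headers)
    if add_to == "header":
        headers[key] = value
        return url, headers
    if add_to == "query":
        parts = urlsplit(url)
        query = parse_qsl(parts.query, keep_blank_values=True) + [(key, value)]
        return urlunsplit(parts._replace(query=urlencode(query))), headers
    raise ValueError("add_to must be 'header' or 'query'")


def bearer_auth(headers: dict, token: str, prefix: str = "Bearer") -> dict:
    """Bearer Token type: '<prefix> <token>' in the Authorization header.
    A non-default prefix is the case the page routes through API Key auth."""
    headers = dict(headers)
    headers["Authorization"] = f"{prefix} {token}"
    return headers


def basic_auth(headers: dict, username: str, password: str) -> dict:
    """Basic Auth type: Base64 of 'username:password' after the text 'Basic' (RFC 7617)."""
    if ":" in username:
        raise ValueError("RFC 7617 does not allow ':' in the user-id")
    credentials = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    headers = dict(headers)
    headers["Authorization"] = f"Basic {credentials}"
    return headers


def decode_basic(authorization: str) -> tuple:
    """Recover the cleartext pair from a Basic header. Anyone who can read the
    request (plain HTTP, proxy logs, a shared collection) can do the same, which
    is why the page recommends variables and the header needs TLS."""
    scheme, _, credentials = authorization.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization header")
    username, _, password = base64.b64decode(credentials).decode("utf-8").partition(":")
    return username, password


if __name__ == "__main__":
    url, hdrs = api_key_auth("https://api.example.test/v1/items?limit=10", {}, "api_key", "demo key", "query")
    print(url, hdrs)
    print(bearer_auth({}, "demo.token.value"))
    hdrs = basic_auth({}, "Aladdin", "open sesame")
    print(hdrs["Authorization"], "->", decode_basic(hdrs["Authorization"]))
```

Each helper copies the header dictionary rather than mutating it, so the same base headers can be reused across requests with different auth types.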

Last modified: 2023/05/26