Add API authorization details to requests in Postman

With a request open in Postman, use the Authorization tab to select an auth type, then complete the relevant details for your selected type. The correct data values will be determined by your API at the server side. If you're using a third-party API, refer to the provider's documentation for any required auth details.

Easier API authentication is available for certain public APIs. For more information, see Authentication for public APIs.

Select an authorization type

When you select a type from the Type dropdown list, Postman will indicate which parts of the request your details will be included in, for example the header, body, URL, or query parameters. Postman adds your auth details to the relevant parts of the request when you select or enter them, so you can preview how your data will be sent before you run the request.

For more details on setting up each type of authorization, go to Authorization types supported by Postman.

You can use these auth types with Newman and monitors as well as in Postman.

View authorization details

After you select and set up an authorization type, your auth data will appear in the relevant parts of the request, for example in the Headers tab. To show headers that were added automatically, select hidden.

Hover over a header to get information about where it was added. To change an auth header, return to the Authorization tab and update your configuration.

You can't override headers added by your Authorization selections directly in the Headers tab. If you need different auth headers from those autogenerated by Postman, alter your setup in Authorization, or remove your auth setup and add headers manually.

Your request auth can use environment, collection, and global variables. Postman doesn't save header data or query parameters to avoid exposing sensitive data such as API keys.

You can inspect a raw dump of the entire request including auth data in the Postman Console after you send it.

Inherit authorization

If you group your requests in collections and folders, you can specify auth details to reuse throughout a group.

By default, requests inside the collection or folder will inherit auth from the parent, which means that they'll use the same auth that you've specified at the folder or collection level. To change this for an individual request, make a different selection in the request Authorization tab.