Create and manage vault secrets

Add vault secrets to your Postman Vault and reuse them in your local instance of Postman. Then you can reference vault secrets in your HTTP collections and requests, variables, and the Collection Runner. Only you can access and use your encrypted vault secrets, and vault secrets aren't synced to the Postman cloud.

You can also use Guided Auth to add vault secrets that have authentication credentials for public APIs, and reference them in your HTTP requests.

Add sensitive data as vault secrets

After you save your vault key, you can add sensitive data, such as API keys and passwords, to your Postman Vault and reuse it in your local instance of Postman. You can also add secrets from the HTTP request builder.

You can't set or access vault secrets in scripts.

You can also create an integration (Enterprise teams only) that connects your Postman Vault with external vaults, such as Azure Key Vault. This enables you to link vault secrets with sensitive data stored in external vaults, and reuse it in your local instance of Postman.

Vault secrets aren't preserved in your Postman Vault after signing out of Postman. This means that references to the secret will be unresolved when you sign in to Postman. You can add your vault secrets back to your Postman Vault after you sign in.

To add secrets to your Postman Vault, do the following:

  1. Open your Postman Vault.

  2. Enter the following values in an empty row:

    • Key - The name of the vault secret. Use the name to reference the secret.

    • Value - The value used when sending requests in your local instance of Postman. It's never synced to your account or shared with your team.

      To link vault secrets with an external vault, enter a name for the vault secret, hover over the Value cell, then select the vault integration icon. Select the external vault you want to create an integration for, then you'll be prompted with next steps. Learn how to integrate your Postman Vault with an external vault.

      To show or hide a vault secret's value, hover over the secret and select the eye icon.

    • Allowed domains - The comma-separated list of domains and subdomains you're allowed to send requests to with the vault secret. This enables you to prevent unintentional disclosure of sensitive data in your vault secret. By default, you can include vault secrets in requests to any domain and subdomain. Select the empty cell then enter your allowed domains.

      If you specify allowed domains or subdomains for a vault secret, you can only reference it at the request level.

      To allow sending requests to any subdomain of an allowed domain, use * to represent any subdomain. For example, add *.example.com to allow sending requests to any subdomain of example.com.

    Changes are automatically saved to your Postman Vault.

To set data as vault secrets from the request builder, do the following:

  1. Select the data you need. You can select data from the URL builder, the Params tab, the Authorization tab, and the Headers tab.

  2. Select Set as variable.

  3. Select + Set as new variable.

  4. Enter the Name of the vault secret, confirm that the Value is correct, and select Vault as the scope.

  5. Select Set Variable.

You can also reference vault secrets that don't exist yet, then add new secrets to your Postman Vault. In the request builder, enter a name that doesn't exist using the following syntax: {{vault:secret-name}}. You can enter a name in the URL builder, the Params tab, the Authorization tab, and the Headers tab. Hover over the unresolved reference to the secret, enter the value, then select Add Secret.

Use vault secrets

You can reference vault secrets in your HTTP collections and requests from the URL builder, the Params tab, the Authorization tab, the Headers tab, and the Body tab. You can also reference vault secrets as the values of your global, environment, and collection variables. You can use the Collection Runner to manually run collections that reference vault secrets.

You can't set or access vault secrets in scripts.

If you're using the Postman web app to send requests with references to vault secrets, you must use the Postman Desktop Agent or the Postman Browser Agent.

If you're referencing vault secrets linked from an external vault, you must use the Postman desktop app. Learn about external vault integrations.

Put the vault secret inside double curly braces ({{ }}) and append the prefix vault: to the vault secret's name, enabling you to reference it throughout your workspaces. For example, to reference a vault secret named "postman-api-key", use the following syntax:

{{vault:postman-api-key}}

To learn how to troubleshoot unresolved vault secrets, see Troubleshoot vault secrets.
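The following is an added example, not Postman's code: a Node.js audit that walks an exported collection (assumed to be Collection v2.1 JSON), finds every {{vault:name}} reference, and checks each request's host against the allowed domains you intend to enter for that secret. The allowed-domain map is typed in by hand because the vault itself is local, and the matching rule (a `*.` entry covers subdomains only, any other entry is an exact match) is an assumption; all function names and sample data are constructed.

```javascript
// Added example: map {{vault:name}} references to request hosts and allowed domains.
const VAULT_REF = /\{\{vault:([^}]+)\}\}/g;
// Assumed rule: "*.example.com" covers subdomains only; other entries are exact.
function hostAllowed(host, allowed) {
  return allowed.some((entry) => {
    const d = entry.trim().toLowerCase();
    return d.startsWith('*.') ? host.endsWith(d.slice(1)) : host === d;
  });
}
// Returns null when the host comes from a variable such as {{baseUrl}}.
function requestHost(url) {
  const raw = typeof url === 'string' ? url : (url && url.raw) || '';
  try {
    const h = new URL(raw).hostname.toLowerCase();
    return h.includes('{') ? null : h;
  } catch { return null; }
}
function auditCollection(collection, allowedBySecret) {
  const findings = [];
  const walk = (items, path) => {
    for (const it of items || []) {
      if (it.item) { walk(it.item, [...path, it.name]); continue; } // folder
      if (!it.request) continue;
      const host = requestHost(it.request.url);
      const refs = [...JSON.stringify(it.request).matchAll(VAULT_REF)].map((m) => m[1]);
      for (const secret of new Set(refs)) {
        const allowed = allowedBySecret[secret];
        let status = 'ok';
        if (!allowed) status = 'unrestricted'; // default: any domain
        else if (host === null) status = 'host-unresolved';
        else if (!hostAllowed(host, allowed.split(','))) status = 'host-not-allowed';
        findings.push({ request: [...path, it.name].join(' / '), secret, host, status });
      }
    }
  };
  walk(collection.item, []);
  return findings;
}

// Constructed sample data, not taken from the page.
const sample = { item: [
  { name: 'List users', request: { url: { raw: 'https://api.example.com/users' },
    header: [{ key: 'X-Api-Key', value: '{{vault:postman-api-key}}' }] } },
  { name: 'Hooks', item: [{ name: 'Ping', request: { url: 'https://hooks.example.net/in',
    header: [{ key: 'Authorization', value: 'Bearer {{vault:postman-api-key}}' }] } }] },
  { name: 'Me', request: { url: '{{baseUrl}}/me?key={{vault:other-key}}' } } ] };
const sampleAllowed = { 'postman-api-key': '*.example.com', 'other-key': 'api.example.com' };
console.log(auditCollection(sample, sampleAllowed));
```

A status of unrestricted marks a secret with no allowed domains, and host-unresolved marks a request whose host depends on a variable and needs a manual check.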

Vault secrets stored in your Postman Vault are masked by default when they're logged to the Postman Console. To edit whether vault secrets are masked in the Postman Console, select Settings, then turn the toggle on or off next to Mask vault secrets.

If you reference a vault secret as the initial value of a variable, such as an environment variable, the reference to the secret (for example {{vault:secret-name}}) is synced using Postman's cloud servers, and shared with anyone who has access to the workspace. The vault secret's value stored in your Postman Vault isn't synced or shared. Learn more about initial and current values.

If you're using the Postman web app with Safari as your web browser, it deletes vault secrets from your local instance of Postman after seven days of inactivity. Use a different web browser if you want your vault secrets available for more than seven days without activity in the Postman web app. Learn about the browser requirements for the Postman web app.

Edit vault secrets

You can edit vault secrets stored in your Postman Vault by updating them and their allowed domains, changing a vault secret's name, making vault secrets unavailable, or deleting vault secrets.

To edit vault secrets, select Vault from the Postman footer. You can take the following actions:

  • To filter the list of vault secrets by name, enter text in the Filter secrets box.
  • To sort the list of vault secrets, select a column header. You can toggle between ascending and descending order.
  • To add a new vault secret, select Add new secret in the bottom row of the table.
  • To update the key or value for the vault secret, select the relevant cell.
  • To delete a vault secret, hover over a secret and select the delete icon.
  • To update the list of allowed domains, select the empty cell or list of domains.
  • To make a vault secret unavailable without deleting it, clear the checkbox next to the secret. Any references to the secret will be unresolved. To make the secret available again, select the checkbox.
  • To link a different secret from an external vault, select the vault integration icon next to the vault secret you want to update, then select the edit icon.

Changes are automatically saved to your Postman Vault.

Last modified: 2024/04/29