> For clean Markdown content of this page, append .md to this URL. For the complete documentation index, see https://learning.postman.com/llms.txt. For full content including API reference and SDK examples, see https://learning.postman.com/llms-full.txt.

# Get detected secrets locations

GET https://api.getpostman.com/detected-secrets/{secretId}/locations

Gets the locations of secrets detected by Postman's [Secret Scanner](https://learning.postman.com/docs/administration/secret-scanner/).

Reference: https://learning.postman.com/api-docs/api-reference/secret-scanner/get-detected-secrets-locations

## OpenAPI Specification

```yaml
openapi: 3.1.0
info:
  title: Postman API
  version: 1.0.0
paths:
  /detected-secrets/{secretId}/locations:
    get:
      operationId: getDetectedSecretsLocations
      summary: Get detected secrets locations
      description: >-
        Gets the locations of secrets detected by Postman's [Secret
        Scanner](https://learning.postman.com/docs/administration/secret-scanner/).
      tags:
        - secretScanner
      parameters:
        - name: secretId
          in: path
          description: The secret's ID.
          required: true
          schema:
            $ref: '#/components/schemas/secretId'
        - name: limit
          in: query
          description: The maximum number of rows to return in the response.
          required: false
          schema:
            $ref: '#/components/schemas/limit'
            default: 10
        - name: cursor
          in: query
          description: >-
            The pointer to the first record of the set of paginated results. To
            view the next response, use the `nextCursor` value for this
            parameter.
          required: false
          schema:
            $ref: '#/components/schemas/cursor'
        - name: workspaceId
          in: query
          description: The workspace's ID.
          required: true
          schema:
            $ref: '#/components/schemas/workspaceId'
        - name: since
          in: query
          description: >-
            Return only results created since the given time, in [ISO
            8601](https://datatracker.ietf.org/doc/html/rfc3339#section-5.6)
            format. This value cannot be later than the `until` value. To use
            `time-numoffset` format, you must use `%2B` URL-encoding for the `+`
            character.
          required: false
          schema:
            $ref: '#/components/schemas/sinceDateTime'
        - name: until
          in: query
          description: >-
            Return only results created until this given time, in [ISO
            8601](https://datatracker.ietf.org/doc/html/rfc3339#section-5.6)
            format. This value cannot be earlier than the `since` value. To use
            `time-numoffset` format, you must use `%2B` URL-encoding for the `+`
            character.
          required: false
          schema:
            $ref: '#/components/schemas/untilDateTime'
        - name: resourceType
          in: query
          description: Return only results that match the given resource type.
          required: false
          schema:
            $ref: '#/components/schemas/resourceType'
        - name: x-api-key
          in: header
          required: true
          schema:
            type: string
      responses:
        '200':
          description: Successful Response
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/getSecretsLocations'
        '400':
          description: Bad Request
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/commonErrorTypeTitleStatusInstance'
        '401':
          description: Unauthorized
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/commonErrorTypeTitleStatusInstance'
        '403':
          description: Forbidden
          content:
            application/json:
              schema:
                $ref: >-
                  #/components/schemas/GetDetectedSecretsLocationsRequestForbiddenError
        '500':
          description: Internal Server Error
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/commonErrorTypeTitleStatusInstance'
servers:
  - url: https://api.getpostman.com
    description: https://api.getpostman.com
  - url: https://api.eu.postman.com
    description: https://api.eu.postman.com
components:
  schemas:
    secretId:
      type: string
      title: secretId
    limit:
      type: integer
      default: 10
      title: limit
    cursor:
      type: string
      title: cursor
    workspaceId:
      type: string
      title: workspaceId
    sinceDateTime:
      type: string
      format: date-time
      title: sinceDateTime
    untilDateTime:
      type: string
      format: date-time
      title: untilDateTime
    resourceType:
      type: string
      enum:
        - collection
        - environment
        - extensible-collection
        - globals
        - example
        - request
        - folder
        - extensible-collection-meta
        - extensible-request
        - extensible-folder
        - extensible-example
        - extensible-message
      title: resourceType
    GetSecretsLocationsDataItems:
      type: object
      properties:
        isResourceDeleted:
          type: boolean
          description: If true, the resource in which the secret was found was deleted.
        leakedBy:
          type: integer
          description: The ID of the user who exposed the secret.
        location:
          type: string
          description: The location where the secret was found.
        occurrences:
          type: integer
          description: The number of times the secret occurs in the location.
        parentResourceId:
          type: string
          format: uid
          description: >-
            The parent resource's unique ID. If the resource is a request,
            folder, or example, this value is a collection ID. If the resource
            is a collection, globals, or environment, this is the resource's ID.
        resourceId:
          type: string
          format: uid
          description: The unique ID of the resource where the secret was detected.
        resourceType:
          type: string
          description: The type of resource in which the secret was detected.
        detectedAt:
          type: string
          format: date-time
          description: The date and time at which the secret was detected.
        url:
          type: string
          description: The URL to the resource that contains the secret.
      description: Information about the secret finding locations.
      title: GetSecretsLocationsDataItems
    GetSecretsLocationsMetaActivityFeedItemsStatus:
      type: string
      enum:
        - FALSE_POSITIVE
        - ACCEPTED_RISK
        - REVOKED
        - ACTIVE
      description: >
        The secret's current resolution status:

        - `ACTIVE` — The secret is active.

        - `FALSE_POSITIVE` — The discovered secret is not an actual secret.

        - `REVOKED` — The secret is valid, but the user rotated their key to
        resolve the issue.

        - `ACCEPTED_RISK` — The Secret Scanner found the secret, but user
        accepts the risk of publishing it.
      title: GetSecretsLocationsMetaActivityFeedItemsStatus
    GetSecretsLocationsMetaActivityFeedItems:
      type: object
      properties:
        resolvedAt:
          type: string
          format: date-time
          description: The date and time at which the resolution status was last updated.
        resolvedBy:
          type: integer
          description: The ID of the user that updated the secret's resolution status.
        status:
          $ref: '#/components/schemas/GetSecretsLocationsMetaActivityFeedItemsStatus'
          description: >
            The secret's current resolution status:

            - `ACTIVE` — The secret is active.

            - `FALSE_POSITIVE` — The discovered secret is not an actual secret.

            - `REVOKED` — The secret is valid, but the user rotated their key to
            resolve the issue.

            - `ACCEPTED_RISK` — The Secret Scanner found the secret, but user
            accepts the risk of publishing it.
      title: GetSecretsLocationsMetaActivityFeedItems
    GetSecretsLocationsMeta:
      type: object
      properties:
        activityFeed:
          type: array
          items:
            $ref: '#/components/schemas/GetSecretsLocationsMetaActivityFeedItems'
          description: The history of the secret's resolution status changes.
        cursor:
          type: string
          description: The pointer to the first record of the set of paginated results.
        limit:
          type: integer
          description: The maximum number of rows to return in the response.
        nextCursor:
          type:
            - string
            - 'null'
          description: >-
            The Base64-encoded value that points to the next record in the
            results set.
        obfuscatedSecret:
          type: string
          description: The secret's obfuscated value.
        secretHash:
          type: string
          description: The secret's SHA-256 hash.
        secretType:
          type: string
          description: The type of thesecret.
        total:
          type: integer
          description: The total number of discovered secret locations.
      title: GetSecretsLocationsMeta
    getSecretsLocations:
      type: object
      properties:
        data:
          type: array
          items:
            $ref: '#/components/schemas/GetSecretsLocationsDataItems'
        meta:
          $ref: '#/components/schemas/GetSecretsLocationsMeta'
      title: getSecretsLocations
    commonErrorTypeTitleStatusInstance:
      type: object
      properties:
        type:
          type: string
          description: The type of error.
        title:
          type: string
          description: A short summary of the problem.
        status:
          type: integer
          description: The HTTP status code generated by the origin server.
        instance:
          type: string
          description: >-
            The URI reference that identifies the specific occurrence of the
            problem.
      title: commonErrorTypeTitleStatusInstance
    CommonErrorTypeTitleDetailStatusType:
      oneOf:
        - type: string
          format: uri-reference
        - type: string
      title: CommonErrorTypeTitleDetailStatusType
    commonErrorTypeTitleDetailStatus:
      type: object
      properties:
        type:
          $ref: '#/components/schemas/CommonErrorTypeTitleDetailStatusType'
        title:
          type: string
          description: A short summary of the problem.
        detail:
          type: string
          description: Information about the error.
        status:
          type: integer
          description: The error's HTTP status code.
      title: commonErrorTypeTitleDetailStatus
    GetDetectedSecretsLocationsRequestForbiddenError:
      oneOf:
        - $ref: '#/components/schemas/commonErrorTypeTitleDetailStatus'
        - $ref: '#/components/schemas/commonErrorTypeTitleStatusInstance'
      title: GetDetectedSecretsLocationsRequestForbiddenError
  securitySchemes:
    PostmanApiKey:
      type: apiKey
      in: header
      name: x-api-key
    scimApiKey:
      type: apiKey
      in: header
      name: Authorization
      description: >-
        A valid [SCIM API
        key](https://learning.postman.com/docs/administration/scim-provisioning/scim-provisioning-overview/#generating-scim-api-key)
        for calls to SCIM endpoints.
    basicAuth:
      type: http
      scheme: basic

```

## Examples



**Response**

```json
{
  "data": [
    {
      "isResourceDeleted": false,
      "leakedBy": 12345678,
      "location": "Headers",
      "occurrences": 1,
      "parentResourceId": "12345678-14728df4-c7af-424f-b665-5047b7d25866",
      "resourceId": "12345678-e0df25e0-d245-40dd-89b5-68720d186d3f",
      "resourceType": "example",
      "detectedAt": "2023-04-25T08:13:48.000Z",
      "url": "https://go.postman.co/build/workspace/80ab14ae-c17d-4fd6-88d5-99bf13f0b7f0/example/12345678-e0df25e0-d245-40dd-89b5-68720d186d3f"
    }
  ],
  "meta": {
    "activityFeed": [
      {
        "resolvedAt": "2023-04-25T11:18:07.000Z",
        "resolvedBy": 12345678,
        "status": "ACTIVE"
      }
    ],
    "cursor": "MTIyNjY5Nw==",
    "limit": 2,
    "nextCursor": null,
    "obfuscatedSecret": "PMAK-644781584627df042afa6655-******ba",
    "secretHash": "0096b35ef6621d7571f106fefee5b10e8ed360cc9bf04f343f267ca4ff65bb5d",
    "secretType": "Postman API Key",
    "total": 3
  }
}
```

**SDK Code**

```python Successful Response
import requests

url = "https://api.getpostman.com/detected-secrets/MTc0ODA0Mw%3D%3D/locations"

querystring = {"workspaceId":"1f0df51a-8658-4ee8-a2a1-d2567dfa09a9"}

headers = {"x-api-key": "<apiKey>"}

response = requests.get(url, headers=headers, params=querystring)

print(response.json())
```

```javascript Successful Response
const url = 'https://api.getpostman.com/detected-secrets/MTc0ODA0Mw%3D%3D/locations?workspaceId=1f0df51a-8658-4ee8-a2a1-d2567dfa09a9';
const options = {method: 'GET', headers: {'x-api-key': '<apiKey>'}};

try {
  const response = await fetch(url, options);
  const data = await response.json();
  console.log(data);
} catch (error) {
  console.error(error);
}
```

```go Successful Response
package main

import (
	"fmt"
	"net/http"
	"io"
)

func main() {

	url := "https://api.getpostman.com/detected-secrets/MTc0ODA0Mw%3D%3D/locations?workspaceId=1f0df51a-8658-4ee8-a2a1-d2567dfa09a9"

	req, _ := http.NewRequest("GET", url, nil)

	req.Header.Add("x-api-key", "<apiKey>")

	res, _ := http.DefaultClient.Do(req)

	defer res.Body.Close()
	body, _ := io.ReadAll(res.Body)

	fmt.Println(res)
	fmt.Println(string(body))

}
```

```ruby Successful Response
require 'uri'
require 'net/http'

url = URI("https://api.getpostman.com/detected-secrets/MTc0ODA0Mw%3D%3D/locations?workspaceId=1f0df51a-8658-4ee8-a2a1-d2567dfa09a9")

http = Net::HTTP.new(url.host, url.port)
http.use_ssl = true

request = Net::HTTP::Get.new(url)
request["x-api-key"] = '<apiKey>'

response = http.request(request)
puts response.read_body
```

```java Successful Response
import com.mashape.unirest.http.HttpResponse;
import com.mashape.unirest.http.Unirest;

HttpResponse<String> response = Unirest.get("https://api.getpostman.com/detected-secrets/MTc0ODA0Mw%3D%3D/locations?workspaceId=1f0df51a-8658-4ee8-a2a1-d2567dfa09a9")
  .header("x-api-key", "<apiKey>")
  .asString();
```

```php Successful Response
<?php
require_once('vendor/autoload.php');

$client = new \GuzzleHttp\Client();

$response = $client->request('GET', 'https://api.getpostman.com/detected-secrets/MTc0ODA0Mw%3D%3D/locations?workspaceId=1f0df51a-8658-4ee8-a2a1-d2567dfa09a9', [
  'headers' => [
    'x-api-key' => '<apiKey>',
  ],
]);

echo $response->getBody();
```

```csharp Successful Response
using RestSharp;

var client = new RestClient("https://api.getpostman.com/detected-secrets/MTc0ODA0Mw%3D%3D/locations?workspaceId=1f0df51a-8658-4ee8-a2a1-d2567dfa09a9");
var request = new RestRequest(Method.GET);
request.AddHeader("x-api-key", "<apiKey>");
IRestResponse response = client.Execute(request);
```

```swift Successful Response
import Foundation

let headers = ["x-api-key": "<apiKey>"]

let request = NSMutableURLRequest(url: NSURL(string: "https://api.getpostman.com/detected-secrets/MTc0ODA0Mw%3D%3D/locations?workspaceId=1f0df51a-8658-4ee8-a2a1-d2567dfa09a9")! as URL,
                                        cachePolicy: .useProtocolCachePolicy,
                                    timeoutInterval: 10.0)
request.httpMethod = "GET"
request.allHTTPHeaderFields = headers

let session = URLSession.shared
let dataTask = session.dataTask(with: request as URLRequest, completionHandler: { (data, response, error) -> Void in
  if (error != nil) {
    print(error as Any)
  } else {
    let httpResponse = response as? HTTPURLResponse
    print(httpResponse)
  }
})

dataTask.resume()
```