Postman API key management is available with Postman Enterprise plans.
The Postman API enables you to integrate Postman into your development toolchain, but requires API keys to do so. Team Admins can manage the Postman API keys your team creates at scale, ensuring you maintain compliance and security across your organization. Teams can control the creation of API keys, their expiration dates, and revoke keys when needed.
You must be a Team Admin or Super Admin to use the Postman API key management dashboard.
SCIM (System for Cross-domain Identity Management) API keys can be managed in Team Settings.
To open the Postman API key management dashboard, click Team > Manage Postman Keys in the Postman header.
The dashboard lists all of the Postman API keys created by your team. To filter the list by enabled, disabled, or revoked keys, select or clear the checkboxes next to View.
You can review the key’s creator, date of creation, expiration date, and when it was last used. You can also search by key value to locate a specific key, filter by user by selecting them in the Created by dropdown list, and sort by newest, oldest, and recently used.
Tags next to the API key’s name specify when it’s disabled or revoked. You can hover over a revoked tag to see whether a Team Admin revoked the key, whether it was revoked due to inactivity past its expiration date, or whether it was automatically revoked. Revoked API keys also display their revocation date under their creation date.
If the Postman Secret Scanner detects exposed Postman API keys in public Postman workspaces, public Postman documentation, or GitHub and GitLab repositories, they appear in the Exposed API keys section. This section provides details about the exposed key, such as the exposure detection date, the last time used, and location.
You can manage how Postman automatically handles exposed API keys in the API key settings section of the Postman API key management dashboard.
You can revoke an API key in the Postman API key management dashboard by hovering over it and clicking Revoke. To revoke multiple API keys at once, select the checkboxes next to each key, then click Revoke above the list.
Postman notifies users by email when their API keys are revoked. For exposed keys, revoking also resolves the Secret Scanner finding in the Secret Scanner dashboard.
You can manage your team’s API key settings and permissions by clicking API Key Settings in the Postman API key management dashboard.
By default, anyone in your team can generate Postman API keys. You can turn off the Allow anyone in your team to generate API keys setting to prevent users from creating new Postman API keys.
You can specify the expiration settings for all API keys that your team creates with the Set expiry for API keys setting. This overrides any expirations already set by users. It also applies to any Postman API keys your team creates in the future.
The Auto revoke exposed Postman API keys setting enables Postman to automatically revoke any publicly exposed API keys found in publicly available Postman resources, GitHub repositories, and GitLab repositories. When the Postman Secret Scanner detects exposed keys in public GitHub or GitLab repositories or public Postman resources, it revokes each exposed key and notifies that key’s owner by email.
If there are any exposed API keys present when you enable this setting, a warning appears.
You can choose to revoke or ignore the exposed keys when you enable this setting. Any publicly exposed keys detected by the Secret Scanner after you enable this setting will be automatically revoked.
If you need to revoke all of the Postman API keys generated by your team, click Revoke All. Postman notifies users by email when their API keys are revoked.
Last modified: 2025/08/29