How the Secret Scanner works

The Secret Scanner scans public workspaces and published documentation to detect exposed secrets, on all Postman plans. It's turned on by default for public workspaces and scans for:

Postman automatically replaces exposed secrets with placeholders if the Secret Scanner detects exposed supported secrets in your public workspaces. Team Admins and Workspace Admins are notified by email, Slack (if configured), and in-app notification if exposed secrets are automatically replaced.

Postman recommends using a vault secret as a placeholder for a real secret because each user can only access and use their own vault secrets. Vault secrets aren't synced to the Postman cloud. You can also use a variable as a placeholder if you'd like.

With Postman's Enterprise plan, you gain access to the Secret Scanner dashboard, where you can view scan results. With the Advanced Security Administration add-on, you get access to scan all workspace types, in addition to greater support for secrets in your Postman elements.

Automatically replace secrets detected in public workspaces

If the Secret Scanner detects exposed supported secrets in your public workspaces, Postman automatically replaces each secret with a placeholder. Postman notifies Team Admins and Workspace Admins by email and in-app notification that the secrets were detected and replaced with placeholders.

If the Secret Scanner detects exposed secrets in your public workspaces during its regular scans, Postman notifies Team Admins and Workspace Admins by email and in-app notification, and shows a notice in the workspace settings, each with a link to the Secret Scanner results. There, Admins can review and automatically replace all exposed secrets in the public workspace. If the secrets aren't replaced by the date given in the notifications, Postman automatically replaces each secret with a placeholder.

Exposed secrets are automatically replaced with placeholders as follows:

  • For HTTP collections and requests, secrets are replaced with a reference to a vault secret based on the detected key or token in lowercase, such as {{vault:authorization-secret}}.
  • For all other Postman elements, secrets are replaced with the detected key or token in uppercase with angle brackets around the text, such as <AUTHORIZATION_SECRET>.

Secrets exposed in multi-protocol collections aren't automatically replaced with placeholders. Secrets detected in multi-protocol collections must be removed or manually replaced with placeholders. Note that vault secrets aren't supported in multi-protocol collections.

It's important that you also revoke every exposed secret the Secret Scanner detects. Replacing a secret with a placeholder only removes it from the workspace going forward; anyone who viewed the public workspace or its published documentation before the replacement may already have a copy, so revoke the secret at the service that issued it and generate a new one.

To replace secrets detected during the Secret Scanner's regular scans, do the following:

  1. In the email, in-app notification, or workspace settings, click View Exposed Secrets to open the Secret Scanner results in Postman.

  2. In the results, review the details for each exposed secret:

    • Element name and location - The name and location of the element that contains the exposed secret. Click this to open the exposed secret in a new tab.
    • Element type - The type of element that contains the exposed secret.
    • Secret value - The exposed secret's masked value.
    • Secret name - The exposed secret's authorization type.
  3. Select Replace All Now to replace all exposed secrets in your public workspace with a placeholder. The syntax of the placeholder is based on the detected key or token and the Postman element it was found in.

    Replace all secrets with placeholders

    You can also remove or replace each secret one at a time. Select the element name and location for each exposed secret to open it in a new tab. Remove each exposed secret, or replace each value with a placeholder that's relevant to your API.
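The placeholder rules and the review details above can be reproduced locally before a collection is ever published. The following script is an added example and is not Postman's own code: it walks a Postman Collection v2.1 export, reports each exposed secret with its element path, location and masked value (as the Secret Scanner results do), and replaces it with a placeholder built by the rules above (`{{vault:...}}` for HTTP collections, `<...>` for other element types). Multi-protocol collections are only reported, not rewritten, matching the limitation described above. The secret pattern is an assumption: the page does not list the supported secret types, so the example detects only the Postman API key format (`PMAK-` followed by 24 and 34 hex characters); the sample collection is constructed for the example.

```javascript
// Added example, not Postman's code: local pre-publish check for a
// Postman Collection v2.1 export that mirrors the Secret Scanner behaviour.

// ASSUMPTION: the page does not list supported secret types, so only the
// Postman API key format is detected here (PMAK-<24 hex>-<34 hex>).
const SECRET_PATTERNS = [
  { name: "postman-api-key", regex: /\bPMAK-[0-9a-f]{24}-[0-9a-f]{34}\b/i },
];

// Placeholder rules from the page: HTTP collections get a lowercase vault
// reference; every other element type gets an uppercase, angle-bracketed token.
function placeholderFor(secretName, elementType) {
  const base = secretName.toLowerCase().replace(/[^a-z0-9]+/g, "-");
  if (elementType === "http") return `{{vault:${base}}}`;
  return `<${base.toUpperCase().replace(/-/g, "_")}>`;
}

// Keep a recognisable prefix and suffix, hide the rest (like the dashboard's masked value).
function mask(value) {
  if (value.length <= 9) return "*".repeat(value.length);
  return value.slice(0, 5) + "*".repeat(value.length - 9) + value.slice(-4);
}

// Walk the collection's `item` tree: folders carry `item`, requests carry `request`.
function* requests(items, path = []) {
  for (const it of items || []) {
    const here = [...path, it.name];
    if (it.item) yield* requests(it.item, here);
    else if (it.request) yield { path: here.join(" / "), request: it.request };
  }
}

// Scans headers, query parameters and auth parameters of every request.
// Mutates `collection` in place (only when protocol === "http") and returns
// the findings. Multi-protocol collections are reported but never rewritten,
// because the page states they must be fixed manually.
function scanCollection(collection, protocol = "http") {
  const findings = [];
  const check = (holder, key, location, element) => {
    const value = holder[key];
    if (typeof value !== "string") return;
    for (const { name, regex } of SECRET_PATTERNS) {
      const m = value.match(regex);
      if (!m) continue;
      const replaced = protocol === "http";
      findings.push({ element, location, secretName: name, maskedValue: mask(m[0]), replaced });
      if (replaced) holder[key] = value.replace(regex, placeholderFor(name, protocol));
    }
  };
  for (const { path, request } of requests(collection.item)) {
    for (const h of request.header || []) check(h, "value", `header ${h.key}`, path);
    const url = request.url;
    for (const q of (url && typeof url === "object" && url.query) || []) {
      check(q, "value", `query ${q.key}`, path);
    }
    const auth = request.auth || {};
    for (const p of auth[auth.type] || []) check(p, "value", `auth ${auth.type}.${p.key}`, path);
  }
  return findings;
}

// Constructed sample collection; the key value is a fabricated example, not a real key.
const SAMPLE_KEY = "PMAK-0123456789abcdef01234567-89abcdef0123456789abcdef0123456789";
const SAMPLE_COLLECTION = {
  info: { name: "Billing API", schema: "https://schema.getpostman.com/json/collection/v2.1.0/collection.json" },
  item: [
    { name: "Invoices", item: [
      { name: "List invoices", request: {
          method: "GET",
          header: [{ key: "X-Api-Key", value: SAMPLE_KEY }],
          url: { raw: "https://api.example.com/invoices", query: [{ key: "page", value: "1" }] } } },
      { name: "Get invoice", request: {
          method: "GET",
          header: [{ key: "Accept", value: "application/json" }],
          url: "https://api.example.com/invoices/1" } },
    ] },
  ],
};

// Usage: run on a copy so the sample stays intact, then print the findings.
const copy = JSON.parse(JSON.stringify(SAMPLE_COLLECTION));
console.log(JSON.stringify(scanCollection(copy), null, 2));
console.log(copy.item[0].item[0].request.header[0].value); // {{vault:postman-api-key}}
```

Run it with `node` against an export of your own collection instead of the sample to catch keys before publishing; a finding with `replaced: false` (a multi-protocol collection) still needs the value removed by hand, and every finding still needs the key revoked at the issuing service.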

Advanced Security Administration add-on

For Enterprise plans with the Advanced Security Administration add-on, the Secret Scanner scans all public workspaces, internal workspaces, and Partner Workspaces and delivers its results to the Secret Scanner dashboard. In those workspaces it scans for exposed secrets in all HTTP and multi-protocol collections, and in API specifications in the Postman API Builder.

For Partner Workspaces, the Secret Scanner also scans the initial values of environment and global variables.

Protect Postman API keys in GitHub

Postman also works with GitHub to detect Postman API keys committed to public repositories, on free and paid Postman plans alike. If you commit a valid Postman API key to a public GitHub repository, Postman notifies you by email and in-app notification. You can also set up Postman's integration for Slack to alert you in Slack if this occurs.

It's recommended you delete the exposed API key in your API keys dashboard; treat the key as compromised even if the commit has since been removed, because public repository history and forks may still hold it. You can then generate a new API key to continue working with the Postman API.

Protect Postman API keys in GitLab

This feature is available with GitLab Ultimate plans.

Postman works with GitLab to detect Postman API keys committed to public GitLab repositories, on free and paid Postman plans alike. If you commit a valid Postman API key to a public GitLab repository, Postman notifies you by email and in-app notification.

It's recommended you delete the exposed API key in your API keys dashboard. You can then generate a new API key to continue working with the Postman API.

Last modified: 2025/08/13