The Secret Scanner scans public workspaces and published documentation to detect exposed secrets on all Postman plans. It is turned on by default for public workspaces on all Postman plans and scans for:
If the Secret Scanner detects a supported secret type exposed in one of your public workspaces, Postman automatically replaces the secret with a placeholder. Team Admins and Workspace Admins are notified by email, Slack (if configured), and in-app notification whenever exposed secrets are replaced this way.
Postman recommends a vault secret as the placeholder for a real secret: vault secrets are per-user (each user can only access and use their own) and aren’t synced to the Postman cloud, so sharing the collection doesn’t share the underlying value. You can also use a variable as a placeholder if you prefer.
With Postman’s Enterprise plan, you also get the Secret Scanner dashboard, where you can view scan results. With the Advanced Security Administration add-on, scanning extends to all workspace types, with broader coverage of secrets across your Postman elements.
Exposed secrets are automatically replaced with one of the following placeholders:

- A vault secret reference: {{vault:authorization-secret}}
- A literal placeholder: <AUTHORIZATION_SECRET>

Secrets exposed in multi-protocol collections aren’t automatically replaced. They must be removed or manually replaced with a placeholder, and because vault secrets aren’t supported in multi-protocol collections, that placeholder has to be a variable or a literal rather than a vault secret reference.
It’s important that you also revoke any exposed secret the Secret Scanner detects. Replacing the value with a placeholder only removes it from Postman; the credential itself remains valid at the service that issued it until you revoke or rotate it there.
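The replacement behaviour described above (a vault secret reference for HTTP collections, a non-vault placeholder where vault secrets aren’t supported, and revocation as a separate step), as an added example that is not part of Postman’s documentation or code. It scans an exported collection JSON with a small set of detector patterns and returns both the scrubbed copy and a list of what still needs revoking. The Postman API key shape, the bearer-token rule, and the sample collection are assumptions constructed for this example, not taken from the page.

```javascript
'use strict';
// Added example (not Postman's code): scan an exported Postman collection (JSON)
// for exposed secrets, replace each match with a placeholder, and report what
// still needs revoking at the issuer. Detector patterns and the sample
// collection below are constructed for this example.

// Detector patterns. The Postman API key shape is the one commonly used by
// public secret-scanning tools (an assumption here, not taken from the page);
// the bearer-token rule is a deliberately loose illustration.
const DETECTORS = [
  { name: 'postman-api-key', pattern: /PMAK-[0-9a-f]{24}-[0-9a-f]{34}/gi },
  { name: 'bearer-token', pattern: /(?<=Bearer\s)[A-Za-z0-9._-]{20,}/g },
];

// Placeholder per collection kind. Vault secret references are per-user and
// not synced to the Postman cloud, but they aren't supported in
// multi-protocol collections, so those get a literal placeholder instead.
const PLACEHOLDERS = {
  'http': '{{vault:authorization-secret}}',
  'multi-protocol': '<AUTHORIZATION_SECRET>',
};

// Replace every match in one string, recording each finding with its JSON path.
function scrubString(text, placeholder, path, findings) {
  let out = text;
  for (const { name, pattern } of DETECTORS) {
    out = out.replace(pattern, (match) => {
      findings.push({ detector: name, path, value: match });
      return placeholder;
    });
  }
  return out;
}

// Walk the collection tree (objects, arrays, strings) and build a scrubbed
// copy; the input is never mutated.
function scrubNode(node, placeholder, path, findings) {
  if (typeof node === 'string') return scrubString(node, placeholder, path, findings);
  if (Array.isArray(node)) {
    return node.map((v, i) => scrubNode(v, placeholder, `${path}[${i}]`, findings));
  }
  if (node !== null && typeof node === 'object') {
    const out = {};
    for (const [key, value] of Object.entries(node)) {
      out[key] = scrubNode(value, placeholder, path ? `${path}.${key}` : key, findings);
    }
    return out;
  }
  return node; // numbers, booleans, null pass through unchanged
}

// kind is 'http' or 'multi-protocol'; returns a scrubbed copy plus the findings.
function scanCollection(collection, kind) {
  const placeholder = PLACEHOLDERS[kind];
  if (placeholder === undefined) {
    throw new Error(`unknown collection kind: ${kind}`);
  }
  const findings = [];
  const scrubbed = scrubNode(collection, placeholder, '', findings);
  return { collection: scrubbed, findings };
}

// Placeholders only hide the value in Postman; the credential itself stays
// valid until revoked. Produce a redacted to-do list for that step.
function revocationReport(findings) {
  return findings.map(({ detector, path, value }) => {
    const redacted = `${value.slice(0, 8)}...${value.slice(-4)}`;
    return `${detector} at ${path}: ${redacted} (revoke at the issuer)`;
  });
}

// Constructed sample: a v2.1-style collection with two exposed values.
const SAMPLE_COLLECTION = {
  info: { name: 'constructed sample' },
  item: [
    {
      name: 'List workspaces',
      request: {
        method: 'GET',
        url: 'https://api.getpostman.com/workspaces',
        header: [{ key: 'X-Api-Key', value: 'PMAK-0123456789abcdef01234567-89abcdef0123456789abcdef0123456789' }],
      },
    },
    {
      name: 'Call downstream service',
      request: {
        method: 'GET',
        url: 'https://example.com/me',
        header: [{ key: 'Authorization', value: 'Bearer eyJhbGciOiJIUzI1NiJ9.constructed-payload.constructed-sig' }],
      },
    },
  ],
};

const demo = scanCollection(SAMPLE_COLLECTION, 'http');
console.log(JSON.stringify(demo.collection, null, 2));
console.log(revocationReport(demo.findings).join('\n'));
```

Run it with `node` on the exported collection in place of `SAMPLE_COLLECTION`; for a multi-protocol collection pass `'multi-protocol'` so the substituted placeholder is one that collection type can actually hold. The report is the part to act on: the scrubbed JSON is safe to publish, but each listed key still has to be revoked or rotated where it was issued.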
For Enterprise plans with the Advanced Security Administration add-on, the Secret Scanner scans all public workspaces, internal workspaces, and Partner Workspaces and delivers its results to the Secret Scanner dashboard. It scans all HTTP and multi-protocol collections, as well as API specifications in the Postman API Builder.
For Partner Workspaces, the Secret Scanner also scans the shared values of environment and global variables.
Postman also works with GitHub to protect your Postman API keys, on free and paid Postman plans. If you commit a valid Postman API key to a public GitHub repository, Postman notifies you by email and in-app notification. You can also set up Postman’s integration for Slack to receive the alert in Slack.
It’s recommended you delete the exposed API key in your API keys dashboard, then generate a new API key to continue working with the Postman API. Deleting the key is what revokes it; removing it from the repository doesn’t, since the key may already have been copied from the public history.
This feature is available with GitLab Ultimate plans.
Postman works with GitLab to protect your Postman API keys in public GitLab repositories, on free and paid Postman plans. If you commit a valid Postman API key to a public GitLab repository, Postman notifies you by email and in-app notification.
As with GitHub, it’s recommended you delete the exposed API key in your API keys dashboard and generate a new one to continue working with the Postman API.
Last modified: 2025/09/23