How the Secret Scanner works
With Secret Scanner, you can detect and protect sensitive information, like API keys and tokens, across your Postman workflows. It helps reduce the risk of secret exposure by securing secrets before they’re shared, detecting exposed secrets in the Postman cloud, and notifying you when Postman API keys are exposed in supported external repositories.
Local Secret Protection
Local Secret Protection proactively detects sensitive information, such as API keys, tokens, and passwords, in your Postman elements before it can be saved to the Postman cloud, local files, or connected Git repositories. When you save changes, Local Secret Protection scans for exposed secrets and prompts users or applies organization policies to determine how those secrets are handled.
Detection includes default secret patterns for secrets issued by common service providers. On Enterprise plans with the Advanced Security Administration add-on, you can also use custom patterns to detect secrets specific to your organization.
What happens when a secret is detected
When Local Secret Protection detects a secret, Postman prompts you to choose how to handle it before saving.
You can choose any of the following options:
- Store the secret in your Postman Local Vault.
- (Paid plans only) Store detected secrets in the workspace’s Postman Shared Vault.
- Ignore the detected secret and store it in plain text.
- Remove the secret before saving.
For Enterprise plans, Team Admins can enable Local Secret Protection and define workspace-level policies that control how detected secrets are handled. By default, Postman prompts users to choose how to handle detected secrets. Depending on the configured policy, detected secrets can instead be moved automatically to a local or shared vault, or users can be required to provide a justification when overriding a detected secret.
To learn more about configuring policies on an Enterprise plan, see Manage Local Secret Protection policies.
How secrets are secured
If you choose to store an exposed secret in Postman Vault, the value is replaced with a secure collection variable. The variable references the vault secret instead of storing the actual value. This way, your secrets are securely stored in Postman Vault and aren’t exposed in your workspace. This also gives you greater control over your team’s security posture and compliance requirements.
Cloud Secret Detection
With Cloud Secret Detection, secrets are detected in Postman elements stored in the Postman cloud. Public workspaces are scanned by default. You can also scan internal workspaces and Partner Workspaces on Postman Enterprise plans with the Advanced Security Administration add-on.
By default, scanning is based on default secret patterns in the following elements:
- HTTP and multi-protocol collections, including requests and responses.
- The shared values of variables.
- Published documentation.
Custom patterns for proprietary or third-party tokens are supported on Postman Enterprise plans with the Advanced Security Administration add-on.
What happens when a secret is detected
When exposed secrets are detected, Team and Workspace Admins are notified by email, Slack (if configured), and in-app notifications.
On Enterprise plans, Team Admins can view and take action on detected secrets in the Secret Scanner dashboard.
Make sure to revoke any secrets that have been exposed and replace them with new secrets. Postman recommends securing secrets in your Postman Local Vault or your workspace’s Postman Shared Vault. Learn more about storing secrets in Postman Vault.
How secrets are handled in public workspaces
If exposed secrets are detected in public workspaces, Postman automatically replaces each secret with a placeholder. Admins and Workspace Admins are notified when secrets are detected and replaced.
Exposed secrets are replaced as follows:
- For HTTP collections and requests, secrets are replaced with a variable based on the detected key or token in lowercase, such as {{authorization-secret}}.
- For all other Postman elements, secrets are replaced with the detected key or token in uppercase with angle brackets around the text, such as <AUTHORIZATION_SECRET>.
Secrets exposed in multi-protocol collections aren’t automatically replaced with placeholders. Secrets detected in multi-protocol collections must be removed or manually replaced with placeholders. Note that vault secrets aren’t supported in multi-protocol collections.
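The following script is an added example, not Postman's own scanner code, that shows in working form what the two sections above describe: walking the elements of a collection export (request headers, URLs, bodies and variable values) looking for secret-like strings, and replacing each hit with a placeholder built by the rule above (lowercase `{{...}}` variable for HTTP collections and requests, uppercase `<...>` for other elements). The detection patterns, the sample collection and the provider key formats are constructed for illustration and are not Postman's default patterns; the collection layout follows the Postman Collection v2.1 JSON structure, and the `element_kind` parameter is an assumption that stands in for Postman's knowledge of which element type it is scanning.

```python
"""Added example: detect secret-like values in a Postman collection export and
replace them with placeholders, following the replacement rules described above."""
import json
import re

# Constructed detection patterns (NOT Postman's default patterns). The first stands in
# for a "common service provider" key format; the second for a custom organization pattern.
PATTERNS = {
    "authorization-secret": re.compile(r"\bsk_live_[0-9A-Za-z]{24}\b"),  # hypothetical provider key
    "acme-token": re.compile(r"\bACME-[0-9a-f]{32}\b"),                  # hypothetical custom pattern
}

# Constructed sample collection (Collection v2.1 layout) with three embedded secrets.
SAMPLE_COLLECTION = {
    "info": {
        "name": "Payments API (sample)",
        "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json",
    },
    "variable": [
        {"key": "baseUrl", "value": "https://api.example.test"},
        {"key": "apiKey", "value": "sk_live_abcdefghijklmnopqrstuvwx"},
    ],
    "item": [
        {
            "name": "Create charge",
            "request": {
                "method": "POST",
                "header": [{"key": "Authorization", "value": "Bearer sk_live_abcdefghijklmnopqrstuvwx"}],
                "url": "{{baseUrl}}/charges",
                "body": {"mode": "raw", "raw": '{"token": "ACME-0123456789abcdef0123456789abcdef"}'},
            },
        }
    ],
}


def placeholder_for(name: str, element_kind: str) -> str:
    """Build the placeholder for a detected key name.

    HTTP collections and requests get a lowercase variable, e.g. {{authorization-secret}};
    every other element kind gets uppercase text in angle brackets, e.g. <AUTHORIZATION_SECRET>.
    """
    if element_kind == "http":
        return "{{" + name.lower() + "}}"
    return "<" + name.upper().replace("-", "_") + ">"


def _walk(node, path, on_string):
    """Rebuild the JSON tree, handing every string (with its JSON path) to on_string."""
    if isinstance(node, dict):
        return {k: _walk(v, f"{path}.{k}" if path else k, on_string) for k, v in node.items()}
    if isinstance(node, list):
        return [_walk(v, f"{path}[{i}]", on_string) for i, v in enumerate(node)]
    if isinstance(node, str):
        return on_string(path, node)
    return node


def scan_collection(collection, element_kind="http"):
    """Return (redacted_copy, findings).

    findings is a list of {"path", "pattern", "placeholder"} dicts, one per replaced match.
    The input collection is left untouched; a redacted copy is returned.
    """
    findings = []

    def on_string(path, text):
        for name, rx in PATTERNS.items():
            def replace(match, name=name):
                ph = placeholder_for(name, element_kind)
                findings.append({"path": path, "pattern": name, "placeholder": ph})
                return ph
            text = rx.sub(replace, text)
        return text

    return _walk(collection, "", on_string), findings


if __name__ == "__main__":
    redacted, findings = scan_collection(SAMPLE_COLLECTION)
    for f in findings:
        print(f"{f['path']}: matched '{f['pattern']}', replaced with {f['placeholder']}")
    print(json.dumps(redacted, indent=2))
```

Running the script reports three findings (the shared variable value, the Authorization header and the raw body) and prints the redacted copy; a second pass over the redacted copy finds nothing, which is the check a practitioner wants before sharing or committing an export. Note that, as the text above states, placeholder replacement does not fix the exposure itself: a detected key still has to be revoked and reissued.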
Postman recommends storing secrets in your local vault or shared vault to keep them secure and avoid exposure. Learn more about storing secrets in Postman Vault.
Protect secrets in external repositories
Postman helps protect your Postman API keys even when they’re exposed outside of Postman, such as in public code repositories. If a valid Postman API key is detected in a supported external service, Postman notifies you so you can take action quickly.
With Local Secret Protection, secrets are detected and secured in Postman Vault before they can be synced to the Postman cloud or committed to a connected Git repository. Working in Local View helps prevent exposing sensitive data in local files and repositories connected to Postman.
Protect Postman API keys in GitHub
Postman also works with GitHub to ensure that your Postman API keys are secure for free and paid Postman plans. If you commit a valid Postman API key to a public GitHub repository, Postman notifies you by email and in-app notification. You can also set up Postman’s integration for Slack to alert you in Slack if this occurs.
It’s recommended that you delete the exposed API key in your API keys dashboard. You can then generate a new API key to continue working with the Postman API.
Protect Postman API keys in GitLab
This feature is available with GitLab Ultimate plans.
Postman works with GitLab to protect your Postman API keys in GitLab public repositories for free and paid Postman plans. If you commit a valid Postman API key to a public GitLab repository, Postman notifies you by email and in-app notification.
It’s recommended that you delete the exposed API key in your API keys dashboard. You can then generate a new API key to continue working with the Postman API.