Postman Secret Scanner
With Postman Secret Scanner, you can detect and protect sensitive information, like API keys and tokens, across your Postman elements. It works across both local workflows and resources stored in the Postman cloud to reduce the risk of accidental exposure and unauthorized access.
Secret Scanner includes capabilities to identify exposed secrets, prevent them from being stored or shared insecurely, and help your team manage and respond to potential risks. It scans Postman elements like collections, environments, and published documentation, and provides tools to secure detected secrets using Postman Vault.
For Enterprise teams, Secret Scanner also offers centralized visibility and control through the Secret Scanner dashboard, along with advanced features like workspace-level policies and custom detection patterns.
About Secret Scanner
Postman Secret Scanner helps you identify and protect sensitive information across your Postman elements. The following features work together to help you both detect and prevent secret exposure:
- Local Secret Protection — Detects exposed secrets across elements before they leave your network and sync to the Postman cloud. It scans all workspace types, including connected Git projects. You can store detected secrets securely in Postman Vault, store them in plaintext, or remove them. Learn how Local Secret Protection secures secrets.
- Cloud Secret Detection — Detects exposed secrets across elements synced to the Postman cloud, and notifies you of any findings. It scans public workspaces by default. You can extend scans to internal workspaces and Partner Workspaces on Postman Enterprise plans with the Advanced Security Administration add-on. Learn how Cloud Secret Detection secures secrets.
Secret Scanner dashboard
On Enterprise plans, Team and Super Admins can use the Secret Scanner dashboard to manage how secrets are detected, handled, and analyzed across your organization. For Local Secret Protection, you can set workspace-level policies for how detected secrets are handled. For Cloud Secret Detection, you can view and manage detected secrets across your team’s workspaces.
Learn more about the Secret Scanner dashboard.
Customize secret detection
Use custom patterns in the dashboard to detect secrets specific to your organization, such as proprietary tokens. Custom patterns are available on Enterprise plans with the Advanced Security Administration add-on.
Learn how to use custom patterns.
View reports and insights
Use Secret Scanner reports to understand how secrets are detected and managed across your organization. Reports include metrics for both Local Secret Protection and Cloud Secret Detection. Secret Scanner reports are available on Postman Enterprise plans with the Advanced Security Administration add-on.
Learn more about Secret Scanner reports.
Manage findings with the Postman API
The Secret Scanner endpoints of the Postman API are available on the Postman Enterprise plan with the Advanced Security Administration add-on. For more information, see the pricing page.
Admins, Super Admins, and Workspace Admins can access Secret Scanner findings through the Postman API. Using the Postman API enables you to create custom automated workflows to retrieve and resolve identified secrets. To learn more, see the Postman API documentation.