Security for Postman developers

As a developer creating APIs, you can secure your work in Postman using variables, leveraging 2FA, protecting your Postman API key, limiting your workspace visibility, and storing your secrets in Postman Vault.

Variables

Postman enables you to store and reuse values in your collections, requests, and scripts as variables. Variables are available in different scopes (global, collection, and environment) to support your use cases and workflows. You can also use local-scope variables to prevent data from being synchronized to Postman's servers.

Postman environment variables are encrypted on the server before storage using AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode). You can also use a secret data type that's only available in environment variables. Using it masks the value of these secret variables, which helps you avoid unintentionally exposing sensitive tokens to an unintended audience, for example during screen sharing or live streaming. Postman recommends securing variables with Postman Vault when storing sensitive data such as API keys, access tokens, or passwords.
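To make the scope and secret-type behaviour above concrete, here is an added illustration (not Postman's own code) of how a {{name}} placeholder is resolved across scopes in Postman's documented precedence order (local, data, environment, collection, global) and how a secret-typed environment value can be masked in anything that is displayed or logged. The function and scope names are this example's own, and the sample values are constructed.

```javascript
// Scope precedence, highest first, as documented by Postman.
const PRECEDENCE = ["local", "data", "environment", "collection", "global"];

// Each scope maps a variable name to { value, type }; type is "default" or
// "secret". The secret type is only permitted in the environment scope.
function makeScopes() {
  return Object.fromEntries(PRECEDENCE.map((s) => [s, new Map()]));
}

function setVar(scopes, scope, name, value, type = "default") {
  if (!PRECEDENCE.includes(scope)) throw new Error(`unknown scope: ${scope}`);
  if (type === "secret" && scope !== "environment") {
    throw new Error("secret type is only available in environment variables");
  }
  scopes[scope].set(name, { value, type });
}

// Return the first match walking scopes from highest to lowest precedence.
function lookup(scopes, name) {
  for (const scope of PRECEDENCE) {
    if (scopes[scope].has(name)) return { scope, ...scopes[scope].get(name) };
  }
  return null;
}

// Resolve {{name}} placeholders in a template. With mask=true (what a shared
// screen or a log line should see) secret values are replaced by a fixed mask.
function resolve(scopes, template, { mask = false } = {}) {
  return template.replace(/\{\{([^{}]+)\}\}/g, (whole, name) => {
    const hit = lookup(scopes, name.trim());
    if (!hit) return whole; // unresolved placeholders are left untouched
    return mask && hit.type === "secret" ? "******" : String(hit.value);
  });
}

// Constructed sample: a key kept as an environment secret, and a base URL
// overridden in local scope for one run so the override is never synced.
const scopes = makeScopes();
setVar(scopes, "global", "baseUrl", "https://api.example.com");
setVar(scopes, "environment", "apiKey", "env-key-CONSTRUCTED", "secret");
setVar(scopes, "local", "baseUrl", "http://localhost:8080");
```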

Two-factor authentication (2FA)

Enable 2FA for your Postman account to add an extra layer of security when you sign in using a password. Using 2FA reduces the risk of an attacker compromising your account if they know your password. You can enable the feature in your account settings, or see Manage your Postman account settings for a step-by-step guide.

Protect your Postman API key in GitHub

Postman sends an alert when you accidentally commit a Postman API key to a public GitHub repository. This alert lets you respond before any unauthorized access to your Postman data occurs. If you receive an email or in-app notification about a leaked Postman API key in GitHub, Postman recommends that you delete the leaked API key immediately.

API encryption configuration

As a Postman API developer, you can configure your API encryption using the following options:

  • Using the server cipher suite during the handshake.
  • Disabling protocols during the handshake.
  • Selecting a custom cipher suite.
  • Using client SSL certificates.

Workspaces

Workspaces help you organize your work and collaborate with others on your APIs. They serve as a single source of truth for collections, environments, mocks, monitors, and other linked entities.

Private workspaces allow teams to restrict access or visibility to collections, environments, mocks, and monitors to only a particular group.

Postman Vault

Postman Vault enables you to store sensitive data, such as API keys and passwords, as vault secrets in your local instance of Postman and reuse them in your requests there.

Only you can access and reuse values associated with your vault secrets, and they aren't synced to the Postman Cloud.

Your vault secrets are encrypted using AES-256-GCM.

You can also use Guided Auth to add vault secrets that hold authentication credentials for public APIs. You can reference vault secrets added using Guided Auth in your HTTP requests, and reuse the same credentials in new HTTP requests to the same public APIs.

Postman supports integrations with 1Password, AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault.

Last modified: 2025/06/13