Security for Postman developers

As a developer creating APIs, you can secure your work in Postman using variables, leveraging 2FA, protecting your Postman API key, limiting your workspace visibility, and storing your secrets in Postman Vault.

Variables

Postman enables you to store and reuse values in your collections, requests, and scripts as variables. Variables are available in different scopes (global, collection, and environment) to support your use cases and workflows. You can also use local scope variables to prevent data synchronization to Postman’s servers.

Postman environment variables are encrypted on the server before storage using AES-256-GCM (Advanced Encryption Standard - 256-bit key - Galois/Counter Mode). You also can use a sensitive data type that’s only available in environment variables. Using it masks the value of these secret variables, helping you avoid unintentionally sharing sensitive tokens, for example, during screen sharing or live streaming. Postman recommends securing variables with Postman Vault when storing sensitive data such as API keys, access tokens, or passwords.

Two-factor authentication (2FA)

Enable 2FA for your Postman account to add an extra layer of security when you sign in using a password. Using 2FA can reduce the potential risk of an attacker compromising your account if they know your password. You can enable the feature in your account settings or see Manage your Postman account settings for a step-by-step guide.

Protect your Postman API key in GitHub

Postman sends an alert when you accidentally commit a Postman API key to a public GitHub repository. This capability is key to responding before any unauthorized access to your Postman data. If you receive an email or in-app notification about a leaked Postman API key in GitHub, Postman recommends that you delete the leaked API key immediately.
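
A local check that complements the GitHub alert described above, added here as an example and not part of Postman's documentation or tooling: it scans the lines a unified diff adds for strings shaped like a Postman API key, so a commit can be stopped before it reaches a public repository. The key pattern (`PMAK-` prefix followed by 24 and 34 hex characters) is an assumption taken from common open-source secret scanners, and the sample diff and key are constructed.

```python
import re
import sys

# Assumption: key shape "PMAK-" + 24 hex + "-" + 34 hex, as used by common
# open-source secret scanners. The page itself does not state the format.
PMAK_RE = re.compile(r"PMAK-[0-9a-f]{24}-[0-9a-f]{34}", re.IGNORECASE)
HUNK_RE = re.compile(r"@@ -\d+(?:,\d+)? \+(\d+)")

def redact(key):
    return key[:9] + "..." + key[-4:]   # enough to identify the key, never all of it

def scan_added_lines(diff_text):
    """Return [(path, new_line_no, redacted_key)] for keys on lines a diff adds."""
    findings, path, line_no, in_hunk = [], None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("diff --git "):
            in_hunk = False                      # next file's headers follow
        elif not in_hunk and raw.startswith("+++ "):
            path = raw[4:][2:] if raw[4:].startswith("b/") else raw[4:]
        elif raw.startswith("@@"):
            m = HUNK_RE.match(raw)
            line_no, in_hunk = (int(m.group(1)) if m else 0), True
        elif in_hunk and raw.startswith("+"):
            for m in PMAK_RE.finditer(raw[1:]):
                findings.append((path, line_no, redact(m.group(0))))
            line_no += 1
        elif in_hunk and raw.startswith(" "):
            line_no += 1                         # context line exists in the new file
    return findings

# Constructed sample: a fake key built at runtime, removed on one line, added on another.
FAKE_KEY = "PMAK-" + "a1b2c3d4" * 3 + "-" + "0f" * 17
SAMPLE_DIFF = "\n".join([
    "diff --git a/ci/run.sh b/ci/run.sh",
    "--- a/ci/run.sh",
    "+++ b/ci/run.sh",
    "@@ -1,3 +1,3 @@",
    " #!/bin/sh",
    "-OLD_KEY=" + FAKE_KEY,
    "+export POSTMAN_API_KEY=" + FAKE_KEY,
    " set -eu",
])

if __name__ == "__main__":
    hits = scan_added_lines(sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF)
    for path, line_no, key in hits:
        print(f"{path}:{line_no}: possible Postman API key {key}")
    sys.exit(1 if hits else 0)
```

Piping `git diff --cached` into the script from a pre-commit hook makes a non-zero exit status block the commit. Only added lines are checked, so a key that already exists in pushed history still needs to be deleted in Postman as the section recommends.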

API encryption configuration

As a Postman API developer, you can configure your API encryption using the following options:

  • Using the server cipher suite during handshake.
  • Disabling protocols during handshake.
  • Selecting a custom cipher suite.
  • Using client SSL certificates.

Workspaces

Workspaces help you organize your work and collaborate with others on your APIs. They serve as a single source of truth for collections, environments, mocks, monitors, and other linked entities.

Private workspaces allow teams to restrict access or visibility to collections, environments, mocks, and monitors to only a particular group.

Postman Vault

Postman Vault enables you to store sensitive data as vault secrets in your local instance of Postman. Vault secrets are sensitive data, such as API keys and passwords, that you store in your Postman Vault and reuse in your local instance of Postman.

Only you can access and reuse values associated with your vault secrets, and they aren’t synced to the Postman Cloud.

Your vault secrets are encrypted using AES-256-GCM.

Postman supports integrations with 1Password, AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault.