# Security for Postman developers

Updated: 2025-06-13

As a developer creating APIs, you can secure your work in Postman by keeping values in variables instead of hard-coding them into requests, enabling two-factor authentication (2FA), protecting your Postman API key, limiting workspace visibility, and storing secrets in Postman Vault.

## Variables

Postman enables you to store and reuse values in your collections, requests, and scripts as [variables](/docs/sending-requests/variables/variables-intro/). Variables are available in several scopes (global, collection, and environment) so you can match the scope to your workflow. Local variables, which exist only for the duration of a request or collection run, are never synchronized to Postman's servers and are the right place for values that must not leave your machine.

Postman [environment variables](/docs/sending-requests/variables/managing-environments/) are encrypted on the server before storage using AES-256-GCM (Advanced Encryption Standard, 256-bit key, Galois/Counter Mode). Encryption at rest protects the stored data; it does not limit who in your team can read a variable once they have access to the environment.

You can also mark a variable as [sensitive data](/docs/sending-requests/variables/variables/#set-a-value-as-sensitive-data) (the secret variable type, available for environment and global variables). This masks the value in the Postman UI, helping you avoid unintentionally exposing tokens during screen sharing or live streaming. Masking is a display control, not a storage boundary: the value is still synced with its environment and is visible to anyone who can edit it. For sensitive data such as API keys, access tokens, or passwords, Postman recommends [Postman Vault](/docs/sending-requests/postman-vault/postman-vault-secrets/) instead.

## Two-factor authentication (2FA)

Enable 2FA for your Postman account to add a second factor when you sign in with a password. With 2FA enabled, an attacker who learns your password still cannot sign in without the second factor. You can enable the feature in your [account settings](https://go.postman.co/settings/me/account/), or see [Manage your Postman account settings](/docs/getting-started/account/settings/) for a step-by-step guide.
## Protect your Postman API key in GitHub

Postman [sends an alert](/docs/administration/managing-your-team/secret-scanner/how-secret-scanner-works/#protect-postman-api-keys-in-github) when a Postman API key is committed to a public GitHub repository. A leaked key acts with your account's permissions, so the alert is what lets you respond before anyone uses it to reach your Postman data. If you receive an email or in-app notification about a leaked Postman API key, revoke the leaked key immediately and generate a new one for any integration that still needs it.

## API encryption configuration

Postman's request settings let you control how the client negotiates TLS with the API you are testing:

* Using the server's cipher suite order during the handshake.
* Disabling specific protocols during the handshake (for example, refusing TLS 1.0 and TLS 1.1).
* Selecting a custom cipher suite, which restricts the list the client offers.
* Using [client SSL certificates](/docs/sending-requests/authorization/certificates/) for mutual TLS.

These options also double as a test harness for your own API: a request configured to offer only a deprecated protocol or a weak cipher should fail against a correctly hardened server. Keep SSL certificate verification enabled while you do this, or a misconfigured or intercepted endpoint will go unnoticed.

## Workspaces

[Workspaces](/docs/collaborating-in-postman/using-workspaces/overview/) help you organize your work and collaborate with others on your APIs. They serve as a single source of truth for collections, environments, mocks, monitors, and other linked entities. Private workspaces let teams [restrict access or visibility](/docs/collaborating-in-postman/using-workspaces/internal-workspaces/manage-workspaces/#change-workspace-visibility) of collections, environments, mocks, and monitors to a particular group.

## Postman Vault

[Postman Vault](/docs/sending-requests/postman-vault/postman-vault-secrets/) enables you to store sensitive data, such as API keys and passwords, as vault secrets in your local instance of Postman and reuse them in your requests. Only you can access and reuse your vault secrets; they aren't synced to the Postman cloud, so collaborators who share your environments never receive the values. Vault secrets are encrypted locally using AES-256-GCM.
You can also [use Guided Auth to add vault secrets](/docs/sending-requests/postman-vault/manage-vault-secrets-using-guided-auth/#add-authorization-as-vault-secrets-using-guided-auth) that hold authentication credentials for public APIs. [Reference vault secrets added using Guided Auth](/docs/sending-requests/postman-vault/manage-vault-secrets-using-guided-auth/#use-vault-secrets-added-using-guided-auth) in your HTTP requests, and reuse the same credentials in new requests to the same public APIs. Postman also supports [integrations](/docs/sending-requests/postman-vault/postman-vault-integrations/) with 1Password, AWS Secrets Manager, Azure Key Vault, and HashiCorp Vault, so you can reference secrets held in an existing secret manager instead of copying them into Postman.