Security for Postman teams

Postman's advanced administration features for teams include single sign-on support, audit logs, role-based access control (RBAC), configurable API encryption, and a token scanner that searches for exposed sensitive information.

You can use Postman's RBAC system to manage your team's resource visibility, define the development workflow, and give administrative and billing personnel the access they need. Postman's token scanning also lets you identify exposed proprietary and third-party tokens. Furthermore, you can manage your team's public resources to secure your data.

A Team Admin can define security configurations at the team level.

Single sign-on

Postman supports single sign-on (SSO) for Enterprise teams using the SAML 2.0 standard and most identity providers, including Okta, OneLogin, and Duo. Postman recommends setting up SSO for your Postman team to get a seamless sign-in experience. Implementing SSO will also enforce team multi-factor authentication and help your organization meet regulatory compliance requirements.

Domain capture

Use domain capture to manage all the Postman accounts that you created with your organization’s domains or subdomains. You can also consolidate all Postman users in your organization into a single team. In addition, you can enable System for Cross-domain Identity Management (SCIM) provisioning and auto-flex, a flexible billing feature. Doing so can ease the process of onboarding new Postman team users when domain capture is enabled.

User provisioning

Postman supports SCIM, which allows you to automate user provisioning and deprovisioning for your team. With SCIM enabled, you can deploy Postman to your organization and control who can access it using your identity provider.

User groups

Leverage user groups to organize your team members into functional groups that mimic your organizational structure. You can also assign specific roles to these groups and enable access to particular resources for all the members. Postman recommends using user groups to manage access control while seamlessly onboarding new Postman team members.

Token scanning with custom alerts

Your data security is Postman's priority. The Postman Secret Scanner searches for leaked sensitive tokens on public elements such as collections, environments, and documentation. Then, it sends an alert when a leak is detected.

Postman supports an extensive list of tokens, but the Secret Scanner isn't limited to them. Admins can add their own proprietary and third-party token formats by defining custom token alerts. Postman will then scan for these tokens in the team's context and alert on any exposure.
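As an added example (not Postman's own scanner code), the following Python does what a custom token alert does in miniature: it walks an exported collection and environment, matches one built-in-style pattern and one assumed proprietary `acme_` token format, and reports the JSON path of each hit with the value redacted so the alert itself does not re-leak the secret. The sample exports and the `acme_` prefix are constructed for this example.

```python
import re

# Patterns the scanner looks for. The "acme_" prefix is an assumed, constructed
# proprietary token format standing in for a custom token alert; the AWS access
# key ID shape is the well-known public format.
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "acme_api_token": re.compile(r"\bacme_[A-Za-z0-9]{32}\b"),
}

def _walk(node, path="$"):
    """Yield (json_path, text) for every string leaf in an exported element."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _walk(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _walk(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def redact(secret):
    """Keep only the first and last four characters so alerts never re-leak the token."""
    return secret[:4] + "..." + secret[-4:] if len(secret) > 12 else "*" * len(secret)

def scan_element(element, patterns=TOKEN_PATTERNS):
    """Return one finding per token match: type, JSON path, and redacted value."""
    findings = []
    for path, text in _walk(element):
        for name, pattern in patterns.items():
            for match in pattern.finditer(text):
                findings.append({"token_type": name, "path": path, "value": redact(match.group(0))})
    return findings

# Constructed sample exports: a minimal Collection v2.1 with a token in an
# Authorization header, and an environment with a key in a variable value.
SAMPLE_COLLECTION = {
    "info": {"name": "Orders API", "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "item": [{"name": "List orders", "request": {
        "method": "GET",
        "header": [{"key": "Authorization", "value": "Bearer acme_" + "a" * 32}],
        "url": "https://orders.example.com/v1/orders"}}],
}
SAMPLE_ENVIRONMENT = {
    "name": "prod",
    "values": [{"key": "AWS_KEY", "value": "AKIA" + "A" * 16, "enabled": True},
               {"key": "BASE_URL", "value": "https://orders.example.com", "enabled": True}],
}

FINDINGS = scan_element(SAMPLE_COLLECTION) + scan_element(SAMPLE_ENVIRONMENT)
```

Each finding names the element path (for example `$.item[0].request.header[0].value`) so an admin can locate the leak without the alert carrying the full token.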

Public element management

The Manage public elements dashboard gives you a central place to control collections and environments shared outside your team for public consumption.

You'll need the Community Manager role in an Enterprise team to view and manage everything made public by your team, including collection links, documentation, and workspaces. You can also turn off the creation of new JSON links for collections.

Audit logs

Audit logs track Postman account changes related to user management, team management, billing, and security. Postman recommends regularly reviewing your Postman team’s audit log data for potential security issues.

Audit log API

Your Postman team’s audit logs are also available with the Postman API. You can integrate a Security Information and Event Management (SIEM) tool of your choice with this API to set up a threat intelligence system.

BYOK encryption

BYOK Encryption is available on Postman Enterprise plans with the Advanced Security Administration add-on.

With Bring Your Own Key (BYOK) Encryption, your team's sensitive data is encrypted and decrypted with your own customer-managed key stored in Amazon Key Management Service (KMS). BYOK offers your team seamless collaboration on sensitive data while adhering to your organization's security and compliance policies.

BYOK supports encryption for data synced to the Postman cloud in your team's environments, globals, and request history. Other Postman elements synced to the Postman cloud, such as workspaces and collections, aren't encrypted with BYOK.

As a Team Admin, work with your Customer Success Manager to set up and configure BYOK in your team. To learn more about BYOK Encryption, please contact your Postman Customer Success Manager or Postman support.

Last modified: 2025/06/13