Configurable governance rules are available on Postman Enterprise plans with the API Builder add-on. If you don't have an Enterprise account, you'll be able to see the API Governance page, but you won't be able to add new rules.
You can customize the API Governance rules that Postman applies to your API definitions. Adhering to these API Governance rules at the start of the API lifecycle keeps your API consistent without requiring extra work at later stages. This can prevent unnecessary delays for your organization.
Super Admins and API Governance Managers can configure rules and turn them on and off for workspaces within your team. See Define roles and permissions within a Postman team for more information.
From the API Security tab, you can manage request-level security rules by turning them on and off as needed. To define and customize definition-level security rules, use the API Governance tab, where you can edit, turn on, or turn off these rules.
To access the configurable API Governance rules, do the following:
You can create new custom rules that Postman can use to evaluate your API's definition. Postman provides you with a boilerplate rule to help you start writing your custom rules. You can also use snippets of commonly used property-value pairs to help you write your custom rules.
To add a custom rule, do the following:
Go to the Postman home screen, and then select API Governance from the team information pane.
Select Create Rule.
Define the rule in the editor. It must adhere to custom rule guidelines.
You can use a curated list of commonly used property-value pair snippets to write your rules. Snippets are available in the right pane of the editor. Selecting a snippet adds the property-value pair automatically to your rule, helping you get started with writing rules. Once a snippet is added to your rule, you can edit it to meet your specific requirements.
Postman will prompt you with suggestions as you enter text. Select one to autocomplete your rule.
The rule must be valid YAML or JSON. Use the dropdown list to choose the correct syntax.
Select Create.
Find your new rule under Custom Rules and turn it on.
You can also select Upload file(s) to upload a new rule in valid YAML or JSON format.
You can't create a custom rule that duplicates an existing rule.
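An example of rule text that could be entered in the editor with the YAML syntax selected. It is added here and is not Postman's boilerplate rule or a rule from its library. It assumes that the custom rule guidelines accept Spectral-style rules (`given`, `then`, and the built-in `pattern` function) and that the API definition is OpenAPI 3; both rule names are hypothetical.

```yaml
# Added example, not Postman's boilerplate rule. Assumes Spectral-style rule
# syntax and an OpenAPI 3 definition; both rule names are hypothetical.
rules:
  # Flag any server URL that would send API traffic over plaintext HTTP.
  servers-must-use-https:
    description: Server URLs must use HTTPS so credentials and payloads are encrypted in transit.
    message: "Server URL '{{value}}' must start with https://"
    severity: error
    given: "$.servers[*].url"
    then:
      function: pattern
      functionOptions:
        match: "^https://"

  # Flag HTTP security schemes that declare Basic authentication.
  # The filter limits the check to schemes of type "http", where
  # the "scheme" field is required.
  no-http-basic-auth:
    description: Security schemes must not use HTTP Basic authentication.
    message: "Security scheme uses HTTP Basic; use bearer tokens or OAuth 2.0 instead."
    severity: warn
    given: "$.components.securitySchemes[?(@.type == 'http')]"
    then:
      field: scheme
      function: pattern
      functionOptions:
        # Scheme names are case-insensitive, so match every casing of "basic".
        notMatch: "^[Bb][Aa][Ss][Ii][Cc]$"
```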
To delete a custom rule, select Remove next to its name. If you delete a custom rule, and you want to add it back into Postman, you must select Create Rule to create the rule again.
You can write and add custom functions to your custom governance rules. For more information, see Adding custom governance functions.
In addition to the rules turned on by default in Postman, you can add other rules from the rule library to your team's rule library. You can also create your own custom rules.
The rule library has Postman's API governance guidelines, Zalando's RESTful API and event guidelines, and Postman's OWASP API guidelines.
Select the Rule Library tab, and then select the Rules tab.
Select Import to open the rule library.
Select Import next to a rule to import it. Details and API format requirements are available under the rule name.
You can select View all below a set of guidelines to view all of its rules. To import all rules for a particular set of guidelines, select Import All.
Once you import new rules from the library, add the rules to a workspace group to turn them on for the workspaces in the group.
You can turn individual governance rules on or off for various workspaces to meet your team's development needs. To do so, select the Workspace Groups tab. You can create a new group of workspaces to apply individual governance rules to by selecting Create Group, or you can select an existing group to update its governance configuration. To apply individual governance rules to all workspaces, select the default All workspaces group.
To turn a governance rule on or off for a workspace group, select an existing group, and then select Edit. To turn a governance rule on, select the checkbox next to the rule name. To turn a governance rule off, clear the checkbox next to the rule name.
Once you've made the desired changes, select Review Changes, then Apply Changes to save them. Your team will only see violations in your API's definition for the governance rules that have been explicitly applied to the workspace it resides in.
You can edit custom governance rules you created earlier.
Select the Rule Library tab, and then select the Rules tab.
Under Created by your team, select the name of the custom rule you'd like to edit.
Edit the custom rule, and then select Save.
To remove an API Governance rule, locate the rule in your team's rule library and select Remove next to its name. You can later choose to re-import it from the rule library.
If you remove a custom rule, you'll need to add it back into Postman using Create Rule if you want to use it again.
Last modified: 2024/12/09