Configure API Security rules in Postman

Configurable security rules are available on Postman Enterprise plans with the API Builder add-on. If you don't have an Enterprise account, you'll be able to see the API Security page, but you won't be able to turn rules on or off, or add new rules.

You can customize the API Security rules that Postman applies to your API definition and requests. Following these API Security rules enables you to keep your API secure and consistent. Learn about viewing security rule violations in API definitions and security warnings in requests.

Team Admins with a Developer role can configure security rules and turn them on and off for your team.

Configure rules for API definitions

Postman applies security rules to your API definition and shows rule violations that might impact your definition's security posture. Learn about viewing security rule violations in API definitions.

In addition to the rules turned on by default in Postman, you can create and apply your own custom rules to API definitions.

To access the configuration page for API definitions, do the following:

  1. Go to the Postman home screen.
  2. Select API Security from the team information pane.
  3. Make sure that API Definitions is selected.
  4. Turn security rules on or off for your team.

Add custom rules for API definitions

You can create new custom security rules that Postman can use to evaluate your API's definition. Postman provides you with a boilerplate rule to help you start writing your custom security rules. You can also use snippets of commonly used property-value pairs to help you write your custom security rules.

To add a custom rule, do the following:

  1. Go to the Postman home screen, and then select API Security from the team information pane.

  2. Select the Definitions tab.

  3. Select Create New Rule.

  4. Define the rule in the editor. It must adhere to custom rule guidelines.

    You can use a curated list of commonly used property-value pair snippets to write your rules. Snippets are available in the right pane of the editor. Selecting a snippet adds the property-value pair automatically to your rule, helping you get started with writing rules. Once added to your rule, you can edit the snippets to meet your specific requirements.

    Postman will prompt you with suggestions as you enter text. Select one to autocomplete your rule.

  5. The rule must be valid YAML or JSON. Use the dropdown list to choose the correct syntax.

  6. Select Create.

  7. Find your new rule under Custom Rules and turn it on.

You can also select Upload file(s) to upload a new rule in valid YAML or JSON format.

You can't create a custom rule that duplicates an existing rule.

To delete a custom rule, select the delete icon next to its name. If you delete a custom rule and later want it back in Postman, you must select Create New Rule and create the rule again.
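As an added illustration (not a rule from the Postman documentation itself), here is what a custom rule for an API definition can look like. It assumes that Postman's custom rule guidelines follow the Spectral ruleset format, where `given` selects nodes in the OpenAPI document with a JSONPath expression and `then` applies a core function such as `pattern` or `defined`; the rule names, messages and the two checks (HTTPS-only servers, a `security` requirement on every operation) are constructed for this example.

```yaml
# Added example of custom API definition rules in Spectral-style format.
# Assumption: Postman's custom rule guidelines accept this structure;
# rule names and messages below are constructed for the example.
rules:
  # Reject any server URL that is not HTTPS, so tokens and credentials
  # are never sent over a clear-text channel.
  servers-must-use-https:
    description: Every server URL in the definition must use HTTPS.
    message: "Server URL '{{value}}' does not use HTTPS"
    severity: error
    given: $.servers[*].url
    then:
      function: pattern
      functionOptions:
        match: "^https://"

  # Flag operations that do not declare a security requirement,
  # which is the usual sign of an unauthenticated endpoint.
  operations-must-declare-security:
    description: Every operation must declare a security requirement.
    message: "Operation has no 'security' requirement"
    severity: warn
    given: $.paths[*][get,put,post,delete,patch]
    then:
      field: security
      function: defined
```

Paste the rule into the editor with YAML selected in the syntax dropdown, select Create, and turn it on under Custom Rules; the same structure can be submitted as JSON instead. Once the rule is on, a definition whose `servers` list contains an `http://` URL, or whose operations omit `security`, shows the corresponding violation in the definition's security report.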

Configure rules for requests

Postman applies security rules configured for your API requests when you send requests to any API using either the Postman web app or the Postman desktop app. Learn about viewing security warnings in requests.

To access the configuration page for requests, do the following:

  1. Go to the Postman home screen.
  2. Select API Security from the team information pane.
  3. Select Requests.
  4. Turn security rules on or off for your team.

Turn configured rules on and off

Your team can turn individual security rules on or off to meet your development needs:

  • To turn a security rule on, select the toggle next to the rule name. You and your team members will see violations for this rule in your API's definition.
  • To turn a security rule off, select the toggle next to the rule name. You and your team members won't see violations for this rule in your API's definition.

Last modified: 2022/09/15