The Postman Token Scanner scans your public workspaces, collections, environments, and documentation to find accidentally exposed tokens. This protects your organization and prevents malicious users from exploiting the tokens.
Token Scanner is available on all Postman plans and is enabled by default.
A scan is triggered whenever your team members do any of the following actions:
- Change the workspace visibility to Public.
- Share a collection or environment to a public workspace.
- Make changes to a collection or environment that is present in a public workspace.
- Author new documentation for a Postman Collection and make it public.
- Make any changes to publicly available Postman documentation.
Scan results are displayed in Security audit reports on the Reports section of the web dashboard.
The Token Scanner will scan a variety of tokens by default. You can also add your team's proprietary third-party app tokens that are not supported yet using custom alerts.
By default, tokens issued by the following service providers are scanned:
- Airtable API Key
- Basic Auth
- Bearer Token
- DSA Private Key
- EC2 SSH Private Key
- GitHub Personal Access Token
- Google API Key
- Google OAuth Token
- OpenSSH Private Key
- PGP Private Key
- Postman API Key
- RSA Private Key
- Slack Webhook URL
- Stripe Restricted Key
- Stripe Secret Key
- Telegram Bot Access Token
- Twilio API Key
Custom alerts can be used to scan your team's proprietary and third-party app tokens that are not scanned by default.
Your team can add a total of five alerts. You must be a Community Manager or member with both Developer and Admin roles to add custom alerts.
To add custom alerts:
- Go to Team Settings > Token Scanner.
- In the Custom alerts section, click Add Alert.
- In the Add Alert page, define the custom token.