Token Scanner

The Postman Token Scanner scans your public workspaces, collections, environments, and documentation to find accidentally exposed tokens. This protects your organization and prevents malicious users from exploiting the tokens.

Token Scanner is available only on the Enterprise plan and is enabled by default.


Use cases

A scan is triggered whenever your team members do any of the following actions:

  • Change the workspace visibility to Public.
  • Share a collection or environment to a public workspace.
  • Make changes to a collection or environment that is present in a public workspace.
  • Author new documentation for a Postman Collection and make it public.
  • Make any changes to publicly available Postman documentation.

Scan results are displayed in Security audit reports on the Reports section of the web dashboard.

Supported tokens

The Token Scanner will scan a variety of tokens by default. You can also add your team's proprietary third-party app tokens that are not supported yet using custom alerts.

Default alerts

By default, tokens issued by the following service providers are scanned:

  • Basic Auth
  • Bearer Token
  • Google API Key
  • Google OAuth Token
  • PGP Private Key
  • Postman API Key
  • RSA Private Key
  • Slack Access Token
  • Slack Webhook URL
  • SSH (DSA) Private Key
  • SSH (EC) Private Key
  • SSH (OpenSSH) Private Key
  • Stripe Restricted Key
  • Stripe Secret Key

Custom alerts

Custom alerts can be used to scan your team's proprietary and third-party app tokens that are not scanned by default.

Your team can add a total of five alerts.

To add custom alerts:

  1. Go to Team Settings > Token Scanner.
  2. In the Custom alerts section, click the Add alerts button.
  3. In the Add Alert page, define the custom token.