Beta feature

Repro mode data redactions

Postman Insights takes the handling of user data seriously. This page describes the default set of fields and values that Postman Insights redacts, replacing them with *REDACTED*, to help ensure compliance with security and privacy requirements.

  • Sensitive keys - Predefined, case-insensitive field names that are automatically redacted, such as accessToken, auth-key, and x-api-key. These fields are considered sensitive and are masked to ensure data security.

  • Sensitive value RegEx - Regular expressions applied to field values to identify and redact patterns matching sensitive information, such as tokens, private keys, and authentication details.

Postman Insights also allows users to define additional redacted fields and values. See the Insights Settings tab for instructions about how to redact additional fields.

Sensitive keys

Sensitive keys are not case sensitive. They include the following:

  • accessToken
  • api-key
  • api_key
  • auth
  • auth-key
  • authKey
  • clientSecret
  • clientToken
  • consumerSecret
  • encryption_key
  • password
  • postman_sid
  • primarySecret
  • proxy-authorization
  • secondarySecret
  • secretKey
  • sessionToken
  • set-cookie
  • sso_jwt_key
  • token
  • tokenSecret
  • x-access-token
  • x-amz-security-token
  • x-api-key
  • x-auth-token
  • x-csrf-token
  • x-support-secret

Sensitive value RegEx

Sensitive value regular expressions include the following:

  • \bPMAK-[a-f0-9]{24}\b
  • (?i)https:\/\/creator\.zoho\.com\/api\/[A-Za-z0-9\/\-_\.]+\?authtoken=[A-Za-z0-9]+
  • \bt1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2}\b
  • \b(live|test)_[a-f0-9]{35}\b
  • (?i)https:\/\/[\w-]*\.?zoom\.us\/(j|my)\/[\d\w?=-]+\b
  • \bb\.AAAAAQ[0-9a-zA-Z_-]{156}\b
  • (?i)\beyJhbGciOi[a-z0-9_\-\.]{2,1000}\b
  • \bpypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000}\b
  • \bFLWSECK_TEST[a-h0-9]{12}\b
  • \bnpm_[a-zA-Z0-9]{36}\b
  • \b[0-9]{15,25}-[a-zA-Z0-9]{20,40}\b
  • \bSSWS [a-zA-Z0-9=_\-]{42}\b
  • \bEZAK[a-zA-Z0-9]{54}\b
  • \b(?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}\b
  • \bico-[a-zA-Z0-9]{32}\b
  • \bflb_live_[0-9a-zA-Z]{20}\b
  • \b[0-9a-f]{32}-us[0-9]{1,2}\b
  • \bdp\.audit\.[a-zA-Z0-9]{40,44}\b
  • (?i)\bduffel_live_[a-zA-Z0-9_-]{43}\b
  • \b(amqp|amqps):\/\/[\d\w\:?=-]+\b
  • \b[A-Za-z0-9]{14}\.atlasv1\.[A-Za-z0-9]{67}\b
  • (?i)\bsk-ant-api[0-9]{2}-[0-9a-z\-\_]{95}\b
  • \bdp\.pt\.[a-zA-Z0-9]{40,44}\b
  • \bAQVN[A-Za-z0-9_\-]{35,38}\b
  • (?i)\bsk_live_[0-9a-z]{24}\b
  • '[-]{5}BEGIN EC PRIVATE KEY[-]{5}([\s\S]{128,}?)[-]{5}END EC PRIVATE KEY[-]{5}'
  • \bhttps:\/\/[\w-]*\.?alchemyapi\.io\/v2\/[\d\w?=-]+\b
  • \bNRBR-[a-fA-F0-9]{19}\b
  • \b\d{15,16}(?:\||%)[0-9a-zA-Z_-]{27,40}\b
  • \bpscale_tkn_[A-Za-z0-9_]{43}\b
  • \btfp_[0-9A-Za-z-_]{59}\b
  • \bhttps:\/\/discord\.com\/api\/webhooks\/([0-9]{18,20})\/([0-9a-zA-Z_-]+)\b
  • (?i)\blin_api_[a-zA-Z0-9]{40}\b
  • \bdp\.sa\.[a-zA-Z0-9]{40,44}\b
  • \bdnkey-[a-zA-Z0-9=\-]{26}-[a-zA-Z0-9=\-]{52}\b
  • \b(pk|dk)(prod|test)[a-zA-Z0-9]{28}\b
  • \bglsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8}\b
  • (?i)\bhttps:\/\/api\.hubapi\.com\/webhooks\/v1\/[a-zA-Z0-9]+\/
  • \bhttps://[a-f0-9]{8}:[a-f0-9]{8}@(?:gems\\.contribsys\\.com|enterprise\\.contribsys\\.com)
  • Bearer xoxe.xox[bp]-\d-[a-zA-Z0-9]{163,166}
  • \bPMAK-[a-f0-9]{24}-[a-f0-9]{34}\b
  • \bSK[A-Fa-f0-9]{32}\b
  • (?i)\bshpat_[a-fA-F0-9]{32}\b
  • (?i)\bshppa_[a-fA-F0-9]{32}\b
  • (?i)\bfigd_[0-9a-z_-]{40}\b
  • \bp8e\-[a-zA-Z0-9\-]{32}\b
  • Bearer xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+
  • (?i)[0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com
  • (?i)https:\/\/(?:www.)?hooks\.zapier\.com\/hooks\/catch\/[a-z0-9]+\/[a-z0-9]+\/
  • \b(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b
  • \brzp_live_[0-9a-zA-Z-_]+\b
  • (?i)\bpk_[0-9a-z]{34}\b
  • (?i)\bshippo_test_[a-fA-F0-9]{40}\b
  • \b(pscale_pw_[a-zA-Z0-9=\-_\.]{32,64})\b
  • \bAIza[0-9a-zA-Z-_]{35}\b
  • '[-]{5}BEGIN OPENSSH PRIVATE KEY[-]{5}([\s\S]{128,}?)[-]{5}END OPENSSH PRIVATE KEY[-]{5}'
  • '[-]{5}BEGIN RSA PRIVATE KEY[-]{5}([\s\S]{128,}?)[-]{5}END RSA PRIVATE KEY[-]{5}'
  • (?i)\bduffel_test_[a-zA-Z0-9_-]{43}\b
  • (?i)\br8_[0-9a-z-_]{37}\b
  • (?i)\bhf_[0-9a-z]{34}\b
  • \b[a-f0-9]{8}:[a-f0-9]{8}\b
  • \bakaa[0-9a-z-]{15,1000}\b
  • (?i)\bghr_[0-9a-zA-Z]{36}\b
  • (?i)\bshippo_live_[a-fA-F0-9]{40}\b
  • \bglptt-[0-9a-f]{40}\b
  • \bdapi([a-hA-H0-9]{32})\b
  • \bpscale_app_secret_[a-zA-Z0-9=\-_\.]{43}\b
  • Bearer xox[os]-\d+-\d+-\d+-[a-fA-F\d]+
  • \bdt0c01\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{64}\b
  • \b(glc_[A-Za-z0-9+\/]{32,400}={0,2})\b
  • (?i)\brubygems_[a-f0-9]{48}\b
  • (?i)\bCCIPAT_[0-9a-z]{22}_[0-9a-z]{40}\b
  • \bNRII-[a-zA-Z0-9-]{32}\b
  • Bearer xoxb-[0-9]{10,13}\-[0-9]{10,13}[a-zA-Z0-9-]*
  • (?i)\bghp_[A-Z0-9]{36}\b
  • \bakab-[a-zA-Z0-9]{16}-[a-zA-Z0-9]{16}\b
  • (?i)\bgh[us]_[0-9a-zA-Z]{36}\b
  • \bGR1348941[0-9a-zA-Z\-\_]{20}\b
  • \bdp\.ct\.[a-zA-Z0-9]{40,44}\b
  • \bapi_org_[a-zA-Z]{34}\b
  • \beyJrIjoi[A-Za-z0-9]{70,400}={0,2}\b
  • \btk-us-[a-zA-Z0-9-_]{48}\b
  • \bAGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}\b
  • \bsu[a-zA-Z0-9]{12}\b
  • (?i)\bBasic [A-Z0-9+/]{8,1000}[=]{0,2}
  • '[-]{5}BEGIN DSA PRIVATE KEY[-]{5}([\s\S]{128,}?)[-]{5}END DSA PRIVATE KEY[-]{5}'
  • \bdG9rO[0-9a-zA-Z]{54}\=
  • \bphc_[a-zA-Z0-9_]{43}\b
  • \bBearer [A-Za-z0-9\-._~+/]{8,1000}[=]{0,2}
  • (?i)\bNRAK-[0-9a-z-_]{27}\b
  • (?i)\bgho_[0-9a-zA-Z]{36}\b
  • (?i)\bpul-[a-fA-F0-9]{40}\b
  • (?i)\bhttps:\/\/chat\.twilio\.com\/v2\/Services\/[a-zA-Z0-9]{32}\b
  • \bpub-c-[0-9a-z]{8}-[0-9a-z]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}\b
  • \baio\_[a-zA-Z0-9]{28}\b
  • \b(live|test)_[a-f0-9]{35}\b
  • \bpk\.[a-zA-Z0-9]{60,70}\.[a-zA-Z0-9]{22}\b
  • '[-]{5}BEGIN PGP PRIVATE KEY BLOCK[-]{5}([\s\S]{128,}?)[-]{5}END PGP PRIVATE KEY BLOCK[-]{5}'
  • \bsk_[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b
  • (?i)\bdo[por]v1[a-f0-9]{64}\b
  • \bey[a-zA-Z0-9]{17,512}\.ey[a-zA-Z0-9/-]{17,512}\.[a-zA-Z0-9/-]{17,512}={0,2}\b
  • \bLTAI[a-zA-Z0-9]{20}\b
  • \brdme_[a-zA-Z0-9]{70}\b
  • \bsecret_[0-9a-zA-Z-_]{43}\b
  • (?i)\bpk_[0-9]{7,8}_[0-9a-z]{32}\b
  • Bearer [0-9]{15,25}-[a-zA-Z0-9]{20,40}
  • \bpnu_[a-zA-Z0-9]{36}\b
  • \bsub-c-[0-9a-z]{8}-[a-z]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}\b
  • \bfio-u-[a-zA-Z0-9\-_=]{64}\b
  • (?i)\brk_live_[0-9a-z]{24}\b
  • \bion_[a-zA-Z0-9]{42}\b
  • \bkey[a-zA-Z0-9]{14}\b
  • https:\/\/www\.google\.com\/calendar\/embed\?src=[A-Za-z0-9%\@&;=\-_\.\/]+
  • \bpdct\.1\.1\.[0-9A-Z]{16}\.[0-9a-z]{16}\.[0-9a-z]{40}\b
  • \bYC[a-zA-Z0-9_\-]{38}\b
  • \bBBFF-[0-9a-zA-Z]{30}\b
  • (?i)\bpscale_tkn_[a-zA-Z0-9\-_\.]{43}\b
  • \bEZTK[a-zA-Z0-9]{54}\b
  • \bapify\_api\_[a-zA-Z-0-9]{36}\b
  • \bEAACEdEose0cBA[0-9A-Za-z]{5,1000}\b
  • \bPMAT-[0-9A-Z]{26}\b
  • (?i)\bshpca_[a-fA-F0-9]{32}\b
  • Bearer xoxb-[0-9]{8,14}\-[a-zA-Z0-9]{18,26}
  • \bdp\.scim\.[a-zA-Z0-9]{40,44}\b
  • \bsk\.[a-zA-Z-0-9\.]{80,240}\b
  • \bpscale_oauth_[a-zA-Z0-9=\-_\.]{43}\b
  • \bsk_test_[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b
  • (?i)\bKEY[0-9A-Z_-]{55}\b
  • (?i)\bhttps:\/\/hooks\.slack\.com\/(services|workflows)\/[a-z0-9_+\/]{43,46}\b
  • (?i)\bsbp_[a-f0-9]{40}\b
  • (?i)\bsk-[0-9a-z]{20}T3BlbkFJ[0-9a-z]{20}\b
  • \bgithub_pat_[0-9a-zA-Z_]{82}\b
  • \bFLWSECK_TEST-[a-h0-9]{32}-X\b
  • \bsl\.[a-zA-Z0-9\-=_]{135,}\b
  • Bearer xoxe-\d-[a-zA-Z0-9]{146}
  • (?i)\bglpat-[0-9a-zA-Z_\-]{20}\b
  • \bhttps://[a-zA-Z0-9\\-]{0,63}\\.webhook\\.office\\.com/webhookb2/[a-z0-9-]{36}@[a-z0-9-]{36}/IncomingWebhook/[a-z0-9]{32}/[a-z0-9-]{36}
  • \b\d{15,16}\|[0-9a-zA-Z\-_]{27}\b
  • sb_secret_[-_a-zA-Z0-9]{27}
  • \bLTAI[a-zA-Z0-9]{17,21}\b
  • (?i)\beyJhbGciOi[a-z0-9_\-\.]{2,1000}\b
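
The two rule types above, applied to a captured payload to see what the defaults mask and what they leave behind. This is an added example, not Postman's code. The names `redact` and `untouched_strings`, the exact key-name match, the masking of whole values for keys but only the matching substring for patterns, and the sample payload are all assumptions made for illustration.

```python
import re

REDACTED = "*REDACTED*"

# Subset of the page's default sensitive keys, lower-cased for case-insensitive lookup.
SENSITIVE_KEYS = {k.lower() for k in (
    "accessToken", "auth", "password", "set-cookie", "token", "x-api-key")}

# Subset of the page's default value patterns, copied verbatim from the list.
VALUE_PATTERNS = [re.compile(p) for p in (
    r"\b(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b",
    r"\bBearer [A-Za-z0-9\-._~+/]{8,1000}[=]{0,2}",
    r"\b[a-f0-9]{8}:[a-f0-9]{8}\b",
)]

def redact(node, key=None):
    """Return a redacted copy of a decoded JSON value (dict, list or scalar)."""
    if key is not None and key.lower() in SENSITIVE_KEYS:
        return REDACTED  # assumption: a sensitive key masks its whole value
    if isinstance(node, dict):
        return {k: redact(v, k) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v) for v in node]
    if isinstance(node, str):
        for pattern in VALUE_PATTERNS:
            node = pattern.sub(REDACTED, node)  # assumption: only the match is masked
    return node

def untouched_strings(original, redacted, path="$"):
    """Paths of string leaves the rules left unchanged: review these by hand."""
    if isinstance(original, dict) and isinstance(redacted, dict):
        return [p for k in original
                for p in untouched_strings(original[k], redacted[k], f"{path}.{k}")]
    if isinstance(original, list) and isinstance(redacted, list):
        return [p for i, v in enumerate(original)
                for p in untouched_strings(v, redacted[i], f"{path}[{i}]")]
    return [path] if isinstance(original, str) and original == redacted else []

# Constructed sample payload; none of these values are real credentials.
SAMPLE = {
    "headers": {"X-API-Key": "not-a-real-key",
                "Authorization": "Bearer abcdefgh12345678",
                "X-Request-Id": "deadbeef:0badf00d"},
    "body": {"user": "alice", "Password": "hunter2",
             "note": "rotated AKIAABCDEFGHIJKLMNOP yesterday",
             "signingSecret": "s3cr3t-value-with-no-known-prefix"},
}

if __name__ == "__main__":
    print(redact(SAMPLE), untouched_strings(SAMPLE, redact(SAMPLE)))
```

In this sample the broad hex-pair pattern masks a harmless request ID, while `signingSecret` passes through because neither its key nor its value matches a default. Fields like that are candidates for the additional redactions configured in the Insights Settings tab.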

Last modified: 2025/05/30