*** title: Authorization types supported by Postman updated: 2025-03-24T00:00:00.000Z max-toc-depth: 2 ---------------- Postman supports several types of authorization. Select a type from the **Auth Type** dropdown list on the **Authorization** tab of a request. You can choose an authorization type on requests, collections, or folders. ## No auth Postman won't send authorization details with a request unless you specify an auth type. If your request doesn't require authorization, select the **Authorization** tab, then select **No Auth** from the **Auth Type** dropdown list. ## API key With API key auth, you send a key-value pair to the API either in the request headers or query parameters. In the request **Authorization** tab, select **API Key** from the **Auth Type** list. Enter your key name and value, and select either **Header** or **Query Params** from the **Add to** dropdown list. You can store your values in [variables](/docs/sending-requests/variables/variables-intro/) for extra security. Postman appends the relevant information to your request **Headers** or the URL query string. ## Bearer token Bearer tokens enable requests to authenticate using an access key, such as a JSON Web Token (JWT). The token is a cryptic string, included in the request header. In the request **Authorization** tab, select **Bearer Token** from the **Auth Type** dropdown list. In the **Token** field, enter your bearer token value. For added security, store it in a variable and reference the variable by name. Postman appends the token value to the text `Bearer` in the required format to the request Authorization header as follows: ```shell Bearer ``` If you need a custom prefix, use an [API Key](#api-key) with a key named `Authorization`. ## JWT bearer JWT, which stands for JSON Web Token, is an open standard for securely sharing JSON data between parties. The data is encoded and digitally signed, which ensures its authenticity. JWT is widely used in API authentication and authorization workflows, as well as for data transfer between clients and servers. Postman supports generating JWT bearer tokens to authorize requests. You can enter a payload in an editor, and JWT tokens are generated and added to the request. In the request **Authorization** tab, select **JWT Bearer** from the **Auth Type** dropdown list. * **Add JWT token to** - Select **Request Header** or **Query Param** to specify how the JWT token will be added to your request. * **Algorithm** - Select a signing algorithm to use for the JWT token. Supported algorithms include: * **HS** - HMAC with SHA * **RS** - RSA (RSASSA-PKCS1-v1\_5) with SHA * **ES** - ECDSA with SHA * **PS** - RSA (RSASSA-PSS) with SHA * **Secret** - The secret that's used with the HMAC-SHA algorithm. * **Secret Base64 encoded** - Select if the secret is encoded in the base-64 format. * **Private key** - The private key for signing the token for RS, ES, and PS algorithms. Select **Select file** to upload a private key in PKCS #8 format. * **Payload** - Enter the payload data for your JWT token, in JSON format. In the **Advanced configuration** section, you can also configure the following items. If you don't configure them, they're generated automatically. * **Request header prefix** - An optional prefix to use at the start of headers. This header prefix is part of the request and not a part of JWT. * **JWT headers** - Any custom headers you also want to send in the JWT token. Headers pertaining to the selected algorithm are automatically added. ## Basic auth Basic authentication involves sending a verified username and password with your request. In the request **Authorization** tab, select **Basic Auth** from the **Auth Type** dropdown list. Enter your API username and password in the **Username** and **Password** fields. For extra security, store these in [variables](/docs/sending-requests/variables/variables-intro/). In the request **Headers**, the Authorization header passes the API a Base64 encoded string representing your username and password values, appended to the text `Basic` as follows: ```shell Basic ```