Add API authorization details to requests in Postman

With a request open in Postman, use the Authorization tab to select an auth type, then complete the relevant details for your selected type. The correct data values are determined by your API at the server side. If you're using a third-party API, refer to the provider's documentation for any required auth details.

You can use Guided Auth to set up authentication credentials for supported public APIs. For more information, see Set up authorization for public APIs using Guided Auth.

Select an authorization type

When you select an auth type from the Auth Type dropdown list, Postman indicates which parts of the request your details are included in, for example the header, body, URL, or query parameters. Postman then adds your auth details to the relevant parts of the request when you select or enter them. This enables you to preview how Postman will send your data before you run the request.

For more details on setting up each type of authorization, see Authorization types supported by Postman.

You can use these auth types with Newman, monitors, and in Postman.

View authorization details

After you select and set up an authorization type, your data appears in the relevant parts of the request, for example in the Headers tab. To view headers that were added automatically, select hidden.

Hover over a header to get information about where it was added. To change an auth header, return to the Authorization tab and update your configuration.

In the Headers tab, you can't override headers added by your Authorization selections. If you need auth headers that are different from those generated by Postman, change your setup in Authorization. You can also remove your auth setup and manually add the headers.

Your request auth can use environment, collection, and global variables. To avoid exposing sensitive data, such as API keys, Postman doesn't save header data or query parameters.

It's recommended that you use your Postman Vault to store sensitive data as vault secrets. Only you can access and use your vault secrets, and vault secrets aren't synced to the Postman cloud. If you want to share sensitive data with collaborators or access it in scripts, you can store it in an environment as a secret type variable.

Learn more about the differences between vault secrets and variables.

You can inspect a raw dump of the entire request including auth data in the Postman Console after you send it.

Inherit authorization

If you group your requests in collections and folders, you can specify auth details to reuse throughout a group.

By default, requests inside the collection or folder inherit auth from the parent. This means that they'll use the same auth that you've specified at the folder or collection level. To change this for an individual request, select a different auth type in the request's Authorization tab.
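
The inheritance rule above decides which credentials each request ends up sending, so it is worth checking before a collection is shared. As an added example (not Postman's own code), this script walks a collection, resolves the auth each request inherits, and flags secret fields stored as literals rather than {{variable}} references. It assumes the Collection v2.1 export layout; the sample collection and the list of secret-bearing field names are constructed for illustration.

```javascript
// Added example: audit a Postman Collection v2.1 export for auth secrets
// stored as literals. Sample collection below is constructed for illustration.
const sampleCollection = {
  info: { name: "Constructed sample" },
  auth: { type: "bearer", bearer: [{ key: "token", value: "{{api_token}}", type: "string" }] },
  item: [
    { name: "List users", request: { method: "GET", url: "https://api.example.test/users" } },
    { name: "Admin",
      auth: { type: "basic", basic: [
        { key: "username", value: "admin", type: "string" },
        { key: "password", value: "constructed-literal-pw", type: "string" }] },
      item: [
        { name: "Delete user", request: { method: "DELETE", url: "https://api.example.test/users/1" } },
        { name: "Health", request: { method: "GET", url: "https://api.example.test/health",
                                     auth: { type: "noauth" } } }] }]
};

// Assumption: auth parameter names treated as secret-bearing; extend as needed.
const SECRET_KEYS = new Set(["password", "token", "value", "secretKey", "clientSecret", "accessToken"]);

// True when the whole value is a single {{variable}} reference.
function isVariableRef(v) {
  return typeof v === "string" && /^\{\{[^{}]+\}\}$/.test(v.trim());
}

// Names of secret-bearing parameters whose value is a literal.
function literalSecrets(auth) {
  if (!auth || auth.type === "noauth") return [];
  const params = Array.isArray(auth[auth.type]) ? auth[auth.type] : [];
  return params.filter(p => SECRET_KEYS.has(p.key) && p.value && !isVariableRef(p.value))
               .map(p => p.key);
}

// Walk collection -> folders -> requests, carrying the nearest parent auth down.
function auditAuth(node, parent = { auth: null, from: null }, path = []) {
  const here = [...path, node.info ? node.info.name : node.name];
  if (Array.isArray(node.item)) { // collection or folder: may define auth for children
    const scope = node.auth ? { auth: node.auth, from: here.join(" / ") } : parent;
    return node.item.flatMap(child => auditAuth(child, scope, here));
  }
  const own = node.request && node.request.auth; // request-level auth wins over inherited
  const eff = own ? { auth: own, from: "request" } : parent;
  const type = eff.auth ? eff.auth.type : "noauth";
  return [{ request: here.join(" / "), type, from: type === "noauth" ? null : eff.from,
            literalKeys: literalSecrets(eff.auth) }];
}

console.log(JSON.stringify(auditAuth(sampleCollection), null, 2));
```

To audit a real export, replace sampleCollection with the parsed JSON of the exported collection file.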

Last modified: 2024/07/24