Add API authorization details to requests in Postman

With a request open in Postman, use the Authorization tab to select an auth type, then complete the relevant details for your selected type. The correct data values will be determined by your API at the server side. If you're using a third-party API, refer to the provider's documentation for any required auth details.

You can use Guided Auth to set up authentication credentials for supported public APIs. For more information, see Set up authorization for public APIs using Guided Auth.

Select an authorization type

When you select a type from the Type dropdown list, Postman will indicate which parts of the request your details will be included in, for example the header, body, URL, or query parameters. Postman adds your auth details to the relevant parts of the request when you select or enter them, so you can preview how your data will be sent before you run the request.

For more details on setting up each type of authorization, go to Authorization types supported by Postman.

You can use these auth types with Newman and monitors as well as in Postman.

View authorization details

After you select and set up an authorization type, your auth data will appear in the relevant parts of the request, for example in the Headers tab. To show headers that were added automatically, select hidden.

Hover over a header to get information about where it was added. To change an auth header, return to the Authorization tab and update your configuration.

You can't override headers added by your Authorization selections directly in the Headers tab. If you need different auth headers from those autogenerated by Postman, alter your setup in Authorization, or remove your auth setup and add headers manually.

Your request auth can use environment, collection, and global variables. To avoid exposing sensitive data, such as API keys, Postman doesn't save header data or query parameters.

It's recommended that you use your Postman Vault to store sensitive data as vault secrets. Only you can access and use your vault secrets, and vault secrets aren't synced to the Postman cloud. If you want to share sensitive data with collaborators or access it in scripts, you can store it in an environment as a secret type variable.

Learn more about the differences between vault secrets and variables.

You can inspect a raw dump of the entire request including auth data in the Postman Console after you send it.

Inherit authorization

If you group your requests in collections and folders, you can specify auth details to reuse throughout a group.

By default, requests inside the collection or folder will inherit auth from the parent, which means that they'll use the same auth that you've specified at the folder or collection level. To change this for an individual request, make a different selection in the request Authorization tab.
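The variable and inheritance guidance above can be checked outside the app. The Node.js script below is an added example, not part of Postman's documentation or tooling: it walks a Collection v2.1 export, resolves which auth each request effectively uses (its own, or the nearest folder's or the collection's), and flags credential fields that hold a literal value instead of a {{variable}} reference. The sample collection, `SECRET_FIELDS`, `isVariableRef` and `auditAuth` are constructed for illustration.

```javascript
// Constructed sample in Collection v2.1 shape (not a real export).
const sampleCollection = {
  auth: { type: "bearer", bearer: [{ key: "token", value: "{{apiToken}}" }] },
  item: [
    { name: "List users", request: { method: "GET", url: "https://api.example.test/users" } },
    { name: "Admin",
      auth: { type: "apikey", apikey: [
        { key: "key", value: "X-API-Key" },
        { key: "value", value: "constructed-literal-key" },
        { key: "in", value: "header" } ] },
      item: [
        { name: "Delete user", request: { method: "DELETE", url: "https://api.example.test/users/1" } },
        { name: "Health", request: { method: "GET", url: "https://api.example.test/health", auth: { type: "noauth" } } },
      ],
    },
  ],
};

// Credential-bearing field per auth type (assumed subset, extend as needed).
const SECRET_FIELDS = { bearer: ["token"], basic: ["password"], apikey: ["value"] };

// True only when the whole value is a {{variable}} reference, not a literal.
const isVariableRef = (v) => typeof v === "string" && /^\{\{[^{}]+\}\}$/.test(v.trim());

// Walk folders and requests; a request without its own auth inherits the
// nearest parent's auth, as described for collections and folders.
function auditAuth(node, inherited, path = []) {
  const findings = [];
  for (const item of node.item || []) {
    const here = [...path, item.name];
    if (item.item) { // folder: its auth, if set, replaces the inherited one
      const next = item.auth ? { auth: item.auth, from: here.join(" / ") } : inherited;
      findings.push(...auditAuth(item, next, here));
      continue;
    }
    const own = item.request && item.request.auth;
    const eff = own ? { auth: own, from: "request" } : inherited;
    const type = eff.auth ? eff.auth.type : "none";
    const fields = (eff.auth && eff.auth[type]) || [];
    const literal = fields
      .filter((f) => (SECRET_FIELDS[type] || []).includes(f.key) && f.value && !isVariableRef(f.value))
      .map((f) => f.key);
    findings.push({ request: here.join(" / "), type, source: eff.from, literal });
  }
  return findings;
}

const report = auditAuth(sampleCollection, { auth: sampleCollection.auth, from: "collection" });
console.table(report.map((r) => ({ ...r, literal: r.literal.join(",") })));
```

Any row with a non-empty `literal` column marks a request whose effective auth carries a hard-coded credential that would travel with the exported collection file.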

Last modified: 2023/05/26