Using cookies

Postman provides a MANAGE COOKIES modal that lets you edit cookies that are associated with each domain. If you want to capture cookies using Postman Interceptor, refer to Syncing cookies.

You can disable the cookie jar in the Settings tab for a request at any time to toggle off sending cookies.

To open the MANAGE COOKIES modal, click the Cookies link under the Send button.

This opens the MANAGE COOKIES modal, and displays a list of domains and the cookies associated with them.

To add a new cookie for the domain, click on the Add Cookie button. A pre-generated cookie string according to the HTTP State Management standards will be created, but you can edit it using the text input that appears below it. Clicking the Save button will save it to the cookie store under the relevant domain.

When you make a request to a domain you have added a cookie to, the cookie will automatically appear in your request Headers tab—click the hidden button to see it.

You cannot override cookie headers directly in the Headers tab. To change a cookie header, alter your setup in Cookies (or remove cookies and set your request headers manually). You can add cookies from the Cookies control and manually in Headers, and Postman will merge them before sending your request.

Adding a domain

If you want to add a cookie for a domain that isn’t present in the domain list, you can add one by entering the hostname (without the port or the http://) in the input box at the top. Clicking the Add button will add it to the domain list. You can then add cookies for this domain by selecting it, and entering a new cookie value as described above.

To update an existing cookie, go to the domain from the domain list, and click the cookie you want to edit. You can edit any property, and hit Save to update.

You can also add or edit cookies through the Set-Cookie header in a response.

Whitelisting domains for programmatic access of cookies

To whitelist a domain so that its cookies can be accessed programmatically, click the Cookies link under the Send button to open the MANAGE COOKIES modal. Click Whitelist Domains at the bottom left and enter the domains you want to whitelist.

Programmatic access of cookies

Postman also allows programmatic cookie access, i.e. creating and manipulating cookies through dedicated methods instead of the graphical interface, which gives you a greater degree of control over cookies.

The very first step to perform any kind of operation on cookies is to create a Cookie Jar, an object that will contain the cookies and the methods that will be used to operate on cookies.

To create a "cookie jar", use the pm.cookies.jar() method. This will create an object containing the cookies and the methods that would be needed to access them.

const cookieJar = pm.cookies.jar();

After a cookie jar is created, you can place cookies into it using either of the following methods:

  1. Set a cookie using the .set() function. It takes a URL, a cookie name, and a cookie value.
// create a cookie jar
const cookieJar = pm.cookies.jar();
// create a cookie (url, cookieName and cookieValue stand for your own strings)
cookieJar.set(url, cookieName, cookieValue, (error, cookie) => { /* handle error, use cookie */ });
  2. You can also set a PostmanCookie, or a compatible cookie object, using the .set() function.
// create a cookie jar
const cookieJar = pm.cookies.jar();
// create a PostmanCookie (url, cookieName and cookieValue stand for your own strings)
cookieJar.set(url, { name: cookieName, value: cookieValue, httpOnly: true }, (error, cookie) => { /* handle error, use cookie */ });

To retrieve a cookie, use the .get() function. It takes a URL and the name of the required cookie, and returns the value of the cookie through the callback.

// create a cookie jar
const cookieJar = pm.cookies.jar();
// create a cookie (url, cookieName and cookieValue stand for your own strings)
cookieJar.set(url, cookieName, cookieValue, (error, cookie) => { /* handle error, use cookie */ });
// get the created cookie
cookieJar.get(url, cookieName, (error, cookie) => { /* handle error, use cookie */ });

Get all the cookies

To get all the cookies in the cookie jar for a particular URL, use the .getAll() function. It takes a URL and returns all the cookies for that URL through the callback.

// create the cookie jar
const cookieJar = pm.cookies.jar();
// create one cookie (url and the cookie names and values stand for your own strings)
cookieJar.set(url, firstCookieName, firstCookieValue, (error, cookie) => { /* handle error, use cookie */ });
// create another cookie
cookieJar.set(url, secondCookieName, secondCookieValue, (error, cookie) => { /* handle error, use cookie */ });
// get the created cookies
cookieJar.getAll(url, (error, cookies) => { /* handle error, use cookies */ });

To delete a cookie, use the .unset() function. It takes a URL and the name of the cookie to be removed.

// create the cookie jar
const cookieJar = pm.cookies.jar();
// create a cookie (url, cookieName and cookieValue stand for your own strings)
cookieJar.set(url, cookieName, cookieValue, (error, cookie) => { /* handle error, use cookie */ });
// delete the created cookie
cookieJar.unset(url, cookieName, (error) => { /* handle error */ });

Delete all the cookies

To clear all the cookies for a URL, use .clear(). It takes the URL for which all the cookies are to be removed. Note that .clear() removes all cookies for a particular URL. It DOES NOT remove all the cookies in the jar, as there may be cookies for more than one URL in the cookie jar.

// create cookie jar
const cookieJar = pm.cookies.jar();
// set one cookie (url and the cookie names and values stand for your own strings)
cookieJar.set(url, firstCookieName, firstCookieValue, (error, cookie) => { /* handle error, use cookie */ });
// set another cookie
cookieJar.set(url, secondCookieName, secondCookieValue, (error, cookie) => { /* handle error, use cookie */ });
// delete the set cookies
cookieJar.clear(url, (error) => { /* handle error */ });
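
The per-URL scope of .clear() matters when a collection talks to several hosts: a session cookie stored for one URL survives a clear of another. The script below is an added example, not code from Postman's documentation; it clears a list of URLs and re-reads each one with .getAll() to confirm nothing remains. The names makeStubJar, clearAll and demo, the example.com URLs and the cookie values are assumptions made for illustration, and the stub jar only imitates the callback shapes shown on this page.

```javascript
// Added example, not Postman's own code. makeStubJar() is a hypothetical in-memory
// stand-in for pm.cookies.jar() so the script also runs outside Postman.
function makeStubJar() {
  const store = new Map(); // url -> Map(cookie name -> value)
  const bucket = (url) => store.get(url) || store.set(url, new Map()).get(url);
  return {
    set(url, name, value, cb) { bucket(url).set(name, value); cb(null, { name, value }); },
    get(url, name, cb) { cb(null, bucket(url).get(name)); },
    getAll(url, cb) { cb(null, [...bucket(url)].map(([name, value]) => ({ name, value }))); },
    clear(url, cb) { bucket(url).clear(); cb(null); },
  };
}

// Clear cookies for every URL in `urls`, then re-read each URL with getAll()
// to confirm nothing is left. done(error, leftovers): leftovers maps a URL to
// the cookie names still present. Assumes getAll() yields a list with .map().
function clearAll(jar, urls, done) {
  const leftovers = {};
  let pending = urls.length;
  let failed = false;
  const fail = (err) => { if (!failed) { failed = true; done(err); } };
  if (pending === 0) return done(null, leftovers);
  urls.forEach((url) => {
    jar.clear(url, (clearErr) => {
      if (clearErr) return fail(clearErr); // report only the first error
      jar.getAll(url, (getErr, cookies) => {
        if (getErr) return fail(getErr);
        const names = cookies.map((c) => c.name);
        if (names.length > 0) leftovers[url] = names;
        pending -= 1;
        if (pending === 0 && !failed) done(null, leftovers);
      });
    });
  });
}

// Demonstration on the stub jar (its callbacks fire synchronously).
function demo() {
  const jar = makeStubJar();
  const api = "https://api.example.com", auth = "https://auth.example.com"; // constructed
  const out = {};
  jar.set(api, "session", "abc123", () => {});
  jar.set(auth, "session", "def456", () => {});
  jar.clear(api, () => {}); // clears only the api URL
  jar.get(auth, "session", (err, value) => { out.authAfterOneClear = value; });
  clearAll(jar, [api, auth], (err, leftovers) => { out.error = err; out.leftovers = leftovers; });
  return out;
}
console.log(demo()); // in Postman: clearAll(pm.cookies.jar(), [...urls], callback)
```

In a Postman script, pass pm.cookies.jar() as the jar and list every URL the collection authenticates against.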

Properties not yet supported

The following two properties are not yet supported in Postman:

  • SameSite
  • Cookie prefixes:
      • __Secure-
      • __Host-

Whenever you add a domain, Postman will sync all cookies for that domain from the browser. Entering “facebook.com”, for example, will sync cookies for facebook.com and all its subdomains (such as m.facebook.com). The Postman Interceptor extension keeps cookies for a fixed set of domains in sync from the browser to Postman (cookie updates from the browser sync to Postman, not vice versa). This lets you use any authentication sessions in your browser to make API calls in Postman. However, you will not be able to save them to Postman’s history.

Subsequent updates (on the cookie’s value or other properties) and deletions will be synced as well. Click ‘x’ next to the domain to remove it from the synced set. This will only prevent future cookie updates from being synced - it won’t delete the cookies that have already been synced to Postman.