Using cookies

Postman provides a Manage Cookies feature that enables you to edit cookies that are associated with each domain. If you want to capture cookies using Postman Interceptor, refer to Syncing cookies.

You can disable the cookie jar in the Settings tab for a request at any time to toggle off sending cookies.

What are cookies?

A computer cookie is more formally known as an HTTP cookie, a web cookie, an Internet cookie, or a browser cookie. The name is a shorter version of “magic cookie,” which is a term for a packet of data that a computer receives and then sends back without changing or altering it.

A cookie typically contains two pieces of data: a unique ID for each user and a site name. Cookies enable websites to retrieve this information when you revisit them, so that they can remember you and your preferences and tailor page content for you based on this information. Without cookies, you’d have to log in again after you leave a site or rebuild your shopping cart if you accidentally closed a web page. This makes cookies an important a part of the internet experience.

To open the Manage Cookies dialog, open a request and select the Cookies link under the Send button.

cookies link

This opens the Manage Cookies dialog, which displays a list of domains and the cookies associated with them.

manage cookies dialog

To add a new cookie for the domain, select Add Cookie below the domain. A pre-generated cookie string compliant with HTTP State Management standards is created.

<cookieName>=<cookieValue>; path=/; domain=.domain.com; HttpOnly; Secure; Expires=Tue, 19 Jan 2038 03:14:07 GMT;

Postman supports the following attributes:

  • cookieName, cookieValue: The name of the cookie and the value stored in it.
  • Domain: The domain Postman will send the cookie to.
  • Path: The URL path that the cookie is restricted to. If the path is /, the cookie will be sent to all requests in the specified domain.
  • HttpOnly: If present, the cookie won't be accessible to the client-side scripts run on the page (for example, with document.cookie in JavaScript). The cookie will only be added to the cookie header in requests that are made. This field does not have an effect on Postman's behavior.
  • Secure: If present, the cookie is only sent when the URL begins with https:// and won't be sent over an insecure connection.
  • Expires: The time after which the cookie will expire and not be sent by Postman.

Select Save to save the cookie to the cookie store under the relevant domain.

When you make a request to a domain you have added a cookie to, the cookie will automatically appear in your request Headers tab. If the cookie isn't visible, select hidden to show autogenerated headers.

Cookie Header

You can't override cookie headers directly in the Headers tab. edit the cookie on the Manage Cookies dialog, or delete the cookie and set your request headers manually. You can add cookies on the Manage Cookies dialog as well as on the Headers tab, and Postman will merge the cookies before sending the request.

Adding a domain

If you want to add a cookie for a domain that isn’t present in the domain list, you can add one. To add a new domain to the domain list, enter the domain name in the box (don't include a port number or http://) and select Add. You can then add cookies for the new domain.

To update an existing cookie for a domain, select the cookie you want to edit. You can edit any property, and select Save to update.

To delete a domain and all cookies associated with it, select X next to the domain. To delete individual cookies, select X next to the cookie.

You can also add or edit the cookies in a response with the Set-Cookie header.

Whitelisting domains for programmatic access of cookies

Adding a domain to the whitelist allows cookies for that domain to be accessed in scripts. To whitelist a domain, select the Cookies link under the Send button and open the Manage Cookies dialog. Select Whitelist Domains in the bottom left and enter the list of domains to be whitelisted.

Programmatic access of cookies

Postman also enables you to programmatically create and delete cookies, instead of relying on the graphical interface. This grants a greater degree of control over cookies to the users.

The first step to perform in any kind of operation on cookies is to create a cookie jar, an object that will contain the cookies and the methods that will be used to operate on cookies.

To create a cookie jar, use the pm.cookies.jar() method. This creates an object to contain the cookies and methods for accessing them.

const cookieJar = pm.cookies.jar();

After a cookie jar is created, you can place cookies into it. Set a cookie using the .set() function. It takes a URL, a cookie name and a cookie value:

// create a cookie
cookieJar.set(URL, cookie name, cookie value, callback(error, cookie));

You can also set a PostmanCookie or its compatible cookie object using the .set() function:

// create a PostmanCookie
cookieJar.set(URL, { name: cookie name, value: cookie value, httpOnly: true }, callback (error, cookie));

To retrieve a cookie, use the .get() function. The function takes a URL and name of the required cookie. It returns the value of cookie.

// get the created cookie
cookieJar.get(URL, cookie name, callback(error, cookie));

Get all the cookies

To get all the cookies for a particular URL that are in the cookie jar, use the .getAll() function. It takes a URL and returns all the cookies for that URL:

// get the created cookies
cookieJar.getAll(URL, callback(error, cookies));

To delete a cookie, use the .unset() function. It takes a URL and the name of the cookie to be removed:

// Delete the created cookie
cookieJar.unset(URL , cookie name, callback (error));

Delete all the cookies

To clear all the cookies for a URL, use the .clear() function. It takes the URL for which all the cookies are to be removed. Note that .clear() removes all cookies for a particular URL, it does not remove all the cookies in the jar as there may be cookies for more than one URL in the cookie jar.

// delete the set cookies
cookieJar.clear(URL, callback (error));

Properties not yet supported

There are two properties that are not supported by Postman:

  • SameSite
  • Cookie Prefixes:
    • __Secure-
    • __Host-

When you add a domain, Postman syncs all cookies for that domain from the browser. For example, entering facebook.com syncs cookies for facebook and all its subdomains (m.facebook.com). The Postman Interceptor extension keeps cookies for a fixed set of domains in sync from the browser to Postman (cookie updates from the browser sync to Postman, not vice versa). This will enable you to use any authentication sessions in your browser to make API calls in Postman. However, you won't be able to save them to Postman’s history.

Subsequent updates (on the cookie’s value or other properties) and deletions will be synced as well. Select ‘x’ next to the domain to remove it from the synced set. This will only prevent future cookie updates from being synced - it won’t delete the cookies that have already been synced to Postman.

Last modified: 2021/10/20