Create and manage vault secrets in Postman Vault


You can add vault secrets directly to your Postman Local Vault or from HTTP requests. Specify the key name that’s used to reference the vault secret, the value, and allowed domains. Then you can reference vault secrets in your Postman team. You can edit vault secrets from your local vault or from requests that reference them.

Add sensitive data as vault secrets

Add sensitive data, such as API keys and passwords, to Postman Vault and reuse them in Postman. Vault secrets are encrypted using Advanced Encryption Standard (AES) with a 256-bit key length.

To add secrets to your Postman Vault, do the following:

  1. Open your Postman Vault.

  2. Enter the following values in an empty row:

    • Key - The name of the vault secret. Use the name to reference the secret.

    • Value - The value used when sending requests in your local instance of Postman. It’s never synced to your account or shared with your team. To show or hide a vault secret’s value, hover over the secret and click View or Hide.

    • Allowed domains - The comma-separated list of domains and subdomains you’re allowed to send requests to with the vault secret. This enables you to prevent unintentional disclosure of sensitive data in your vault secret. By default, you can include vault secrets in requests to any domain and subdomain.

      If you specify allowed domains or subdomains for a vault secret, you can only reference it at the request level.

To allow sending requests to any subdomain of an allowed domain, use * to represent any subdomain. For example, add *.example.com to allow sending requests to any subdomain of example.com.

More options for adding vault secrets

You can also take the following actions to add vault secrets to Postman Vault:

Set data as a vault secret

You can select data from the URL builder, Params tab, Authorization tab, or Headers tab and set the data as a vault secret. You can also enter a value with sensitive data in the Authorization tab and add it directly to your Postman Vault as a vault secret.

To select data and set it as a vault secret, do the following:

  1. Select the data you need. You can select data from the URL builder, Params tab, Authorization tab, or Headers tab.
  2. Right-click the selected data and click Set as variable.
  3. Click Set as new variable.
  4. Enter the Name of the vault secret, confirm that the Value is correct, and select Vault as the scope.
  5. Click Set Variable.

To add sensitive data as a vault secret from the Authorization tab, do the following:

  1. Click the Authorization tab.
  2. Click the Auth type dropdown list, then select an authorization.
  3. Enter a value in a field that holds sensitive data, such as a password or token.
  4. Hover over Sensitive value, then click Set as Variable.
  5. Enter a name for the vault secret.
  6. Select Local Vault.

Try a vault secret in a request

Try a vault secret in a request before adding it to Postman Vault. You can also create placeholder vault secrets to share with your API consumers. Your consumers can use placeholder vault secrets to add their own sensitive data. The value you enter is stored locally and only available in the request it’s set in.

To try a vault secret locally, do the following:

  1. Enter a vault secret reference in the URL builder, Params tab, Authorization tab, or Headers tab using the vault secret syntax. Use a name that isn’t already associated with a vault secret.
  2. Hover over the vault secret reference, click Enter value, then enter a value for the vault secret.
  3. Send the request to see if the value you entered for the vault secret works as expected.

Values for vault secrets you try are stored locally in a request until you close its tab or sign out of Postman. When you open the request again, the vault secret’s value is empty.

Add a vault secret from a reference

Once you try a vault secret in a request, you can then add it to Postman Vault.

To add a vault secret from a reference, do the following:

  1. Hover over the vault secret reference, such as {{vault:secret-name}}.
  2. (Optional) Update the reference to the vault where you want to store the vault secret. Learn more about referencing a vault secret.
  3. (Optional) Enter a new value.
  4. Click Add to Vault.

If you would like to store the value as a variable instead, remove the vault: prefix, then follow the instructions to add the variable to a scope.

Use vault secrets

You can reference vault secrets in your HTTP collections and requests from the URL builder, the Params tab, the Authorization tab, the Headers tab, and the Body tab. Learn more about Postman feature availability with vault secrets.

Put the vault secret inside double curly braces ({{ }}) and append the prefix vault: to the vault secret’s name, enabling you to reference it throughout your workspaces. For example, to reference a vault secret named “postman-api-key”, use the following syntax:

{{vault:postman-api-key}}

To learn how to troubleshoot empty or unresolved vault secrets, see Troubleshoot vault secrets.

If you specified an allowed domain for a vault secret and you’re sending a request to the domain, you can select a vault secret from the Authorization tab. Note that you can only add a vault secret this way from the request level. Select an authorization from the Auth type dropdown list, click a field that holds sensitive data, then select a vault secret from the dropdown list. You can click View secret value to show the vault secret’s value in the dropdown list.
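The allowed-domains rule and the {{vault:name}} reference syntax described above can be checked offline before a collection is shared. The following is an added example, not Postman's code: the function names, the request and policy shapes, and the matching semantics (a * wildcard matches subdomains only, not the apex domain) are assumptions made for illustration.

```javascript
// Added example. Matching rules are assumptions, not Postman's implementation.

// Parse the comma-separated "Allowed domains" field into lowercase patterns.
function parseAllowedDomains(field) {
  return field.split(",").map((d) => d.trim().toLowerCase()).filter(Boolean);
}

// "*.example.com" matches any subdomain but (assumed) not the apex, and only
// on a dot boundary, so "notexample.com" does not match.
function hostMatches(host, pattern) {
  const h = host.toLowerCase();
  if (pattern.startsWith("*.")) {
    const suffix = pattern.slice(1); // ".example.com"
    return h.length > suffix.length && h.endsWith(suffix);
  }
  return h === pattern;
}

// An empty list means any domain is allowed (the documented default).
function isHostAllowed(host, allowed) {
  return allowed.length === 0 || allowed.some((p) => hostMatches(host, p));
}

// Names inside every {{vault:name}} reference in a string.
function vaultRefs(text) {
  return [...text.matchAll(/\{\{vault:([^}]+)\}\}/g)].map((m) => m[1]);
}

// Report each secret referenced by a request whose host its policy excludes.
function auditRequests(requests, policy) {
  const findings = [];
  for (const req of requests) {
    // Blank out {{...}} references so the URL parses, then take its host.
    const host = new URL(req.url.replace(/\{\{[^}]*\}\}/g, "x")).hostname;
    const text = [req.url, ...Object.values(req.headers || {})].join("\n");
    for (const secret of new Set(vaultRefs(text))) {
      const allowed = parseAllowedDomains(policy[secret] || "");
      if (!isHostAllowed(host, allowed)) findings.push({ request: req.name, secret, host });
    }
  }
  return findings;
}

// Constructed sample data: secret name -> allowed-domains field, and requests.
const samplePolicy = { "postman-api-key": "api.example.com, *.example.org" };
const sampleRequests = [
  { name: "exact", url: "https://api.example.com/users", headers: { "X-Api-Key": "{{vault:postman-api-key}}" } },
  { name: "subdomain", url: "https://eu.example.org/v1?key={{vault:postman-api-key}}" },
  { name: "no-dot-boundary", url: "https://notexample.org/", headers: { Authorization: "Bearer {{vault:postman-api-key}}" } },
  { name: "apex", url: "https://example.org/", headers: { "X-Api-Key": "{{vault:postman-api-key}}" } },
];
console.log(auditRequests(sampleRequests, samplePolicy));
```

The two findings it reports are the requests whose host falls outside the secret's list; a secret with no policy entry is treated as unrestricted, matching the default described earlier.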

From the variables pane, you can view vault secrets referenced in an HTTP request and available from a Postman element. Click Variables in the workbench to open the variables pane. Review the vault secrets referenced in a request under Variables in request. If the request auth is set to Inherit auth from parent, you can view vault secrets referenced in the Authorization tab of the request’s parent collection or folder. Under All variables, you can view vault secrets that can be referenced and resolved in the Postman element that’s open. For requests that reference a variable or vault secret, click All variables to display all vault secrets a request can access.

Vault secrets stored in your Postman Vault are masked by default when they’re logged to the Postman Console. To change whether vault secrets are masked in the Postman Console, click Settings, then turn the toggle on or off next to Mask vault secrets from the Settings tab.

If you reference a vault secret as the shared value of a variable, the reference to the secret (for example {{vault:secret-name}}) is synced using the Postman cloud. The reference to the vault secret, not the actual value, is shared with anyone who has access to the workspace. Learn more about shared values.

If you’re using the Postman web app with Safari as your web browser, it deletes vault secrets from your local instance of Postman after seven days of inactivity.

Use a different web browser if you want your vault secrets available for more than seven days without activity in the Postman web app.

Learn about the browser requirements for the Postman web app.

Postman feature availability

The following Postman features are supported with vault secrets:

The following features aren’t supported with vault secrets:

Edit vault secrets

Edit vault secrets stored in your Postman Vault by updating them and their allowed domains, changing a vault secret’s name, making vault secrets unavailable, or deleting vault secrets. You can also edit the value of a vault secret directly from requests that reference it or can access it.

To edit vault secrets, open your Postman Vault. You can take the following actions:

  • To filter the list of vault secrets by name, enter text in the Filter secrets box.
  • To sort the list of vault secrets, click a column header. You can toggle between ascending and descending order.
  • To add a new vault secret, click Add new secret in the bottom row of the table.
  • To update the key or value for the vault secret, click the relevant cell.
  • To delete a vault secret, hover over a secret and click Delete.
  • To update the list of allowed domains, click the empty cell or list of domains.
  • To make a vault secret unavailable without deleting it, clear the checkbox next to the secret. Any references to the secret will be unresolved. To make the secret available again, select the checkbox.
  • To link a different secret from an external vault, click Configure vault next to the vault secret you want to update, then click Edit.

Changes are automatically saved to your Postman Vault.

You can also edit the value of a vault secret from the variables pane or the request builder. Click Variables in the workbench to open the variables pane. You can edit vault secrets referenced in an HTTP request under Variables in request and vault secrets available from a Postman element under All variables. In the variables pane, delete the existing value next to a vault secret, then enter a new value. You can also hover over the reference to the vault secret in the request builder, delete the existing value, then enter a new value.

From the variables pane, you can’t edit the value of a vault secret that’s linked to an external vault.