Repro mode data redactions

Postman Insights treats handling of user data seriously. This page describes the set of default fields and values that Postman Insights redacts, replacing them with *REDACTED*, to help ensure compliance with security and privacy requirements.

  • Default keys - Predefined, case-insensitive field names that are automatically redacted, such as accessToken, auth-key, and x-api-key. These fields are considered sensitive and are masked to ensure data security.

  • Default regular expressions - Regular expressions applied by default to field values to identify and redact patterns matching sensitive information, such as tokens, private keys, and authentication details.

  • Optional regular expressions - Optional regular expressions applied to field values to identify and redact patterns matching other sensitive data, such as credit cards, emails, and phone numbers. You can edit these regular expressions to fit your needs.

Postman Insights also allows users to define additional redacted fields and values. See the Settings tab for instructions.

Default keys

Sensitive keys are not case sensitive. They include the following:

  • accessToken
  • api-key
  • api_key
  • auth
  • auth-key
  • authKey
  • clientSecret
  • clientToken
  • consumerSecret
  • encryption_key
  • password
  • postman_sid
  • primarySecret
  • proxy-authorization
  • secondarySecret
  • secretKey
  • sessionToken
  • set-cookie
  • sso_jwt_key
  • token
  • tokenSecret
  • x-access-token
  • x-amz-security-token
  • x-api-key
  • x-auth-token
  • x-csrf-token
  • x-support-secret

Default regular expressions

Default regular expressions include the following:

  • \bPMAK-[a-f0-9]{24}\b
  • (?i)https:\/\/creator\.zoho\.com\/api\/[A-Za-z0-9\/\-_\.]+\?authtoken=[A-Za-z0-9]+
  • \bt1\.[A-Z0-9a-z_-]+[=]{0,2}\.[A-Z0-9a-z_-]{86}[=]{0,2}\b
  • \b(live|test)_[a-f0-9]{35}\b
  • (?i)https:\/\/[\w-]*\.?zoom\.us\/(j|my)\/[\d\w?=-]+\b
  • \bb\.AAAAAQ[0-9a-zA-Z_-]{156}\b
  • (?i)\beyJhbGciOi[a-z0-9_\-\.]{2,1000}\b
  • \bpypi-AgEIcHlwaS5vcmc[A-Za-z0-9\-_]{50,1000}\b
  • \bFLWSECK_TEST[a-h0-9]{12}\b
  • \bnpm_[a-zA-Z0-9]{36}\b
  • \b[0-9]{15,25}-[a-zA-Z0-9]{20,40}\b
  • \bSSWS [a-zA-Z0-9=_\-]{42}\b
  • \bEZAK[a-zA-Z0-9]{54}\b
  • \b(?:pat|sat)\.[a-zA-Z0-9]{22}\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{20}\b
  • \bico-[a-zA-Z0-9]{32}\b
  • \bflb_live_[0-9a-zA-Z]{20}\b
  • \b[0-9a-f]{32}-us[0-9]{1,2}\b
  • \bdp\.audit\.[a-zA-Z0-9]{40,44}\b
  • (?i)\bduffel_live_[a-zA-Z0-9_-]{43}\b
  • \b(amqp|amqps):\/\/[\d\w\:?=-]+\b
  • \b[A-Za-z0-9]{14}\.atlasv1\.[A-Za-z0-9]{67}\b
  • (?i)\bsk-ant-api[0-9]{2}-[0-9a-z\-\_]{95}\b
  • \bdp\.pt\.[a-zA-Z0-9]{40,44}\b
  • \bAQVN[A-Za-z0-9_\-]{35,38}\b
  • (?i)\bsk_live_[0-9a-z]{24}\b
  • '[-]{5}BEGIN EC PRIVATE KEY[-]{5}([\s\S]{128,}?)[-]{5}END EC PRIVATE KEY[-]{5}'
  • \bhttps:\/\/[\w-]*\.?alchemyapi\.io\/v2\/[\d\w?=-]+\b
  • \bNRBR-[a-fA-F0-9]{19}\b
  • \b\d{15,16}(?:\||%)[0-9a-zA-Z_-]{27,40}\b
  • \bpscale_tkn_[A-Za-z0-9_]{43}\b
  • \btfp_[0-9A-Za-z-_]{59}\b
  • \bhttps:\/\/discord\.com\/api\/webhooks\/([0-9]{18,20})\/([0-9a-zA-Z_-]+)\b
  • (?i)\blin_api_[a-zA-Z0-9]{40}\b
  • \bdp\.sa\.[a-zA-Z0-9]{40,44}\b
  • \bdnkey-[a-zA-Z0-9=\-]{26}-[a-zA-Z0-9=\-]{52}\b
  • \b(pk|dk)(prod|test)[a-zA-Z0-9]{28}\b
  • \bglsa_[A-Za-z0-9]{32}_[A-Fa-f0-9]{8}\b
  • (?i)\bhttps:\/\/api\.hubapi\.com\/webhooks\/v1\/[a-zA-Z0-9]+\/
  • \bhttps://[a-f0-9]{8}:[a-f0-9]{8}@(?:gems\\.contribsys\\.com|enterprise\\.contribsys\\.com)
  • Bearer xoxe.xox[bp]-\d-[a-zA-Z0-9]{163,166}
  • \bPMAK-[a-f0-9]{24}-[a-f0-9]{34}\b
  • \bSK[A-Fa-f0-9]{32}\b
  • (?i)\bshpat_[a-fA-F0-9]{32}\b
  • (?i)\bshppa_[a-fA-F0-9]{32}\b
  • (?i)\bfigd_[0-9a-z_-]{40}\b
  • \bp8e\-[a-zA-Z0-9\-]{32}\b
  • Bearer xapp-\d-[A-Z0-9]+-\d+-[a-z0-9]+
  • (?i)[0-9]+-[0-9a-z_]{32}\.apps\.googleusercontent\.com
  • (?i)https:\/\/(?:www.)?hooks\.zapier\.com\/hooks\/catch\/[a-z0-9]+\/[a-z0-9]+\/
  • \b(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b
  • \brzp_live_[0-9a-zA-Z-_]+\b
  • (?i)\bpk_[0-9a-z]{34}\b
  • (?i)\bshippo_test_[a-fA-F0-9]{40}\b
  • \b(pscale_pw_[a-zA-Z0-9=\-_\.]{32,64})\b
  • \bAIza[0-9a-zA-Z-_]{35}\b
  • '[-]{5}BEGIN OPENSSH PRIVATE KEY[-]{5}([\s\S]{128,}?)[-]{5}END OPENSSH PRIVATE KEY[-]{5}'
  • '[-]{5}BEGIN RSA PRIVATE KEY[-]{5}([\s\S]{128,}?)[-]{5}END RSA PRIVATE KEY[-]{5}'
  • (?i)\bduffel_test_[a-zA-Z0-9_-]{43}\b
  • (?i)\br8_[0-9a-z-_]{37}\b
  • (?i)\bhf_[0-9a-z]{34}\b
  • \b[a-f0-9]{8}:[a-f0-9]{8}\b
  • \bakaa[0-9a-z-]{15,1000}\b
  • (?i)\bghr_[0-9a-zA-Z]{36}\b
  • (?i)\bshippo_live_[a-fA-F0-9]{40}\b
  • \bglptt-[0-9a-f]{40}\b
  • \bdapi([a-hA-H0-9]{32})\b
  • \bpscale_app_secret_[a-zA-Z0-9=\-_\.]{43}\b
  • Bearer xox[os]-\d+-\d+-\d+-[a-fA-F\d]+
  • \bdt0c01\.[a-zA-Z0-9]{24}\.[a-zA-Z0-9]{64}\b
  • \b(glc_[A-Za-z0-9+\/]{32,400}={0,2})\b
  • (?i)\brubygems_[a-f0-9]{48}\b
  • (?i)\bCCIPAT_[0-9a-z]{22}_[0-9a-z]{40}\b
  • \bNRII-[a-zA-Z0-9-]{32}\b
  • Bearer xoxb-[0-9]{10,13}\-[0-9]{10,13}[a-zA-Z0-9-]*
  • (?i)\bghp_[A-Z0-9]{36}\b
  • \bakab-[a-zA-Z0-9]{16}-[a-zA-Z0-9]{16}\b
  • (?i)\bgh[us]_[0-9a-zA-Z]{36}\b
  • \bGR1348941[0-9a-zA-Z\-\_]{20}\b
  • \bdp\.ct\.[a-zA-Z0-9]{40,44}\b
  • \bapi_org_[a-zA-Z]{34}\b
  • \beyJrIjoi[A-Za-z0-9]{70,400}={0,2}\b
  • \btk-us-[a-zA-Z0-9-_]{48}\b
  • \bAGE-SECRET-KEY-1[QPZRY9X8GF2TVDW0S3JN54KHCE6MUA7L]{58}\b
  • \bsu[a-zA-Z0-9]{12}\b
  • (?i)\bBasic [A-Z0-9+/]{8,1000}[=]{0,2}
  • '[-]{5}BEGIN DSA PRIVATE KEY[-]{5}([\s\S]{128,}?)[-]{5}END DSA PRIVATE KEY[-]{5}'
  • \bdG9rO[0-9a-zA-Z]{54}\=
  • \bphc_[a-zA-Z0-9_]{43}\b
  • \bBearer [A-Za-z0-9\-._~+/]{8,1000}[=]{0,2}
  • (?i)\bNRAK-[0-9a-z-_]{27}\b
  • (?i)\bgho_[0-9a-zA-Z]{36}\b
  • (?i)\bpul-[a-fA-F0-9]{40}\b
  • (?i)\bhttps:\/\/chat\.twilio\.com\/v2\/Services\/[a-zA-Z0-9]{32}\b
  • \bpub-c-[0-9a-z]{8}-[0-9a-z]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}\b
  • \baio\_[a-zA-Z0-9]{28}\b
  • \b(live|test)_[a-f0-9]{35}\b
  • \bpk\.[a-zA-Z0-9]{60,70}\.[a-zA-Z0-9]{22}\b
  • '[-]{5}BEGIN PGP PRIVATE KEY BLOCK[-]{5}([\s\S]{128,}?)[-]{5}END PGP PRIVATE KEY BLOCK[-]{5}'
  • \bsk_[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b
  • (?i)\bdo[por]v1[a-f0-9]{64}\b
  • \bey[a-zA-Z0-9]{17,512}\.ey[a-zA-Z0-9/-]{17,512}\.[a-zA-Z0-9/-]{17,512}={0,2}\b
  • \bLTAI[a-zA-Z0-9]{20}\b
  • \brdme_[a-zA-Z0-9]{70}\b
  • \bsecret_[0-9a-zA-Z-_]{43}\b
  • (?i)\bpk_[0-9]{7,8}_[0-9a-z]{32}\b
  • Bearer [0-9]{15,25}-[a-zA-Z0-9]{20,40}
  • \bpnu_[a-zA-Z0-9]{36}\b
  • \bsub-c-[0-9a-z]{8}-[a-z]{4}-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{12}\b
  • \bfio-u-[a-zA-Z0-9\-_=]{64}\b
  • (?i)\brk_live_[0-9a-z]{24}\b
  • \bion_[a-zA-Z0-9]{42}\b
  • \bkey[a-zA-Z0-9]{14}\b
  • https:\/\/www\.google\.com\/calendar\/embed\?src=[A-Za-z0-9%\@&;=\-_\.\/]+
  • \bpdct\.1\.1\.[0-9A-Z]{16}\.[0-9a-z]{16}\.[0-9a-z]{40}\b
  • \bYC[a-zA-Z0-9_\-]{38}\b
  • \bBBFF-[0-9a-zA-Z]{30}\b
  • (?i)\bpscale_tkn_[a-zA-Z0-9\-_\.]{43}\b
  • \bEZTK[a-zA-Z0-9]{54}\b
  • \bapify\api\[a-zA-Z-0-9]{36}\b
  • \bEAACEdEose0cBA[0-9A-Za-z]{5,1000}\b
  • \bPMAT-[0-9A-Z]{26}\b
  • (?i)\bshpca_[a-fA-F0-9]{32}\b
  • Bearer xoxb-[0-9]{8,14}\-[a-zA-Z0-9]{18,26}
  • \bdp\.scim\.[a-zA-Z0-9]{40,44}\b
  • \bsk\.[a-zA-Z-0-9\.]{80,240}\b
  • \bpscale_oauth_[a-zA-Z0-9=\-_\.]{43}\b
  • \bsk_test_[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}\b
  • (?i)\bKEY[0-9A-Z_-]{55}\b
  • (?i)\bhttps:\/\/hooks\.slack\.com\/(services|workflows)\/[a-z0-9_+\/]{43,46}\b
  • (?i)\bsbp_[a-f0-9]{40}\b
  • (?i)\bsk-[0-9a-z]{20}T3BlbkFJ[0-9a-z]{20}\b
  • \bgithub_pat_[0-9a-zA-Z_]{82}\b
  • \bFLWSECK_TEST-[a-h0-9]{32}-X\b
  • \bsl\.[a-zA-Z0-9\-=_]{135,}\b
  • Bearer xoxe-\d-[a-zA-Z0-9]{146}
  • (?i)\bglpat-[0-9a-zA-Z_\-]{20}\b
  • \bhttps://[a-zA-Z0-9\\-]{0,63}\\.webhook\\.office\\.com/webhookb2/[a-z0-9-]{36}@[a-z0-9-]{36}/IncomingWebhook/[a-z0-9]{32}/[a-z0-9-]{36}
  • \b\d{15,16}\|[0-9a-zA-Z\-_]{27}\b
  • sb_secret_[-_a-zA-Z0-9]{27}
  • \bLTAI[a-zA-Z0-9]{17,21}\b
  • (?i)\beyJhbGciOi[a-z0-9_\-\.]{2,1000}\b

Optional regular expressions

Optional regular expressions include the following:

  • US SSN: ^(?P<usssn>[0-9]{3}-[0-9]{2}-[0-9]{4})$

  • 10-digit phone number: ^(?P<phone>(\+\d{1,2}\s?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}$)

  • Email addresses: (?P<email>(?:[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+(?:\.[a-z0-9!#$%&'*+/=?^_\x60{|}~-]+)*|\"(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21\x23-\x5b\x5d-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])*\")@(?:(?:[a-z0-9](?:[a-z0-9-]*[a-z0-9])?\.)+[a-z0-9](?:[a-z0-9-]*[a-z0-9])?|\[(?:(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9]))\.){3}(?:(2(5[0-5]|[0-4][0-9])|1[0-9][0-9]|[1-9]?[0-9])|[a-z0-9-]*[a-z0-9]:(?:[\x01-\x08\x0b\x0c\x0e-\x1f\x21-\x5a\x53-\x7f]|\\[\x01-\x09\x0b\x0c\x0e-\x7f])+)\]))

  • American Express card: ^(?P<amexcard>3[47][0-9]{2}[\s,-]?[0-9]{6}[\s,-]?[0-9]{5})$

  • BCGlobal card: ^(?P<bcglobalcard>(?:6541|6556)(?:[\s,-]?[0-9]{4}){3})$

  • Carte Blanche card: ^(?P<carteblanchecard>389[0-9][\s,-]?[0-9]{6}[\s,-]?[0-9]{4})$

  • Diners Club card: ^(?P<dinersclubcard>3(?:0[0-5][0-9]|[68][0-9]{2})[\s,-]?[0-9]{6}[\s,-]?[0-9]{4})$

  • Discover card: ^(?P<discovercard>(?:65[4-9][0-9]|64[4-9][0-9]|6011)[\s,-]?(?:[0-9]{4}[\s,-]?){3}|(?:622(?:1[\s,-]?2[6-9]|1[\s,-]?[3-9][0-9]|[2-8][\s,-]?[0-9][0-9]|9[\s,-]?[01][0-9]|9[\s,-]?2[0-5]))(?:[0-9]{2}[\s,-]?[0-9]{4}[\s,-]?[0-9]{4}))$

  • Insta Payment card: ^(?P<instacard>63[7-9][0-9](?:[\s,-]?[0-9]{4}){3})$

  • JCB card: ^(?P<jcbcard>35[0-9]{2}(?:[\s,-]?[0-9]{4}){3})$

  • Korean Local card: ^(?P<koreanlocalcard>9[0-9]{3}(?:[\s,-]?[0-9]{4}){3})$

  • Laser card: ^(?P<lasercard>(?:6304|6706|6709|6771)(?:[\s,-]?[0-9]{4}){3})$

  • Maestro card: ^(?P<maestrocard>(?:5018|5020|5038|6304|6759|6761|6763)(?:[\s,-]?[0-9]{4}[\s,-]?[0-9]{5}|[\s,-]?[0-9]{6}[\s,-]?[0-9]{5}|(?:[\s,-]?[0-9]{4}){3}(?:[\s,-]?[0-9]{3})?))$

  • Mastercard: ^(?P<mastercard>(?:5[1-5][0-9]{2}|2(?:22[1-9]|2[3-9][0-9]|[3-6][0-9]{2}|7[0-1][0-9]|720))(?:[\s,-]?[0-9]{4}){3})$

  • Solo card: ^(?P<solocard>(?:6334|6767)(?:[\s,-]?[0-9]{4}){3}(?:[\s,-]?[0-9]{3})?)$

  • Switch card: ^(?P<switchcard>(?:4903|4905|4911|4936|6333|6759)(?:[\s,-]?[0-9]{4}){3}|5641[\s,-]?82[0-9]{2}(?:[\s,-]?[0-9]{4}){2}|6331[\s,-]?10[0-9]{2}(?:[\s,-]?[0-9]{4}){2})$

  • Union Pay card: ^(?P<unionpaycard>62[0-9]{2}(?:[\s,-]?[0-9]{4}){3})$

  • Visa card: ^(?P<visacard>4[0-9]{3}(?:[\s,-]?[0-9]{4}){3})$

  • Visa Master card: ^(?P<visamastercard>5[1-5][0-9]{2}(?:[\s,-]?[0-9]{4}){3})$
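
The three mechanisms above, combined into one pass over a decoded JSON payload, as an added example that is not Postman's code. The key and pattern lists are small subsets copied from this page; `redact`, `redact_value`, the constructed sample payload and the choice to replace only the matching substring are assumptions of the example. It also shows that the optional card patterns, being anchored with `^` and `$`, match only when the whole value is the card number.

```python
import re

REDACTED = "*REDACTED*"

# Subset of the page's default keys; lower-cased for case-insensitive lookup.
SENSITIVE_KEYS = {k.lower() for k in (
    "accessToken", "api-key", "password", "set-cookie", "token", "x-api-key",
)}

# Subset of the page's default value patterns, copied verbatim.
DEFAULT_PATTERNS = [re.compile(p) for p in (
    r"\bPMAK-[a-f0-9]{24}-[a-f0-9]{34}\b",
    r"\b(A3T[A-Z0-9]|AKIA|AGPA|AIDA|AROA|AIPA|ANPA|ANVA|ASIA)[A-Z0-9]{16}\b",
    r"\bBearer [A-Za-z0-9\-._~+/]{8,1000}[=]{0,2}",
    r"(?i)\bghp_[A-Z0-9]{36}\b",
)]

# One optional pattern from the page (Visa card). The ^...$ anchors mean it
# only matches when the entire value is the card number.
OPTIONAL_PATTERNS = [re.compile(
    r"^(?P<visacard>4[0-9]{3}(?:[\s,-]?[0-9]{4}){3})$")]

# Constructed sample payload (no real credentials).
SAMPLE = {
    "X-API-Key": "abc123",
    "user": {"Password": "hunter2", "note": "key AKIAABCDEFGHIJKLMNOP leaked"},
    "headers": ["Authorization: Bearer abcdefgh12345678"],
    "card": "4111 1111 1111 1111",
    "memo": "paid with 4111 1111 1111 1111 today",
}


def redact_value(text, patterns):
    """Replace every match of every pattern inside one string value."""
    for pat in patterns:
        text = pat.sub(REDACTED, text)
    return text


def redact(node, patterns):
    """Recursively redact a decoded JSON document (dict, list or scalar)."""
    if isinstance(node, dict):
        return {k: REDACTED if k.lower() in SENSITIVE_KEYS
                else redact(v, patterns) for k, v in node.items()}
    if isinstance(node, list):
        return [redact(v, patterns) for v in node]
    if isinstance(node, str):
        return redact_value(node, patterns)
    return node
```
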