Announcing security updates to the Public API Network: new secret-protection policy
We are humbled by the global adoption of Postman’s Public API Network in recent years. Having grown from just a few hundred APIs to more than 100,000 APIs, it has become the world’s largest public API hub.
We recognize that with the scale of the Public API Network comes great responsibility to safeguard our users’ secrets. That’s why at POST/CON 24, we launched Guided Auth for public APIs. This now helps consumers get started faster and more securely with a one-click auth flow that places their secrets in their Postman Vault. But there’s more to be done.
As Postman users have created more and more content on the Public API Network, we’ve seen an increase in the volume of secrets included in public workspaces—from API keys and passwords to authorization tokens. Although we’ve seen well-intended use cases—such as sharing secrets to simplify authorization or educate consumers on the type of secret to use—we believe that you don’t need to distribute secrets to distribute APIs.
Postman’s Secret Scanner currently alerts publishers with in-app notifications and emails when their public workspaces include secrets. We also provide guidance on revoking exposed secrets and removing them from public workspaces. But this is no longer enough. As such, we are now taking new measures to further protect the security of the Public API Network community.
Starting this month, we are removing public workspaces with known exposed secrets from the Public API Network. As we roll out this policy change, owners of public workspaces containing secrets will be notified and have the opportunity to remove their exposed secrets before that workspace is removed from the network. If your public workspace contains secrets, you’ll receive an email from Postman with step-by-step guidance on how to resolve them.
Any public workspaces that still contain secrets after the deadline provided in the official email notification will be removed from the Public API Network:
-
Public workspaces owned by teams will become team workspaces.
-
Public workspaces owned by individuals will become personal workspaces.
What if you miss the email notification? Don’t worry, publishers can take corrective action at any time after receiving the email. Once you have removed secrets from your workspace, you can make it public again.
Postman is committed to building a Public API Network that sets the standard for API security and reliability. These policy changes create a safer and more secure environment for all our users by protecting the sensitive information of both API publishers and consumers. We understand that these changes may require you to make some adjustments, and we’re here to support you throughout this transition. If you have any questions, feel free to submit a support request, and a member of our team will get back to you.
Thank you for being a part of our global Public API Network community!
What do you think about this topic? Tell us in a comment below.