Easier Collaboration on OAuth 2.0 with Postman

Reading Time: 3 minutes

Over the last few years, Postman has evolved to become an API development platform, with the ability to build a request and inspect the response being one of the core features we offer. Authentication is a fundamental part of an API, and since OAuth 2.0 has emerged as one of the most used auth methods, we’ve made a few improvements to make the OAuth 2.0 token generation and retrieval process smooth in a collaborative environment. In this post, we are going to look at some ways we’re making it easier to use OAuth 2.0 through Postman.

Easy access to OAuth token generation information

We want to simplify working with multiple OAuth 2.0 servers through Postman. You can now save the information required to generate an OAuth 2.0 token with the request or collection, and you won’t have to enter these details again when you’re generating a new token. This information will be sharable with the request/collection as well.

When you click on Edit for a folder/collection, under the Authorization tab select Type as “OAuth 2.0.” Now you will find the following details shown below:

Configuring a new oauth 2.0 token in postman
Token generation information under Authorization tab in Postman

This information is helpful when you have multiple requests using different OAuth servers or when you’re sharing a request with someone who needs the details to generate the token.

Pro Tip: OAuth token generation information can contain sensitive data. Like other authentication methods, we encourage you to use environment variables to mask this when sharing the request or collection.

On-demand sharing of OAuth access token

An OAuth token contains sensitive information and should be shared very carefully. You can now optionally choose to share a token with the request or collection. All you have to do is sync the token by clicking the sync icon under the Authorization tab. By default, we will not sync the token. If you don’t sync the token, it will still be present in your local session and can be used by you in the app, but it won’t be stored with the request on Postman cloud.

Sync access token by clicking the sync icon beside the Access Token field

Another important thing to note here is that you can still generate the token and use it even if you’re not the editor of the request/collection; you will have all the information needed to generate the token. You can also create a new token and use it in your local session. But since you’re the viewer of the collection (and not the editor), you won’t be able to sync it on the Postman cloud. This will give you better access control in using tokens.

Disabled sync feature
Sync disabled for users who don’t have the editor role

Restoring token generation information after upgrade

In the Configure New Token section under the selected OAuth 2.0 auth method, you will see an “Edit Token Configuration” button that will allow you to restore the information you used to generate the token previously. This option will be visible for requests that have OAuth 2.0 method stored within them.

Copying the token generation information in Postman
Edit Token Configuration button in Configure New Token section

Clicking on the “Edit Token Configuration” button will

Note: The token generation information is not stored with the request/collection. It is stored in the session and can be accessed within the scope of the app. Only when you click on the “Edit Token Configuration” button will it get copied to the request and synced with the collection when the “Save” button is pressed.

Postman allows users to collaborate on building, testing, and managing APIs. These improvements in authorization further collaboration on authorizing requests and managing tokens for multiple OAuth servers. Download the latest Postman app and check out these newest features and more.

What do you think about this topic? Tell us in a comment below. You can also give product feedback through our Community forum and GitHub repository.




Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

You might also like: