Easier Collaboration on OAuth 2.0 with Postman
Over the last few years, Postman has evolved to become an API development platform, with the ability to build a request and inspect the response being one of the core features we offer. Authentication is a fundamental part of an API, and since OAuth 2.0 has emerged as one of the most used auth methods, we’ve made a few improvements to make the OAuth 2.0 token generation and retrieval process smooth in a collaborative environment. In this post, we are going to look at some ways we’re making it easier to use OAuth 2.0 through Postman.
Easy access to OAuth token generation information
We want to simplify working with multiple OAuth 2.0 servers through Postman. You can now save the information required to generate an OAuth 2.0 token with the request or collection, and you won’t have to enter these details again when you’re generating a new token. This information will be sharable with the request/collection as well.
When you click Edit for a folder or collection and select "OAuth 2.0" as the Type under the Authorization tab, you will see the token generation details shown below:
This information is helpful when you have multiple requests using different OAuth servers or when you’re sharing a request with someone who needs the details to generate the token.
Pro Tip: OAuth token generation information can contain sensitive data. Like other authentication methods, we encourage you to use environment variables to mask this when sharing the request or collection.
On-demand sharing of OAuth access token
An OAuth token contains sensitive information and should be shared very carefully. You can now optionally choose to share a token with the request or collection. All you have to do is sync the token by clicking the sync icon under the Authorization tab. By default, we will not sync the token. If you don't sync the token, it will still be present in your local session and you can still use it in the app, but it won't be stored with the request on Postman cloud.
Another important thing to note here is that you can still generate the token and use it even if you're not the editor of the request/collection; you will have all the information needed to generate the token. You can also create a new token and use it in your local session. But since you're a viewer of the collection (and not an editor), you won't be able to sync it to the Postman cloud. This gives you finer access control over how tokens are used.
Restoring token generation information after upgrade
In the Configure New Token section under the selected OAuth 2.0 auth method, you will see an "Edit Token Configuration" button that allows you to restore the information you previously used to generate the token. This option is visible for requests that have the OAuth 2.0 method stored within them.
Clicking on the “Edit Token Configuration” button will
Note: The token generation information is not stored with the request/collection. It is stored in the session and can be accessed within the scope of the app. Only when you click on the “Edit Token Configuration” button will it get copied to the request and synced with the collection when the “Save” button is pressed.
Postman allows users to collaborate on building, testing, and managing APIs. These authorization improvements make it easier to collaborate on authorizing requests and on managing tokens for multiple OAuth servers. Download the latest Postman app and check out these newest features and more.
Thanks Vansh for the blog post. The OAuth addition is great with the interaction and auto retrieval of access_token with authorization code. I have been propagating my access_token for my other requests using pm.set variable in tests and it has helped make the experience easier. I was trying the same method and I'm unable to retrieve the access_token for further processing, and my oauth2 also returns a refresh_token that I would like to save and reuse programmatically. Is there currently a way to access the "Manage Token" tokens somehow so I can retrieve information from the token? Thank you
@huy, right now, there is no way to access the "manage token" modal programmatically. We are looking at ways to improve the workflow around auto-refresh of tokens. Could you help us understand what your use case around refresh_token is? This will help us design a better solution.
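The token propagation that huy describes above (requesting the token yourself, then saving it from a Tests script so other requests can reference {{access_token}}) as an added example; this is not code from the post or from Postman. It assumes only that the environment object has set()/get(), which matches pm.environment, and the fake environment and token response are constructed here so the file runs under plain Node.js.

```javascript
// Added example, not Postman's code. In a Postman Tests tab you would call
// storeTokens(pm.response.json(), pm.environment); tokenNeedsRefresh() is
// meant for a pre-request script. Tokens go into the environment, which stays
// with the user, rather than into the shared collection, so syncing the
// collection never carries them along.

// Pick the fields out of an RFC 6749 token response and turn "expires_in"
// into an absolute expiry time (seconds), with a safety margin.
function parseTokenResponse(body, nowSeconds, marginSeconds = 30) {
  if (typeof body.access_token !== 'string' || body.access_token.length === 0) {
    throw new Error('token response has no access_token');
  }
  const expiresIn = Number.isInteger(body.expires_in) ? body.expires_in : 3600;
  return {
    accessToken: body.access_token,
    refreshToken: typeof body.refresh_token === 'string' ? body.refresh_token : null,
    expiresAt: nowSeconds + Math.max(0, expiresIn - marginSeconds),
  };
}

// Save the parsed token into environment variables and return what was saved.
function storeTokens(body, env, nowSeconds = Math.floor(Date.now() / 1000)) {
  const tokens = parseTokenResponse(body, nowSeconds);
  env.set('access_token', tokens.accessToken);
  env.set('token_expires_at', String(tokens.expiresAt));
  if (tokens.refreshToken !== null) {
    env.set('refresh_token', tokens.refreshToken);
  }
  return tokens;
}

// True when there is no usable token or it has (nearly) expired, so a
// pre-request script knows it must obtain a new one first.
function tokenNeedsRefresh(env, nowSeconds = Math.floor(Date.now() / 1000)) {
  const expiresAt = Number(env.get('token_expires_at'));
  return !env.get('access_token') || !Number.isFinite(expiresAt) || nowSeconds >= expiresAt;
}

// Constructed stand-in for pm.environment so the example runs outside Postman.
class FakeEnvironment {
  constructor() { this.vars = new Map(); }
  set(key, value) { this.vars.set(key, value); }
  get(key) { return this.vars.get(key); }
}

// Constructed sample token response; the values are placeholders, not tokens.
const sampleResponse = {
  access_token: 'ACCESS-TOKEN-PLACEHOLDER',
  token_type: 'Bearer',
  expires_in: 300,
  refresh_token: 'REFRESH-TOKEN-PLACEHOLDER',
};
```

Requests that need the token then use {{access_token}} in their Authorization header, and the refresh_token stays in the environment for a refresh request rather than being shared with the collection.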
It seems to me that authentication data (tokens) should be stored in the environment, not in the Collection. I work with many environments with the same APIs. Postman makes this use case very tangled by having the tokens stored in the Collection.
Right now I am using Keycloak, and using this feature, whenever my access token expires, I now have to go to my collection -> edit -> authorization -> get new access token. It is kind of expected as I am using PKCE, and then I am shown the GUI in a popup browser to enter credentials. Is there any way to automate this procedure?
Hi, I wanted to reuse the same token that is generated using OAuth 2.0 across multiple APIs. But I can see it is not possible to store the token as an environment variable. Could you please help sort this out, as manually entering the information for every API is not recommended?