At Postman, over the past year, we've introduced several new features to ease collaboration between the many stakeholders in the API development lifecycle. The launch of Postman public workspaces gave users a massively multiplayer API experience across the entire Postman ecosystem. It was our most significant release to date, reflecting our commitment to enabling users to collaborate on APIs seamlessly.
With easier collaboration comes the need for the right security controls to prevent excessive data exposure. To ensure that API collaborators are not caught off guard, we developed the Postman token scanner, which regularly checks Postman public workspaces and Postman public documentation for sensitive information such as leaked credentials.
We understand that the teams and organizations using Postman rely on different workflows, development tools, and internal credential formats for their API development. With this in mind, we've improved the Postman token scanner so that organizations can detect their own token formats and strengthen governance over the public exposure of such sensitive data.
Custom alerts for token scanner
You can now set up custom alerts for your team from the Token Scanner section of Team Settings in Postman by describing the sensitive token you want the scanner to watch for.
Note: Custom alerts are available only to Postman users with an active Enterprise license.
Navigating to the “Token Scanner” section of Team Settings
You can add up to five custom alerts for the Postman token scanner by clicking the "Add alert" button. For each custom alert you need to provide the following:
Name: The name of the sensitive token that this custom alert will monitor.
Type: The type of sensitive token that this custom alert will monitor.
Regular expression: The regular expression the Postman token scanner will use to identify tokens of this type.
Sample token: A sample token that this alert should match, used to confirm that the regular expression captures the intended format.
Adding a new custom alert for your team
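To make the four alert fields concrete, here is an added example (not Postman's own scanner code) of a small regex-based token scanner in JavaScript. It uses a hypothetical internal token format, `acme_live_` followed by 32 hex characters, validates the alert against its sample token the way the Sample token field does, and scans a constructed Postman collection export for exposures, skipping alerts that are toggled off. The alert object shape, the collection fragment and all function names are assumptions made for this example.

```javascript
// Added example (not Postman's code): a minimal regex-based token scanner built around
// the same four fields a custom alert takes: name, type, regular expression, sample token.

// Constructed alert definition. The "acme_live_" + 32 hex chars format is a hypothetical
// internal token type, not a real vendor format.
const customAlerts = [
  {
    name: 'Acme internal API key',
    type: 'API key',
    // \b anchors make the length exact: a longer or shorter hex run is not a hit.
    pattern: String.raw`\bacme_live_[0-9a-f]{32}\b`,
    // Dummy value used only to check the pattern; never put a live credential here.
    sample: 'acme_live_' + '0123456789abcdef'.repeat(2),
  },
];

// Does the pattern match a single candidate string? A fresh RegExp per call avoids the
// lastIndex state that a shared /g regex carries between .test() calls.
function matchesAlert(alert, text) {
  return new RegExp(alert.pattern).test(text);
}

// The "Sample token" check: an alert is only useful if its regex captures its own sample.
function validateAlert(alert) {
  return matchesAlert(alert, alert.sample);
}

// Yield [jsonPath, string] for every string leaf in a Postman collection tree, so that
// header values, URLs, bodies, variables and descriptions are all covered.
function* stringLeaves(node, path = '') {
  if (node === null || typeof node !== 'object') return;
  if (Array.isArray(node)) {
    for (let i = 0; i < node.length; i++) yield* stringLeaves(node[i], `${path}[${i}]`);
    return;
  }
  for (const [key, value] of Object.entries(node)) {
    const childPath = path ? `${path}.${key}` : key;
    if (typeof value === 'string') yield [childPath, value];
    else yield* stringLeaves(value, childPath);
  }
}

// Keep the prefix and the last four characters so a finding is actionable without
// re-exposing the full token in the notification or a log line.
function redact(token) {
  return `${token.slice(0, 10)}...${token.slice(-4)}`;
}

// Run every enabled alert over every string leaf and report where each token was found.
function scanCollection(collection, alerts) {
  const findings = [];
  for (const [location, text] of stringLeaves(collection)) {
    for (const alert of alerts) {
      if (alert.enabled === false) continue; // the per-alert toggle
      for (const match of text.matchAll(new RegExp(alert.pattern, 'g'))) {
        findings.push({ alert: alert.name, type: alert.type, location, token: redact(match[0]) });
      }
    }
  }
  return findings;
}

// Constructed Postman collection v2.1 fragment standing in for a public workspace export.
// One token leaks via an Authorization header, one via a raw request body; the {{apiKey}}
// variable reference is the safe pattern and must not be flagged.
const sampleCollection = {
  info: { name: 'Acme Orders (constructed sample)' },
  variable: [{ key: 'baseUrl', value: 'https://api.example.com' }],
  item: [
    {
      name: 'List orders',
      request: {
        method: 'GET',
        header: [{ key: 'Authorization', value: 'Bearer acme_live_0123456789abcdef0123456789abcdef' }],
        url: { raw: '{{baseUrl}}/orders' },
      },
    },
    {
      name: 'Create order',
      request: {
        method: 'POST',
        header: [{ key: 'X-Api-Key', value: '{{apiKey}}' }],
        url: { raw: '{{baseUrl}}/orders' },
        body: { mode: 'raw', raw: '{"note":"copied from prod: acme_live_' + 'f'.repeat(32) + '"}' },
      },
    },
  ],
};

console.log('alerts valid:', customAlerts.every(validateAlert));
console.log(JSON.stringify(scanCollection(sampleCollection, customAlerts), null, 2));
```

Two details carry over to real alerts: anchor the regular expression (the `\b` boundaries here reject tokens of the wrong length) so that variable references like `{{apiKey}}` and longer unrelated strings are not flagged, and keep the sample token a dummy value, since the scanner's purpose is to keep live credentials out of public resources in the first place.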
You can also disable an alert using its toggle if you want to stop monitoring a particular token for a while, and enable it again when you want to resume monitoring.
Enabling/disabling an existing custom alert
Once you configure and enable a custom alert, your team will receive email notifications whenever a token tracked by the alert is exposed. As soon as a member of your team adds such a token to a publicly facing Postman resource (i.e., public documentation or a public workspace), they will receive an email notifying them of the exposure, as shown below:
At Postman, we're constantly working on features and improvements that help you enforce the right security controls for yourself and your team. Check out the Postman Security public workspace, which contains more helpful resources.