# Securely using API keys in Postman

***Last updated on March 20, 2023.*** If you work with APIs, then you already know there's many ways to prove your identity and gain access to an API, such as [API keys](https://blog.postman.com/what-is-an-api-key/). To help you use API keys as effectively as possible, let’s walk through some common pitfalls we see come up, and learn how to handle sensitive data in Postman. I’m going to reference the Postman tutorial called [Securely Using API Keys](https://www.postman.com/postman/postman-team-collections/collection/3suzqt9/securely-using-api-keys-in-postman). If you want to join along in Postman with more detailed explanations, import the full tutorial [here](https://www.postman.com/postman/postman-team-collections/collection/3suzqt9/securely-using-api-keys-in-postman) and follow the step-by-step documentation. Let's look at three ways to securely work with API keys. Build your own example by following this step-by-step tutorial, or fork the example collection and environment in [this workspace](https://www.postman.com/postman/workspace/postman-team-collections/overview) to follow along. - Fork the [example collection](https://www.postman.com/postman/workspace/postman-team-collections/collection/1559645-3118cfc8-97a9-4133-a5c7-093784d50d20): Securely using API keys in Postman
- Fork the [example environment](https://www.postman.com/postman/workspace/postman-team-collections/environment/1559645-8157cb13-916b-43bd-ba9b-40cc9c465c68): Securely using API keys in Postman
 
### \#1: Do not embed your API keys directly in code

 ![Do not embed API keys directly in code](https://blog.postman.com/wp-content/uploads/2020/06/tip_1-1000x494.png) Instead of hard-coding your API keys, you can store them as [variables](https://learning.postman.com/docs/sending-requests/variables/) in Postman. In the same way you use variables for parameterized data, you can also use variables to decouple your secrets from the rest of your code. Storing your API key as a variable allows you to revoke, or refresh, the value in a single spot. There are different [variable scopes](https://learning.postman.com/docs/sending-requests/variables/#variable-scopes) to suit different use cases. Let's follow an example to store an API key as an environment variable. Using Postman environments allows you to decouple specific variables so they can be used alongside different collections and shared separately with other team members and collaborators. [Create an environment](https://learning.postman.com/docs/sending-requests/managing-environments/#creating-environments) and add an environment variable called `api_key`, and **Save** your changes. ![How to Use API Keys Tip: Create a Postman environment](https://blog.postman.com/wp-content/uploads/2020/06/create_env-1000x550.png) Postman displays the active environment in the environment selector, located in the top right of the workbench. You can also access all environments from **Environments** in the sidebar and select the set active icon next to an environment to make it the active environment. ![select an active environment](https://blog.postman.com/wp-content/uploads/2020/06/set_active-1000x550.png) Variables can be referenced in text fields with double curly braces, as you can see here with the **Authorization** tab. Hover over the variable name to inspect the variable's value and scope. ![curly braces to reference variables](https://blog.postman.com/wp-content/uploads/2020/06/auth_method-1000x627.png) Variables can also be referenced in script fields, such as by using `pm.environment.get()`:![scripts to reference variables](https://blog.postman.com/wp-content/uploads/2020/06/script-1000x490.png)### \#2: Do not share your API keys with your team

 ![](https://blog.postman.com/wp-content/uploads/2020/06/initial-current-values.png) If you’re sharing an environment with your team, keep your tokens private by only updating the current value. This also ensures that you don’t override the team’s value. For global, collection, and environment variables, you can distinguish between [an initial and current value](https://learning.postman.com/docs/postman/variables-and-environments/managing-environments/#adding-environment-variables). The current value is local to your session within your Postman app. If you log out of Postman, those values will disappear. The current value is never synced to your account or shared with your team—unless you choose to persist it—which keeps it more secure. Let’s walk through an example in which I share an environment with my team without sharing my personal API key. [Share the environment ](https://learning.postman.com/docs/postman/variables-and-environments/managing-environments/#working-with-environments-as-a-team)with your team by moving it to a team workspace: ![move environment to team workspace](https://blog.postman.com/wp-content/uploads/2020/06/team-1000x550.png) Initial values are accessible to your team in the workspace. For example, if you want to share information like a base URL of `https://api.getpostman.com` for your API, those initial values will be accessible to the team. If someone with an environment editor role updates that initial value to v2 of the API like `https://api.getpostman.com/v2`, the updated initial value is shared with the team: ![initial values are accessible to team members](https://blog.postman.com/wp-content/uploads/2020/06/baseurl-1000x550.png) Current values are restricted to your session within your Postman app. If you log out and log back into Postman, those values will be gone. The current value is never synced to your account or shared with your team—unless you choose to persist it. When you’re working with a team, you can keep your private information as a current value so your team doesn’t have access to it. Current values are restricted to your session: ![current values are restricted to the session](https://blog.postman.com/wp-content/uploads/2020/06/current-1000x550.png) You can also define environment variables by **Type**. Variables are automatically assigned the default type when created, which is shown as plain text and has no extra properties. Users with editor role can change sensitive variables to [secret type](https://learning.postman.com/docs/sending-requests/variables/#variable-types), which masks the initial and current values for all workspace members. Secret type can be used to prevent unintentional disclosure of sensitive data, including API secrets, passwords, tokens, and keys. ![secret type of variable](https://blog.postman.com/wp-content/uploads/2020/06/secret-1000x550.png)### \#3: Do not leak your API keys publicly

 ![](https://blog.postman.com/wp-content/uploads/2020/06/placeholders.png) If you're sharing [Postman-generated documentation](https://learning.postman.com/docs/publishing-your-api/documenting-your-api/) with your team, or especially publicly, make sure you don't accidentally leak secrets. Let's walk through an example in which I [publish my API documentation](https://learning.postman.com/docs/publishing-your-api/publishing-your-docs/) publicly without leaking secrets. Use placeholder text for your API key's value. Postman relies on string substitution to render the initial values of environment values in the documentation. Display a dummy token or placeholder text—like `your-nasa-key` seen in the next image—to indicate what value to use. (Note: If you leave the value blank, Postman will display no information in the rendered web documentation.) ![](https://blog.postman.com/wp-content/uploads/2020/06/placeholder-1000x561.png) When you’re ready to publish the collection and environment, go ahead and [preview the documentation](https://learning.postman.com/docs/postman/api-documentation/publishing-your-docs/#configuring-your-public-docs) to scan for secrets. Postman will warn you about anything that appears to be a sensitive token, so you can make any updates before publishing the documentation: ![](https://blog.postman.com/wp-content/uploads/2020/06/preview-1024x654.png)### Three takeaways to keep your secrets safe

 To sum it all up, when you’re using API keys, keep your secrets safe with Postman by following these three tips: - - Store API keys in variables
    - Use initial and current values
    - Use placeholders to show users what info is required
 
 ![](https://blog.postman.com/wp-content/uploads/2020/06/tip_all-1000x831.png) For more on API keys and security, see our “[How We’re Protecting Your Postman API Keys in GitHub](https://blog.postman.com/how-were-protecting-your-postman-api-keys-in-github/)” blog post. You can also check out Google’s [best practices for securely using API keys](https://support.google.com/googleapi/answer/6310037) in Google Cloud Platform (GCP) applications.