Introducing the Secret Variable Type in Postman
In Postman, variables let you reuse data and collaborate when developing and testing API requests. Variables are often used to store sensitive information, such as the API credentials needed to authenticate and authorize API requests.
With the latest Postman release, we want to empower you to better manage your API secrets, passwords, tokens, and keys. While supporting greater collaboration, this will also help you as an API producer avoid vulnerabilities that result from accidentally sharing credentials with an unknown third party.
We are very excited to announce that along with variable names and values, you will now be able to indicate variable types in environments and globals. The two types we are now supporting with this release are “default” and “secret.”
Users with editor access will be able to create new variables and mark the type on existing variables in environments and globals. If you don’t specify the variable type, Postman will set it to the “default” type, and you will be able to use the variable the same way you have been using it. Values of default-type variables will be visible in plaintext on the screen.
We are glad to announce that in the future, we plan to extend support for more types to supercharge your variables even further.
Secret variable type and masking
The secret variable type will enable masking of the initial and current values. Today, when you use variables to store credentials, the values can be seen in plaintext on the screen by you and others. With this update, we address vulnerabilities that result from mistakenly exposing your tokens and secrets to an unintended audience while screen sharing or livestreaming. Masking your sensitive data will also help you avoid threats such as over-the-shoulder attacks.
As a comprehensive API platform meant to foster collaboration, we also want to make sure security remains tight amongst users during collaboration. So, once you set a variable as a secret type, we will mask it for all workspace members. Changing the type from secret to default will result in removing masking on the values for all workspace members.
Any user who has edit rights on the environment and globals can create a secret variable or convert an existing variable to the secret type. Workspace members can still view a masked value by toggling the eye icon.
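To find variables that should be switched to the secret type, a team can audit an exported environment file. The following is an added example, not code from Postman: it assumes the export is JSON with a `values` list whose entries carry `key`, `value` and `type`, and the key-name pattern and sample data are constructed for illustration.

```python
import json
import re

# Assumption: key names that usually hold credentials; tune this for your team.
SENSITIVE_KEY = re.compile(r"(secret|token|passw|api[_-]?key|credential)", re.I)


def unmasked_credentials(env: dict) -> list[str]:
    """Return keys that look like credentials but are not typed 'secret'."""
    findings = []
    for var in env.get("values", []):
        key = var.get("key", "")
        # As the post states, an unspecified type is treated as "default".
        var_type = var.get("type") or "default"
        if not var.get("value"):
            continue  # nothing stored, so nothing to mask
        if var_type != "secret" and SENSITIVE_KEY.search(key):
            findings.append(key)
    return findings


# Constructed sample environment (assumed export layout, placeholder values).
SAMPLE_ENV = json.loads("""
{
  "name": "staging (constructed sample)",
  "values": [
    {"key": "base_url",      "value": "https://api.example.test", "type": "default"},
    {"key": "api_key",       "value": "PLACEHOLDER-1",            "type": "secret"},
    {"key": "refresh_token", "value": "PLACEHOLDER-2",            "type": "default"},
    {"key": "db_password",   "value": "PLACEHOLDER-3"},
    {"key": "empty_token",   "value": "",                         "type": "default"}
  ]
}
""")

if __name__ == "__main__":
    for name in unmasked_credentials(SAMPLE_ENV):
        print(f"{name}: looks like a credential but is not marked secret")
```
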
Postman has long been committed to securing your data by encrypting and storing all your environment information. With this update, we are taking it a step further so that your data remains safe while you and your team are more productive.