Today we announced a new beta version of Postman that we’ve been working on to address a wide range of requests from our fantastic user community: Postman on the web. (We encourage you to read the launch blog post here.)
But bringing Postman to the web wasn’t as easy as simply building a browser-based UI. We needed to overcome a fundamental limitation of browser architectures to truly bring the Postman experience to the web.
The limitation of cross-origin resource sharing (CORS) in browsers
Modern browsers are great for humans surfing websites, but they have limitations when it comes to pulling data from APIs across many different domains. Leading browsers like Chrome and Firefox restrict how data is exchanged between different internet domains, limiting requests to the domain you have loaded in the address bar. This feature protects website users from malicious activity, but it is also something that negatively impacts one of the core capabilities of web APIs: the accessing of data, content, media, and algorithms across a variety of domains.
In the early days of Postman, these challenges with CORS while working with APIs in the browser quickly pushed Postman from the web to the desktop, resulting in the Windows and Mac versions of the Postman app that developers depend on today.
In our journey back to the web, the CORS limitation was a fundamental, ongoing issue that hindered our ability to bring an amazing API developer experience to the browser. We needed a new approach to solve this issue, and so the Postman engineering team got to work to find a breakthrough.
Introducing the Postman agent
To allow developers to make API requests on the web as part of this latest release, we had to find a way to get around these browser limitations. This work resulted in us developing the Postman agent.
The Postman agent is a micro-application that runs locally on your desktop and acts as your agent for making API calls on your behalf. To overcome limits in the browser, the Postman web interface will now route API calls to the local agent, and the agent will make API requests locally on your behalf, using your local profile, configuration, and network to make each request and pass the response back to the web interface. The Postman agent enables you to bypass the limitations that exist in the browser—while maximizing the access that exists locally on your desktop—by allowing API requests to originate in the browser, but be routed through your local machine and network, and back again.
The first time you visit https://go.postman.co/build to make requests using Postman on the web, you’ll be prompted to download the Postman agent for your operating system. Once it is downloaded, installed, and switched on in the Postman web application, API requests will be routed locally to the agent, which works with the Postman agent service (PAS) to make each API request and coordinate with the web application interface.
The Postman agent employs a TCP connection using WebSockets to publish and subscribe to a JSON payload that uses our internal collection execution protocol. The above diagram breaks down how the Postman agent works with the agent service to securely route API requests to be executed locally, then also makes sure the response gets routed back to the web application. (Making API calls using Postman in the browser is currently in beta, and so is the Postman agent.)
We also want to let you know that we’ve implemented fully encrypted connections, but have not turned that encryption on for the beta release. The reason for that is we wanted beta users to be able to get up and running without having to deal with certificate issues.
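A local agent that takes WebSocket connections from a browser page has to decide who may connect, because browsers do not apply the same-origin policy to WebSocket handshakes. The following is an added example, not Postman's code: a Node.js sketch of such a handshake gate, where the allow-listed origin is derived from the URL above and the port and the name checkHandshake are assumptions.

```javascript
// Assumption: the one web origin allowed to drive the agent (from the URL above).
const ALLOWED_ORIGINS = new Set(['https://go.postman.co']);
// Placeholder port for this sketch; not the real agent's port.
const AGENT_PORT = 18080;
const LOOPBACK_HOSTS = new Set(['localhost', '127.0.0.1', '[::1]']);

// headers: lower-cased request headers, as Node's http module provides them.
function checkHandshake(headers) {
  if (String(headers.upgrade || '').toLowerCase() !== 'websocket') {
    return { accept: false, reason: 'not a WebSocket upgrade' };
  }
  // Host must name loopback and our port, so a foreign hostname that merely
  // resolves to 127.0.0.1 is refused.
  const m = /^(.*):(\d+)$/.exec(String(headers.host || '').toLowerCase());
  if (!m || !LOOPBACK_HOSTS.has(m[1]) || Number(m[2]) !== AGENT_PORT) {
    return { accept: false, reason: 'unexpected Host' };
  }
  // Browsers attach Origin to every WebSocket handshake and page scripts cannot
  // override it. Compare exactly; prefix or substring matching is a classic bug.
  const origin = headers.origin;
  if (typeof origin !== 'string') {
    return { accept: false, reason: 'missing Origin' };
  }
  let parsed;
  try {
    parsed = new URL(origin);
  } catch (err) {
    return { accept: false, reason: 'malformed Origin' };
  }
  if (parsed.origin !== origin || !ALLOWED_ORIGINS.has(origin)) {
    return { accept: false, reason: 'origin not allowed' };
  }
  return { accept: true, reason: 'ok' };
}

// Constructed handshakes: the expected web app, then a look-alike origin.
const base = { upgrade: 'websocket', host: `localhost:${AGENT_PORT}` };
const samples = [
  { ...base, origin: 'https://go.postman.co' },
  { ...base, origin: 'https://go.postman.co.attacker.example' },
];
for (const h of samples) {
  console.log(h.origin, '->', checkHandshake(h).reason);
}
```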
Try the Postman agent out and give us your feedback
To help move things forward with the web version of Postman and the Postman agent, we’d like to get your feedback. We need to understand where you manage your APIs, and where you would run your agents. We’re looking to understand how you’re consuming and building your APIs, and how we can help you optimize each aspect of your operations. We encourage you to test-drive the new release here, and give us your feedback here.
We don’t expect that you’ll immediately move all of your API requests to the web and abandon the relationship you’ve developed with the desktop edition of Postman, but we’d love to explore with you what’s possible when you start separating the different aspects of your API operations. Ultimately, we want to work with you to help you decide how to best optimize what runs in the cloud, what runs on your desktop, and where else you need to be executing collections to orchestrate and automate using the internal, partner, and public APIs you depend on across the enterprise.