Postman’s handling of secrets

A recent look at Postman’s secret and environment variable logging is an important conversation to have with our community and one that we welcome. Privacy and security are critical to building trust with our customers and to Postman’s success, and we therefore value transparency and learning from our customers.
We continually investigate Postman’s internal and customer security posture during our security review processes. For example, during our last cycle, we identified secret and environment variable data passing through our system without being stored. We began remediating those issues, and before the fixes reached production, concerns were raised by the community.
Those new tools to better protect users’ secrets are now in production, and I’d like to explain here how we continue to evolve our security posture as it relates to secrets.
Postman’s Secret Type
In January 2022, we introduced the Secret Variable Type to address the risk of mistakenly exposing your tokens and secrets to an unintended audience while screen sharing or live streaming. This feature masks API secrets, keys, tokens, and passwords in Postman to help you avoid threats such as over-the-shoulder attacks. We encourage users to implement this feature and other best practices when working with variables.
However, we noticed that users sometimes used this feature in unexpected ways. Accordingly, in June 2024, we began automatically removing secrets on the Postman API Network identified through our Secret Scanner. Thereafter, in December 2024, we automatically replaced secrets with placeholder values whenever we detected a secret through our workspace scans.
As we informed users then, and repeat now:
- “Public content is scanned for sensitive information every time it is updated. If a secret is detected, we remove it automatically.
- Our system is periodically enhanced to detect new secret types. In these cases, workspace owners have the opportunity to remove their exposed secrets themselves before they’re removed automatically.”
Postman Vault brings additional security
We have since taken steps to increase security by default by launching Vault, which provides an end-to-end encrypted local storage vault within Postman. Again, we encourage all users to leverage Vault to protect their information.
The future of security at Postman
At Postman, we are committed to continuously improving our product in areas where we could do better, particularly with respect to the security of your data, including where it is stored and how it gets parsed. We will be making further investments in Postman Vault to ensure potential misconfigurations are disallowed. In the near future, we will also simplify the concepts of local and current values. Ultimately, our aim is that customers don’t need to worry about how their APIs are configured and can focus on what’s important: executing faster.
Postman is committed to working in partnership with our customers to build an API Network that sets the standard for API security and reliability. If you have any questions, feel free to submit a support request, and a member of our team will get back to you. We welcome your feedback and ideas through either our bug bounty program or via email.
Thank you for being a part of our global API Network community!
Sam Chehab, Head of Information Security and IT, Postman