Announcing automatic removal of secrets on the Postman API Network

Updated on March 13, 2025
We are humbled by the global adoption of the Postman API Network in recent years. Having grown from just a few hundred APIs to more than 100,000, it has become the world’s largest public API hub.
We recognize that with the scale of the API Network comes great responsibility to safeguard our users’ secrets. That’s why at POST/CON 24, we launched Guided Auth for public APIs. This helps consumers get started faster and more securely with a one-click auth flow that places their secrets in their Postman Vault. But there’s more to be done.
As Postman users have created more and more content on the network, we’ve seen an increase in the volume of secrets included in public workspaces—from API keys and passwords to authorization tokens. Although we’ve seen well-intended use cases—such as sharing secrets to simplify authorization or educate consumers on the type of secret to use—we believe that you don’t need to distribute secrets to distribute APIs.
In June 2024, we started removing public workspaces with known exposed secrets from the network. While this was effective, it created extra work for publishers to secure their workspaces and removed a lot of valuable content.
To make things simpler, in December 2024, we began automatically replacing secrets with placeholder values without taking the workspace down. These automatic replacements are triggered whenever a secret is detected during a workspace scan.
Here’s what you should know:
- Public content is scanned for sensitive information every time it is updated. If a secret is detected, we remove it automatically.
- Our system is periodically enhanced to detect new secret types. In these cases, workspace owners have the opportunity to remove their exposed secrets themselves before they’re removed automatically.
Team admins are notified in-app and via email with the relevant details to ensure they can revoke the exposed credentials and take steps to prevent similar occurrences in the future.
Postman is committed to building an API Network that sets the standard for API security and reliability. These policy changes create a safer and more secure environment for all our users by protecting the sensitive information of both API publishers and consumers. We understand that these changes may require you to make some adjustments, and we’re here to support you throughout this transition. If you have any questions, feel free to submit a support request, and a member of our team will get back to you.
Thank you for being a part of our global API Network community!