Top 10 questions I hear from Postman users


Every Postman user is unique. As a Postman solutions engineer, my job is to be a trusted advisor offering users a tailored solution that fits their specific business needs. This means that I need to understand each individual or team’s existing API workflows to determine how Postman can best support them.

In this blog post, I’ll highlight the top 10 questions I commonly hear from potential and current Postman API Platform customers.

1. Where does Postman host its data?

Our infrastructure runs on AWS, and each customer's data is logically segregated from that of other customers. Users of the old Postman Scratch Pad can collaborate with their teams using workspaces once they migrate to the Postman Cloud; Postman provides step-by-step migration instructions for this.

2. What data is stored in the Postman Cloud?

Customer-configurable data that you define in Postman, such as collections and the Initial Values of environment variables, is synced to the Postman Cloud. Postman acts as a processor for this data and stores it encrypted at rest. We strongly recommend against storing sensitive data there, and we refer users to our shared responsibility model for recommendations on handling sensitive data in Postman. The user's email address is the only mandatory field we capture when creating an account; this is the only case in which Postman acts as a controller in the GDPR sense. Values stored in the Current Value field of a variable, or in a vault that Postman supports, are not synced to the Postman Cloud.

3. What are some guidelines to prevent PII or any sensitive data from being sent to the Postman Cloud?

We recommend using dummy data in your requests and leveraging Postman's dynamic variables, which are backed by the Faker library, to generate random sample data for testing. We also recommend keeping request data in local CSV or JSON data files that the Collection Runner reads at run time, rather than in variables that sync. Administrators can also use the Secret Scanner to identify any secrets that may have been exposed inadvertently, and can configure custom regular expression patterns in the Secret Scanner dashboard to detect your team's proprietary tokens and any third-party app tokens that aren't scanned by default.

4. What are some guidelines when using API keys and authentication credentials in Postman?

We recommend using Postman Vault to store secrets such as API keys and other sensitive information. The Advanced Security Administration add-on to the Postman Enterprise plan adds integrations that fetch secrets from external vault providers, including Azure Key Vault, HashiCorp Vault, 1Password, and AWS Secrets Manager.

We recommend using Postman Vault for the following reasons:

  • Secrets are encrypted before being stored locally.
  • Secrets are available across all your workspaces.
  • Vault secrets are masked when they are logged to the Postman console.
  • Vault secrets can be enabled/disabled allowing greater flexibility while being secure.
  • Vault secrets can be restricted to resolve only for specific domains, preventing inadvertently sharing secrets with the wrong API.

If you need to share API keys with other members of your workspace, you can use environment variables: setting the Initial Value column of an environment variable synchronizes that value to the Postman Cloud, which is what makes it visible to your teammates. Keep the trade-off in mind: a key shared this way is stored in the Postman Cloud and is readable by everyone who can access that environment, so prefer Postman Vault or an external vault integration wherever it fits your workflow.
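To make the Initial Value versus Current Value distinction from questions 2 to 4 concrete, here is an added example, written for this page and not part of the original post or of Postman's own tooling. It scans a Postman environment export for values that would sync to the Postman Cloud and match secret patterns, including a custom pattern of the kind you would configure in the Secret Scanner. The export layout (a `values` array whose `value` field carries the Initial Value), the sample environment, and the `ACME-` proprietary token format are all assumptions constructed for the example.

```javascript
// Added example: flag environment variables whose synced Initial Value looks like a secret.
// Assumption: a Postman environment export lists variables under "values" with "key",
// "value" (the Initial Value, which syncs to the Postman Cloud), "type" and "enabled".
// The sample export and the ACME token format below are constructed for this example.

const SECRET_PATTERNS = [
  { name: "AWS access key ID", re: /\bAKIA[0-9A-Z]{16}\b/ },
  { name: "GitHub personal access token", re: /\bghp_[A-Za-z0-9]{36}\b/ },
  { name: "JWT", re: /\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b/ },
  // Hypothetical proprietary token format: the kind of custom regex you would add
  // in the Secret Scanner dashboard for your team's own tokens.
  { name: "ACME internal token (custom pattern)", re: /\bACME-[a-f0-9]{32}\b/ },
];

// Variable names that suggest a credential even when the value matches no known pattern.
const SENSITIVE_KEY_HINT = /(key|secret|token|password|passwd|pwd)/i;

function mask(value) {
  // Keep a few characters so a finding is recognisable without echoing the secret.
  return value.length <= 8 ? "****" : value.slice(0, 4) + "..." + value.slice(-2);
}

function scanEnvironmentExport(exportJson) {
  const env = typeof exportJson === "string" ? JSON.parse(exportJson) : exportJson;
  const findings = [];
  for (const v of env.values || []) {
    const value = v.value == null ? "" : String(v.value);
    if (value === "") continue; // empty Initial Value: nothing syncs
    const reasons = SECRET_PATTERNS.filter((p) => p.re.test(value)).map((p) => p.name);
    if (reasons.length === 0 && SENSITIVE_KEY_HINT.test(v.key)) {
      reasons.push("variable name suggests a credential");
    }
    if (reasons.length > 0) {
      // Note: type "secret" only masks the value in the Postman UI; it does not stop
      // the Initial Value from syncing, so it is still reported here.
      findings.push({
        key: v.key,
        type: v.type || "default",
        enabled: v.enabled !== false,
        masked: mask(value),
        reasons,
      });
    }
  }
  return findings;
}

// Constructed sample export (AKIAIOSFODNN7EXAMPLE is the AWS documentation placeholder).
const SAMPLE_EXPORT = {
  name: "payments-dev",
  _postman_variable_scope: "environment",
  values: [
    { key: "baseUrl", value: "https://api.example.test", type: "default", enabled: true },
    { key: "awsAccessKeyId", value: "AKIAIOSFODNN7EXAMPLE", type: "secret", enabled: true },
    { key: "githubToken", value: "", type: "secret", enabled: true }, // blank Initial Value: safe
    { key: "acmeToken", value: "ACME-0123456789abcdef0123456789abcdef", type: "default", enabled: true },
    { key: "dbPassword", value: "hunter2", type: "secret", enabled: false },
  ],
};

const report = scanEnvironmentExport(SAMPLE_EXPORT);
for (const f of report) {
  console.log(`${f.key} (${f.type}, ${f.enabled ? "enabled" : "disabled"}): ${f.masked} -> ${f.reasons.join(", ")}`);
}
```

Run it against a real export of your own environments before sharing them; anything it reports is data that will leave the machine the moment the environment is synced or shared, so the fix is to blank the Initial Value and keep the real value in the Current Value column or in Postman Vault.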

5. Is there a seamless way to import collections or OpenAPI specs into Postman?

Yes. Postman supports importing an OpenAPI spec and auto-creating Postman assets from it, including collections, mocks, monitors, environment variables, and more; please refer to the Postman Scaffolding API for details. Postman also supports importing a collection JSON from an external source code repository such as GitHub or GitLab.

6. What are some best practices for team collaboration within Postman?

You can leverage many collaboration features, including Postman teams, team discovery, team workspaces, and commenting, to discuss and collaborate on your work within a secure environment. We also recommend using Postman's built-in version control features, such as forking, merging, pulling changes, and pull requests, all directly within Postman and without the need to integrate with an external repository.

7. What are some of the best practices for testing with Postman?

You can automate your test cases within your CI/CD pipeline: we support integrations with common CI tools, and you can view the status of build execution runs from within Postman to streamline your QA process. We recommend using mock servers to simulate the behavior of an API by returning predefined example responses, and Postman Monitors to schedule a collection run at a configurable interval with email or Slack notifications on the results. When automating your runs, you can use Postman's built-in scripting functions to customize your workflows, for example to chain requests or to stop execution early. Last but not least, Postman's AI assistant, Postbot, can accelerate test creation by writing tests, visualizing responses, and auto-completing your test code.
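Here is an added example, not from the original post, of the kind of test script the paragraph refers to: it checks a login response, chains to the next request on success, and stops the collection run on failure. Because Postman's `pm` and `postman` sandbox objects only exist inside Postman, the example pairs the script with a small constructed stand-in for them so it can be exercised under Node; that stand-in is not Postman's implementation. The request name "Get Account", the variable name `authToken`, and the response bodies are assumptions.

```javascript
// Added example: a Postman test script for a login request, plus a constructed stand-in
// for the Postman sandbox so the script can run under Node for illustration.
// The request name "Get Account" and the response shape are assumptions.

// The script as it would appear in the request's "Tests" tab (pm and postman are
// provided by the sandbox there; here they are passed in explicitly).
function loginTestScript(pm, postman) {
  pm.test("login returns 200", () => {
    if (pm.response.code !== 200) throw new Error(`expected 200, got ${pm.response.code}`);
  });

  const body = pm.response.code === 200 ? pm.response.json() : {};
  pm.test("response carries a token", () => {
    if (typeof body.token !== "string" || body.token.length === 0) throw new Error("no token in response");
  });

  if (typeof body.token === "string" && body.token.length > 0) {
    // pm.environment.set writes the variable's Current Value, which stays on the
    // local machine and is not synced to the Postman Cloud (unlike the Initial Value).
    pm.environment.set("authToken", body.token);
    postman.setNextRequest("Get Account"); // chain to the next request in the run
  } else {
    postman.setNextRequest(null); // stop the collection run: nothing downstream can succeed
  }
}

// Constructed stand-in for the sandbox (not Postman's real implementation): records
// test outcomes, environment writes and the requested next step so they can be inspected.
function runInFakeSandbox(script, response) {
  const env = new Map();
  const results = [];
  let nextRequest;
  const pm = {
    response: { code: response.code, json: () => JSON.parse(response.body) },
    environment: { set: (k, v) => env.set(k, v), get: (k) => env.get(k) },
    test: (name, fn) => {
      try {
        fn();
        results.push({ name, passed: true });
      } catch (e) {
        results.push({ name, passed: false, error: e.message });
      }
    },
  };
  const postman = { setNextRequest: (name) => { nextRequest = name; } };
  script(pm, postman);
  return { results, env: Object.fromEntries(env), nextRequest };
}

// Constructed responses: one successful login, one rejected login.
const ok = runInFakeSandbox(loginTestScript, { code: 200, body: '{"token":"eyJabc.def.ghi"}' });
const failed = runInFakeSandbox(loginTestScript, { code: 401, body: '{"error":"bad credentials"}' });
console.log("success run:", ok);
console.log("failure run:", failed);
```

The point to carry over into real collections is the last branch: a failed precondition should end the run with `postman.setNextRequest(null)` rather than letting later requests fire with an empty or stale token, and tokens captured at run time belong in the Current Value via `pm.environment.set`, not in the Initial Value that syncs.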

8. Can I generate documentation of my API collection using Postman?

Yes, as you make updates to your requests or add a new request, documentation is dynamically generated in Postman. You can also use Postbot to generate collection documentation instantly.

9. Does Postman expose an internal portal for stakeholders to discover and consume assets?

Yes, one of the most important aspects of API development is discoverability and reusability. By using the Postman Private API Network, you can enable developers across your organization to discover, consume, and track API development in one place. Assets in the Private API Network—collections, workspaces, and more—are visible to users who are on your Postman team.

10. Lastly, what are the main features Postman offers enterprises?

The Postman Enterprise plan includes:

  • Single sign-on with external authentication providers
  • User provisioning via SCIM
  • Role-based access control (RBAC) and user groups
  • The Postman Private API Network for discoverability
  • Partner Workspaces to collaborate with external partners
  • Admin controls like audit logs, management of public elements, the Postman Secret Scanner, and more
  • A dedicated customer success team to ensure your success

You can see all the latest Postman capabilities now available with the release of Postman v11!
