Skip to content
Postman API Testing Tips

How To Generate Token Using Postman

API Testing Blog

Obtaining an Authentication Token Using Postman

Authentication tokens are essential for securing API access and verifying user identities. Postman is a powerful tool that can be used to streamline the process of generating and using these tokens.

Understanding Authentication Tokens

Before diving into token generation, let’s clarify what an authentication token is. It’s a small piece of data that acts as a temporary credential, allowing a client application to access protected resources on a server. Popular authentication methods using tokens include:

  • OAuth 2.0: A standardized protocol commonly used for web applications and APIs.
  • JWT (JSON Web Token): A standard for securely transmitting information between parties as a JSON object, often used in authentication and authorization.

Obtaining Tokens Using Postman: A Step-by-Step Guide

Let’s explore how to generate tokens using Postman, focusing on OAuth 2.0 and JWT.

1. OAuth 2.0 Token Generation

Example: Google API

Step 1: Set Up Your Request:

  • Create a new request in Postman.
  • Set the request method to POST.
  • Enter the OAuth 2.0 authorization server URL in the URL field. For Google, this is https://accounts.google.com/o/oauth2/token.

Step 2: Configure OAuth 2.0 Settings:

  • Navigate to the Authorization tab in Postman.
  • Select “OAuth 2.0” as the type.
  • Grant Type: Specify the grant type. For obtaining an access token, use “Authorization Code”.
  • Callback URL: If necessary, enter a callback URL (where Postman will receive a code from the OAuth server). If you’re testing, you can use http://localhost or a similar temporary URL.
  • Client ID: Enter your client ID (provided by the API provider).
  • Client Secret: Enter your client secret.
  • Scope: Specify the permissions your application needs (e.g., “profile”, “email”).
  • Token Name: Assign a name to the token variable for later use (e.g., “access_token”).

Step 3: Send the Request:

  • Click the “Get New Access Token” button.
  • Postman will navigate to the OAuth server to authorize your application.
  • Provide the necessary credentials if prompted.
  • After authorization, Postman will retrieve the access token and store it in the specified token variable.

Step 4: Using the Token:

  • In subsequent requests to the API, add the access token in the Authorization header. The header value should be Bearer <your_access_token>.

Example Code:

// Example Google OAuth 2.0 request body
{
  "client_id": "<YOUR_CLIENT_ID>",
  "client_secret": "<YOUR_CLIENT_SECRET>",
  "grant_type": "authorization_code",
  "code": "<AUTHORIZATION_CODE>", // Replace with received code
  "redirect_uri": "http://localhost" // Example callback URL
}

2. JWT Token Generation

Example: Custom API

Step 1: Set Up Your Request:

  • Create a new POST request in Postman.
  • Set the URL to the endpoint on your server that handles JWT token generation.
  • In the Body tab, select “raw” and choose “JSON” as the data type.

Step 2: Provide Authentication Credentials:

  • Add your credentials (username and password) to the request body as JSON:
{
  "username": "<YOUR_USERNAME>",
  "password": "<YOUR_PASSWORD>"
}

Step 3: Send the Request:

  • Send the request to your server.

Step 4: Handle the Response and Extract the Token:

  • If the server successfully authenticates the user, it will send back a JWT token in the response. You can extract the token using Postman’s response parser.

Example Code:

// Example JWT token response
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VybmFtZSI6ImFkbWluIiwiaWF0IjoxNjg2MTEwNjM2LCJleHAiOjE2ODYxOTcwMzZ9.p8-1Y2X8q0h79f9Y7g352Y8F54nG68c0Ezn_jW1oI"
}

Step 5: Using the JWT Token:

  • Add the token to the Authorization header in subsequent requests to the API. Use the Bearer scheme:
Authorization: Bearer <your_jwt_token>

3. Generating Tokens using the API Provider’s Documentation

  • Always refer to the API provider’s documentation for the most accurate information on token generation for their specific API. It will often include:
    • Endpoint URLs
    • Required authentication parameters
    • Response format

4. Using Environment Variables and Tokens in Postman

  • Environment Variables: Store sensitive information (like client IDs and secrets) in environment variables for security and organization.
  • Tokens: Use variables to store and manage tokens obtained from authentication requests. You can reuse tokens across multiple requests within a collection.

5. Tips for Secure Token Handling

  • Never expose client secrets or access tokens in the frontend.
  • Use environment variables for sensitive data instead of hardcoding them into requests.
  • Store tokens securely and set appropriate expiry times.

By following these steps and guidelines, you can effectively generate and manage authentication tokens within Postman, enabling secure access to APIs and streamlining your API testing workflow.

API Testing Blog