
How To Get Access Token Using Authorization Code In Postman

API Testing Blog

Getting an Access Token Using Authorization Code Flow in Postman

The Authorization Code Flow is a robust method for authorizing access to an API. It is the right choice when your application has to meet a high security bar or handles sensitive data. This guide walks through how to obtain an access token with the Authorization Code Flow in Postman.

Understanding the Authorization Code Flow

  1. User Authorization: The user starts the process from your application, usually through a login screen, which sends them to the authorization server.
  2. Authorization Code Request: Your application directs the user's browser to the authorization server with a request that includes:
    • Client ID: A unique identifier for your application.
    • Redirect URI: The URL to which the authorization server will send the user back after authorization.
    • Scope: The permissions your application is asking for.
  3. User Consent: The authorization server shows the user a consent dialog asking whether your application may access their data.
  4. Authorization Code: After the user consents, the authorization server redirects them to your application's Redirect URI with an authorization code attached. This code is a short-lived, single-use credential that represents the user's consent.
  5. Access Token Request: Your application exchanges the authorization code for an access token by sending a request to the authorization server's token endpoint.
  6. Access Token Issuance: The authorization server verifies the code and issues an access token to your application. This token lets your application call the protected resources of the API on the user's behalf.

Using Postman for Access Token Acquisition

Step 1: Configuring Your Postman Environment

  1. Open Postman and create a new environment.

  2. Add the following variables to your environment:

    • client_id: Your application’s client ID
    • client_secret: Your application’s client secret
    • redirect_uri: The redirect URI you configured for your application
    • authorization_endpoint: The URL of your API’s authorization endpoint
    • token_endpoint: The URL of your API’s token endpoint

Step 2: Requesting an Authorization Code

  1. Create a new request in Postman.
  2. Set the request method to GET.
  3. Enter the authorization_endpoint variable in the request URL.
  4. Add the following query parameters to the request URL:
    • client_id={{client_id}}
    • redirect_uri={{redirect_uri}}
    • scope=your_desired_scopes
  5. Send the request.
  6. You will be redirected to your application’s Redirect URI with an authorization code in the query string.

Step 3: Exchanging the Code for an Access Token

  1. Create a new request in Postman.
  2. Set the request method to POST.
  3. Enter the token_endpoint variable in the request URL.
  4. Set the Content-Type header to application/x-www-form-urlencoded.
  5. Add the following parameters to the request body:
    • grant_type=authorization_code
    • client_id={{client_id}}
    • client_secret={{client_secret}}
    • code={{Authorization Code}} (replace this with the actual code received in the previous step)
    • redirect_uri={{redirect_uri}}
  6. Send the request.

The response contains the access token together with related information, such as a refresh token that can be used to obtain a new access token when the current one expires.

Sample Code Snippet (Tests tab of the Step 2 request):

// Postman follows redirects automatically by default, so turn off
// "Automatically follow redirects" in the settings to observe the 302 here.
pm.test("Get authorization code", () => {
    pm.response.to.have.status(302);
    pm.response.to.have.header("Location");
    pm.expect(pm.response.headers.get("Location")).to.include("code=");
});

// Extract the authorization code from the redirect URL and keep it in the environment
const authCode = pm.response.headers.get("Location").split("code=")[1].split("&")[0];
pm.environment.set("authCode", authCode);

// Exchange the code for an access token. pm.sendRequest is asynchronous, so the
// assertions belong in its callback and the test signals completion through done().
pm.test("Request access token", (done) => {
    pm.sendRequest({
        url: pm.environment.get("token_endpoint"),
        method: "POST",
        header: { "Content-Type": "application/x-www-form-urlencoded" },
        body: {
            mode: "urlencoded",
            urlencoded: [
                { key: "grant_type", value: "authorization_code" },
                { key: "client_id", value: pm.environment.get("client_id") },
                { key: "client_secret", value: pm.environment.get("client_secret") },
                { key: "code", value: authCode },
                { key: "redirect_uri", value: pm.environment.get("redirect_uri") }
            ]
        }
    }, (err, res) => {
        pm.expect(err).to.be.null;
        pm.expect(res.code).to.eql(200);
        const token = res.json();
        pm.expect(token).to.have.property("access_token");
        // Save the token so later requests can send it as a Bearer credential
        pm.environment.set("access_token", token.access_token);
        done();
    });
});

Accessing Protected Resources

Once you have the access token, you can use it to access protected resources on the API. In Postman, simply add the access token to the Authorization header of your requests.

Example: Accessing a protected endpoint:

// Uses the access_token stored in the environment by the token-exchange step.
// pm.response here is the current request's response, not the token response,
// so the token must come from the environment rather than pm.response.json().
pm.test("Access protected endpoint", (done) => {
    pm.sendRequest({
        url: "https://api.example.com/protected/resource",
        method: "GET",
        header: {
            Authorization: "Bearer " + pm.environment.get("access_token")
        }
    }, (err, res) => {
        pm.expect(err).to.be.null;
        pm.expect(res.code).to.eql(200);
        pm.expect(() => res.json()).to.not.throw();
        done();
    });
});

Important Considerations

  • Scopes: Carefully define the scopes your application needs to access in the initial authorization request. You should only request the permissions you absolutely require.
  • Token Expiration: Access tokens typically have a finite lifespan. Make sure to handle token expiration gracefully and implement a mechanism to refresh the token when needed.
  • Security: Always ensure that your authorization server and the token exchange process are secure to prevent unauthorized access to your API.

By following these steps and considering the best practices, you can effectively implement the Authorization Code Flow in Postman for securing your API.