Skip to content
Postman API Testing Tips

How To Get Access Token Using Postman

API Testing Blog

Getting Access Tokens Using Postman for API Testing

Access tokens are essential for authenticating requests to protected APIs. Postman provides a user-friendly interface for acquiring and managing these tokens, making your API testing workflow more efficient. This guide will walk you through different methods of obtaining access tokens using Postman and explore practical examples.

1. Obtaining Access Tokens via Authorization Code Flow

The Authorization Code Flow is a standard OAuth 2.0 procedure for obtaining access tokens. It uses a secure handshake between your application and the authorization server to exchange credentials for access rights.

Step 1: Configure the Authorization Request in Postman

  • Start by setting up a new request in Postman, usually a POST request targeting the authorization server’s endpoint for receiving authorization codes.
https://auth-server.example.com/oauth/authorize
  • Add necessary parameters in the request body:
    • client_id (Your application’s identifier)
    • redirect_uri (The URL where the user will be redirected after authorization)
    • response_type (Set this to code)
    • scope (Specify the permissions your application needs)
{
  "client_id": "YOUR_CLIENT_ID",
  "redirect_uri": "https://your-app.example.com/callback",
  "response_type": "code",
  "scope": "read write"
}

  • Select “Authorization” tab and choose “OAuth 2.0” from the dropdown list.

  • Click “Get New Access Token” and configure the following:

    • Grant Type: authorization_code
    • Auth URL: Your authorization server’s URL (Same as in the request URL)
    • Access Token URL: This is the endpoint of the authorization server for exchanging authorization codes for access tokens.
    • Client ID: Your application’s identifier.
    • Client Secret: Your application’s secret.
    • Redirect URI: Same as the redirect_uri in the request body.
    • Scope: Same as specified in the request body.

  • Execute the request: This will redirect you to a login prompt. After successful authentication, the authorization server will redirect you back to the redirect_uri with the authorization code in the URL.

Step 2: Exchange the Authorization Code for an Access Token

  • Copy the authorization code from the redirect URL.
  • Create a new POST request in Postman targeting the Access Token endpoint.
  • Add the following parameters in the request body:
    • grant_type: authorization_code
    • code: The authorization code you copied.
    • client_id: Your application’s identifier.
    • client_secret: Your application’s secret.
    • redirect_uri: Same as the one used in the authorization request.
{
  "grant_type": "authorization_code",
  "code": "YOUR_AUTHORIZATION_CODE",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "redirect_uri": "https://your-app.example.com/callback"
}
  • Execute the request: You will receive a response containing your access token.

Step 3: Store and Utilize the Access Token

  • Store the access token in a secure location for use in subsequent API calls.
  • Use the access token in subsequent requests by adding it as an Authorization header with the Bearer schema:
    • Authorization: Bearer YOUR_ACCESS_TOKEN

2. Obtaining Access Tokens via Client Credentials Flow

The Client Credentials Flow is suitable when your application is acting on its own behalf, without user interaction.

Step 1: Configure the Request

  • Create a new POST request in Postman targeting the authorization server’s Access Token endpoint.
  • Add the following parameters in the request body:
    • grant_type: client_credentials
    • client_id: Your application’s identifier.
    • client_secret: Your application’s secret.
    • scope: (Specify the permissions needed by your application)
{
  "grant_type": "client_credentials",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "scope": "read"
}

Step 2: Execute the Request

  • Send the request: The authorization server will respond with the access token.

Step 3: Store and Utilize

  • Store the access token for subsequent API calls.
  • Use the access token in subsequent requests by adding it as an Authorization header with the Bearer schema.

3. Obtaining Access Tokens via the Password Credentials Flow

The password credentials flow allows users to directly provide their credentials (username and password) to obtain an access token.

Step 1: Configure the Request

  • Create a new POST request in Postman targeting the authorization server’s Access Token endpoint.
  • Add the following parameters in the request body:
    • grant_type: password
    • username: The user’s username.
    • password: The user’s password.
    • client_id: Your application’s identifier.
    • client_secret: Your application’s secret.
    • scope: (Specify the permissions required)
{
  "grant_type": "password",
  "username": "YOUR_USERNAME",
  "password": "YOUR_PASSWORD",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET",
  "scope": "read write"
}

Step 2: Execute the Request

  • Send the request: The authorization server will respond with the access token.

Step 3: Store and Utilize

  • Store the access token for subsequent API calls.
  • Use the access token in subsequent requests by adding it as an Authorization header with the Bearer schema.

4. Using Postman’s Built-in OAuth 2.0 Support

Postman simplifies the OAuth 2.0 flow with its built-in support:

  • Go to the Authorization tab in Postman.
  • Choose “OAuth 2.0” from the dropdown.
  • Click “Get New Access Token”.
  • Configure the details similar to the Authorization code flow instructions (Auth URL, Access Token URL, Client ID, etc.).
  • Select the “Obtain token using authorization code flow” option if needed.
  • Click “Request Token” and follow the prompts.

Postman will handle the authorization code exchange for you and store the access token, making it available for use in your API calls directly.

5. Refreshing Access Tokens

Access tokens have limited lifespans. Refresh tokens are used to extend the validity of existing access tokens.

Step 1: Configure the Request

  • Create a new POST request in Postman targeting the refresh token endpoint.
  • Add the following parameters in the request body:
    • grant_type: refresh_token
    • refresh_token: Your refresh token.
    • client_id: Your application’s identifier.
    • client_secret: Your application’s secret.
    • scope: (Optional, can be included but not required)
{
  "grant_type": "refresh_token",
  "refresh_token": "YOUR_REFRESH_TOKEN",
  "client_id": "YOUR_CLIENT_ID",
  "client_secret": "YOUR_CLIENT_SECRET"
}

Step 2: Execute the Request

  • Send the request: The authorization server will respond with a new access token.

Step 3: Store and Utilize

  • Store the new access token for use in future requests.
  • Update the Authorization header in your requests with the new access token.

Conclusion

Postman provides powerful features for obtaining and managing access tokens effectively for API testing. By using these methods, you can efficiently authenticate your API calls, streamlining your testing workflow. Make sure to familiarize yourself with different OAuth 2.0 grant types and appropriate security measures to protect your sensitive data during access token management.

API Testing Blog