Skip to content
Postman API Testing Tips

How To Test Token Based Authentication Using Postman

API Testing Blog

Understanding Token-Based Authentication

Token-based authentication is a widely used method for securing APIs, providing a secure and efficient way to verify user identity without relying on traditional session-based cookies. In this authentication scheme, a server issues a unique access token to a client after successful login. This token is then used by the client to authorize subsequent requests to the protected API resources.

How to Test Token-Based Authentication using Postman: A Step-by-Step Guide

Step 1: Obtain a Valid Access Token

Before you can start testing your API with token-based authentication, you need to obtain a valid access token. This typically involves making a request to a dedicated endpoint for authentication.

Example:

  • Endpoint: /auth/login
  • Method: POST
  • Body: 
    {
      "username": "your_username",
      "password": "your_password"
    }

Postman:

  1. Open a new request in Postman and set the Method to POST.
  2. Enter the authentication endpoint URL in the Request URL.
  3. In the Body tab, choose raw and select JSON as the format.
  4. Paste the JSON body containing your credentials.
  5. Send the request.

Response:

Upon successful authentication, the server will typically respond with a JSON object containing the access token:

{
  "access_token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

Step 2: Store the Access Token

To use this token for subsequent requests, you need to store it in a safe place. Postman offers several ways to do this:

1. Environment Variables:

  • Create a new environment in Postman (e.g., “My API Environment”).
  • Add a new variable called access_token and set its value to the token extracted from the previous response.

2. Global Variables:

  • Navigate to Postman settings and go to the Globals section.
  • Add a new Global variable named access_token and set its value.

3. Collection Variables:

  • Create a new Postman collection to group your API requests.
  • In the collection settings, add a new variable named access_token.

Example in environment variable (Postman interface):

  1. Go to “Manage Environments” by clicking on the gear icon next to your environment name.
  2. Click on “Add” to add a new environment variable, select “My API Environment” from the dropdown menu, and type the name “access_token” for the variable name.
  3. Finally, paste the access token value from the previous response in the “Initial value” field.

Step 3: Use the Access Token in Subsequent Requests

Now that you have stored the access token, you can use it for authenticating requests to protected API endpoints.

Method 1: Authentication Header:

  • Type: Authorization
  • Value: Bearer <access_token> (replace with your actual access token)

Example:

Postman:

  1. Open a new request for a protected API endpoint (e.g., /users).
  2. In the Authorization tab, select “Type” as “Bearer Token”.
  3. In the “Token” field, enter the variable name: {{access_token}}.
  4. Send the request.

Method 2: Using the Authorization Tab:

  • Method: Authorization tab
  • Select: Bearer Token
  • Enter: {{access_token}} in the “Token” field.

Example:

Postman:

  1. Open a new request for a protected API endpoint (e.g., /users).
  2. Navigate to the “Authorization” tab.
  3. Select the “Type” as Bearer Token and paste {{access_token}} into the “Token” field.
  4. Send the request.

Note: Replace {{access_token}} with the appropriate variable name (environment, global, or collection variable) for your setup.

How to Test Token-Based Authentication in Postman: Different Scenarios

1. Testing Valid Access Tokens:

  • Make a request to a protected endpoint using a valid access token.
  • Expect a successful response (200 OK) with the requested resource data.

2. Testing Invalid Access Tokens:

  • Make a request to a protected endpoint using an invalid or expired access token.
  • Expect an authentication error response (e.g., 401 Unauthorized)

Example:

  • Endpoint: /users
  • Method: GET
  • Authorization: Bearer <invalid_or_expired_token>

3. Testing Different Access Token Scopes:

  • Many token-based authentication systems allow defining scopes for access tokens, granting different permissions to resources.
  • Test requests to protected endpoints using tokens with different scopes.
  • Expect successful responses for authorized requests and authentication errors (403 Forbidden) for unauthorized requests.

4. Testing Token Refresh:

  • If your API implements token refresh functionality, test this feature.
  • Make a request to the refresh token endpoint with an expiring access token.
  • Expect a response containing a fresh access token.

Conclusion

Testing token-based authentication in Postman is an essential part of API testing. By following the steps outlined in this guide, you can ensure the security and reliability of your API while identifying potential vulnerabilities. Remember to explore different test scenarios to build confidence in your API’s authentication mechanisms.

API Testing Blog