How To Use Auth Token In Postman
Understanding Auth Tokens
Authentication tokens are essential for securing your APIs, ensuring that only authorized users can access sensitive data and perform actions. Postman provides several ways to manage and use auth tokens for API testing, making it a powerful tool for developers and testers.
Method 1: Using Authorization Tab
1. Navigate to the Authorization Tab
Open your Postman request and click on the “Authorization” tab in the right-hand pane.
2. Select “Bearer Token”
From the “Type” dropdown, choose “Bearer Token.”
3. Enter Your Token
Paste your auth token into the “Token” field.
4. Send Your Request
Click “Send” to execute your API request with the provided auth token.
Example:
Let’s say you’re working with a weather API that requires an auth token for accessing data. Your token is your_weather_api_token.
- In Postman, navigate to your request for the weather API.
- Go to the “Authorization” tab.
- Select “Bearer Token” from the “Type” dropdown.
- Paste your_weather_api_token into the “Token” field.
- Click “Send.”
Method 2: Using Environment Variables
Environment variables are a more organized and flexible way to manage auth tokens, especially when testing against multiple environments or sharing your requests.
1. Create an Environment
Click on the “Environments” icon in the left-hand pane and create a new environment. For example, you can name it “Production” or “Development.”
2. Add an Environment Variable
In your new environment, click “Add” and create a variable named AUTH_TOKEN. Set the value to your auth token.
3. Use the Environment Variable in Your Request
In your Postman request, replace the auth token with {{AUTH_TOKEN}}. Postman will automatically substitute the variable value before sending the request.
Example:
Suppose you have three environments: Development, Staging, and Production, each with a different auth token. You can manage these tokens using environment variables.
- Create three environments in Postman: “Development,” “Staging,” and “Production.”
- In each environment, add an AUTH_TOKEN variable with the corresponding token value.
- In your weather API request, replace the auth token with {{AUTH_TOKEN}}.
- Now, you can easily switch between environments and test against different auth tokens.
Method 3: Using Pre-request Scripts
Pre-request scripts allow you to dynamically generate auth tokens or perform various tasks before sending your request.
1. Access the Pre-request Script Tab
In your Postman request, go to the “Pre-request Script” tab.
2. Write JavaScript Code
Use JavaScript code to generate or fetch your auth token. For example:
pm.environment.set("AUTH_TOKEN", "your_generated_token");
This code will set the AUTH_TOKEN environment variable with the generated token.
3. Use the Generated Token
In your request’s headers or body, use {{AUTH_TOKEN}} to access the generated token.
Example:
Imagine you need to fetch a new auth token from a separate API endpoint before accessing the weather API. You can use a pre-request script for this task.
- In the “Pre-request Script” tab, add the following code:
pm.sendRequest({ url: "https://your-token-api.com/token", method: "GET" }, function (err, res) {
    // pm.sendRequest is asynchronous; the response is only available inside this callback.
    if (err) { console.error(err); return; }
    pm.environment.set("AUTH_TOKEN", res.json().access_token);
});
This script fetches a new token from https://your-token-api.com/token and sets it as the AUTH_TOKEN environment variable.
- In your weather API request, use {{AUTH_TOKEN}} for authentication.
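A pre-request script that fetches a token only when the cached one is missing or about to expire, as an added example that is not part of the original article. The AUTH_TOKEN_EXPIRES_AT variable, the 30-second margin and the expires_in response field are assumptions; the token URL is the article's placeholder.

```javascript
// Assumed response shape of the token endpoint: { access_token, expires_in } (seconds).
const TOKEN_URL = "https://your-token-api.com/token"; // placeholder URL from the article
const SKEW_MS = 30 * 1000; // refresh 30 s before the stated expiry (assumption)

// True when no token is cached or the cached one expires within SKEW_MS.
function needsRefresh(env, now) {
    const token = env.get("AUTH_TOKEN");
    const expiresAt = Number(env.get("AUTH_TOKEN_EXPIRES_AT")); // hypothetical variable
    return !token || !Number.isFinite(expiresAt) || now >= expiresAt - SKEW_MS;
}

// Fetches a token only when needed; done(err, refreshed) reports the outcome.
function ensureToken(pm, now, done) {
    if (!needsRefresh(pm.environment, now)) return done(null, false);
    pm.sendRequest({ url: TOKEN_URL, method: "GET" }, (err, res) => {
        if (err) return done(err, false);
        if (res.code !== 200) {
            return done(new Error("token endpoint returned " + res.code), false);
        }
        const body = res.json();
        if (!body.access_token) return done(new Error("no access_token in response"), false);
        const ttlMs = (Number(body.expires_in) || 0) * 1000;
        pm.environment.set("AUTH_TOKEN", body.access_token);
        pm.environment.set("AUTH_TOKEN_EXPIRES_AT", String(now + ttlMs));
        done(null, true);
    });
}

// Inside Postman `pm` is a global; outside Postman (e.g. Node) this is skipped.
if (typeof pm !== "undefined") {
    ensureToken(pm, Date.now(), (err) => {
        // Log the failure reason, never the token value itself.
        if (err) console.error("token refresh failed: " + err.message);
    });
}
```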
Method 4: Using Authorization Interceptor
Authorization Interceptors allow you to automatically add auth tokens to multiple requests, making your testing process even more streamlined.
1. Create an Interceptor
In Postman, navigate to the “Interceptors” tab and create a new interceptor.
2. Add Interceptor Logic
Write JavaScript code that adds the auth token to the request headers.
function addAuthorization(request) {
    request.headers.Authorization = "Bearer {{AUTH_TOKEN}}";
    return request;
}
pm.intercept.onRequest(addAuthorization);
This interceptor adds the “Authorization” header with the AUTH_TOKEN value to every outgoing request.
3. Activate the Interceptor
Ensure the interceptor is activated.
Now, all your requests will automatically include the correct auth token without needing to add it manually to each request.
Best Practices for Using Auth Tokens
- Store tokens securely: Never hardcode your auth tokens directly in your API calls or requests. Use secure storage methods like environment variables or pre-request scripts.
- Use a consistent approach: Choose one method for managing auth tokens (e.g., environment variables) and stick to it for all your requests.
- Regularly refresh tokens: If your auth tokens have expiration times, ensure you refresh them automatically using pre-request scripts or other mechanisms.
- Consider security best practices: Implement appropriate security measures to protect your auth tokens and prevent unauthorized access to your APIs.
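To check the first practice above before a collection is shared, the following added example (not from the original article or from Postman) scans an exported Collection v2.1 JSON for Authorization headers and auth fields that hold a literal value instead of a {{variable}} reference. The sample collection and its token strings are constructed.

```javascript
// Accept a credential value only if it is a {{variable}} reference,
// optionally preceded by a scheme word such as "Bearer".
const VAR_ONLY = /^(?:[A-Za-z]+\s+)?\{\{[^{}]+\}\}$/;

function isLiteral(value) {
    return typeof value === "string" && value.trim() !== "" && !VAR_ONLY.test(value.trim());
}

// Checks one v2.1 `auth` object (collection, folder or request level).
function checkAuth(auth, where, findings) {
    if (!auth || !Array.isArray(auth[auth.type])) return;
    for (const field of auth[auth.type]) {
        if (["token", "password", "value"].includes(field.key) && isLiteral(field.value)) {
            findings.push(where + ": literal " + auth.type + " " + field.key);
        }
    }
}

// Walks folders and requests recursively and returns the findings.
function auditCollection(node, path = node.info ? node.info.name : "", findings = []) {
    checkAuth(node.auth, path, findings);
    const req = node.request;
    if (req && typeof req === "object") {
        checkAuth(req.auth, path, findings);
        for (const h of req.header || []) {
            if (/^authorization$/i.test(h.key) && isLiteral(h.value)) {
                findings.push(path + ": literal Authorization header");
            }
        }
    }
    for (const child of node.item || []) {
        auditCollection(child, path + " / " + child.name, findings);
    }
    return findings;
}

// Constructed sample export (not from the article); token values are made up.
const sample = {
    info: { name: "Weather" },
    item: [
        { name: "Current", request: { auth: { type: "bearer",
            bearer: [{ key: "token", value: "{{AUTH_TOKEN}}" }] } } },
        { name: "Admin", item: [{ name: "Forecast", request: {
            header: [{ key: "Authorization", value: "Bearer constructed-abc123" }] } }] },
        { name: "Legacy", request: { auth: { type: "bearer",
            bearer: [{ key: "token", value: "constructed-abc123" }] } } }
    ]
};
console.log(auditCollection(sample));
```

The findings name the request path and field only, so the audit output can be logged or pasted into a ticket without repeating the secret.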
By following these steps and best practices, you can effectively manage and use auth tokens in Postman for seamless and secure API testing.