How To Use Authorization Header In Postman
How to Use Authorization Header in Postman: A Comprehensive Guide
Postman is a powerful tool for testing APIs, and it offers flexible ways to handle authentication. One common method is using the Authorization header. This guide will take you step by step through the process of configuring and using Authorization headers in Postman for various scenarios.
Understanding Authorization Headers
The Authorization header is used to transmit authentication credentials with each request. It provides a way for clients (like Postman) to identify themselves to the server and gain access to protected resources. Typically, the header contains a scheme (e.g., “Basic”, “Bearer”) followed by the credentials: for Basic, the Base64 encoding of username:password (an encoding, not encryption); for Bearer, a token.
Setting Up Authorization Header in Postman
- Open Postman and create a new request.
- Select the “Authorization” tab in the request window.
- Choose the appropriate authentication type:
  - Basic Auth: This method requires a username and password. Enter the credentials in the respective fields.
  - Bearer Token: This method uses a token (often obtained through a separate authentication process) to grant access. Paste the token in the “Token” field.
  - OAuth 2.0: This advanced method involves authorization workflows with more complex configurations.
- Click “Send” to execute your request.
Practical Example: Basic Authentication
Let’s assume you want to access a protected API endpoint that requires basic authentication.
1. Gather Credentials: Get the username and password required for the API.
2. Create a Postman request:
- Choose the appropriate HTTP method (GET, POST, etc.) and enter the API endpoint URL.
3. Set up Basic Auth:
- Go to the “Authorization” tab.
- Select “Basic Auth” from the drop-down menu.
- Enter the username and password in the respective fields.
4. Send the request:
- Click “Send” and observe the response.
Sample Code:

    // Example request with Basic Authentication
    // The value after "Basic" is the encoded username:password
    POST https://api.example.com/protected-resource
    Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
Using Bearer Token Authentication
For APIs that employ Bearer token authentication, the process is similar.
1. Obtain the Bearer Token: The token typically comes from a separate authentication process (e.g., a user login or an API call to a token endpoint).
2. Create a Postman request:
- Choose the HTTP method and enter the API endpoint URL.
3. Set up Bearer Token Authentication:
- Go to the “Authorization” tab.
- Select “Bearer Token” from the drop-down menu.
- Paste the obtained Bearer token into the “Token” field.
4. Send the request:
- Click “Send” and analyze the response.
Sample Code:

    // Example request with Bearer Token Authentication
    GET https://api.example.com/protected-resource
    Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw0
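The two sample headers above can be read back by anyone who sees the request, which is why they belong only on HTTPS connections and out of shared screenshots and logs. The following is an added example, not code from the original guide: `buildBasic` and `parseAuthorization` are hypothetical helper names, and the inputs are the sample values shown above.

```javascript
// Added example: what an Authorization header value discloses to anyone who captures it.
// buildBasic and parseAuthorization are hypothetical helpers, not Postman APIs.
const PAGE_BASIC = 'Basic dXNlcm5hbWU6cGFzc3dvcmQ=';
const PAGE_BEARER = 'Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw0';

// JWT segments use the URL-safe Base64 alphabet; map it back before decoding.
function b64urlToText(segment) {
  const std = segment.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(std, 'base64').toString('utf8');
}

// What the Basic Auth option sends: "Basic " + base64(username ":" password).
function buildBasic(username, password) {
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

function parseAuthorization(value) {
  const m = /^(\S+)\s+(.+)$/.exec(value.trim());
  if (!m) throw new Error('expected "<scheme> <credentials>"');
  const scheme = m[1].toLowerCase();
  const credentials = m[2];
  if (scheme === 'basic') {
    const decoded = Buffer.from(credentials, 'base64').toString('utf8');
    const i = decoded.indexOf(':'); // split on the FIRST colon: passwords may contain ':'
    if (i < 0) throw new Error('Basic credentials lack a ":" separator');
    return { scheme, username: decoded.slice(0, i), password: decoded.slice(i + 1) };
  }
  if (scheme === 'bearer') {
    const parts = credentials.split('.');
    if (parts.length !== 3) return { scheme, opaque: true }; // not JWT-shaped
    try {
      // Header and claims are only encoded; the signature is not verified here.
      return { scheme, opaque: false,
               header: JSON.parse(b64urlToText(parts[0])),
               claims: JSON.parse(b64urlToText(parts[1])) };
    } catch {
      return { scheme, opaque: true };
    }
  }
  return { scheme, credentials };
}

console.log(parseAuthorization(PAGE_BASIC));
console.log(parseAuthorization(PAGE_BEARER).claims);
```
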
Persisting Authorization Settings
You can save your Authorization configuration for future use.
- Go to the “Authorization” tab.
- Click on the “Save to Environment” icon.
- Select the environment where you want to save the configuration.
This helps avoid re-entering credentials for each request.
Dynamic Authorization with Environment Variables
Postman enables using environment variables for dynamic authorization. This is useful for situations where credentials or tokens change frequently.
1. Create Environment Variables:
- Go to the “Environments” tab.
- Click “Add” to create a new environment.
- Define variables with names like username, password, or token.
2. Use Variables in Requests:
- In the request URL, headers, or body, use the syntax {{your_variable_name}} to reference environment variables.
- For example, if you have an environment variable named token, you can use it in the Authorization header as: Authorization: Bearer {{token}}
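One way to check that requests really use variables before a collection is exported or shared, as an added example that is not part of the original guide: the script walks a collection and reports requests whose credentials are literals instead of {{variable}} references. The sample collection is constructed, its layout is assumed to follow the Postman Collection v2.1 export format, and `findHardcodedCredentials` is a hypothetical name.

```javascript
// Constructed sample, shaped like a Collection v2.1 export (assumed layout).
const sampleCollection = {
  info: { name: 'Constructed demo collection' },
  item: [
    { name: 'List widgets',
      request: { method: 'GET', url: 'https://api.example.com/widgets',
        auth: { type: 'bearer',
                bearer: [{ key: 'token', value: '{{token}}', type: 'string' }] } } },
    { name: 'Admin', item: [
      { name: 'Create widget',
        request: { method: 'POST', url: 'https://api.example.com/widgets',
          header: [{ key: 'Authorization', value: 'Basic dXNlcm5hbWU6cGFzc3dvcmQ=' }] } },
      { name: 'Delete widget',
        request: { method: 'DELETE', url: 'https://api.example.com/widgets/1',
          auth: { type: 'basic', basic: [
            { key: 'username', value: '{{username}}', type: 'string' },
            { key: 'password', value: 'constructed-literal-password', type: 'string' }] } } },
    ] },
  ],
};

const VAR_REF = /\{\{[^{}]+\}\}/;                   // a {{variable}} reference
const SECRET_KEYS = new Set(['password', 'token']); // auth fields used by Basic and Bearer

// Recursively walk folders and requests; findings never include the secret value itself.
function findHardcodedCredentials(node, path = []) {
  const findings = [];
  for (const item of node.item || []) {
    const here = [...path, item.name];
    if (item.item) { findings.push(...findHardcodedCredentials(item, here)); continue; }
    const req = item.request || {};
    for (const h of req.header || []) {
      if (String(h.key).toLowerCase() === 'authorization' && !VAR_REF.test(String(h.value))) {
        findings.push({ request: here.join(' / '), where: 'header Authorization' });
      }
    }
    const auth = req.auth;
    for (const field of (auth && auth[auth.type]) || []) {
      if (SECRET_KEYS.has(field.key) && field.value && !VAR_REF.test(String(field.value))) {
        findings.push({ request: here.join(' / '), where: `auth.${auth.type}.${field.key}` });
      }
    }
  }
  return findings;
}

console.log(findHardcodedCredentials(sampleCollection));
```
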
Working with OAuth 2.0
Postman provides robust support for OAuth 2.0. Here’s a basic overview:
- Define OAuth 2.0 Credentials:
  - Go to the “Authorization” tab.
  - Select “OAuth 2.0”.
  - Enter the required OAuth 2.0 details:
    - Grant type (e.g., password, client_credentials)
    - Client ID and other necessary values.
- Configure the Workflow:
  - Specify the token acquisition and refresh token URLs.
- Save to Environment:
  - Click “Get New Access Token” to obtain the OAuth 2.0 token and save it to your environment.
Key Points:
- Always follow API documentation for specific authentication instructions.
- Prioritize using environment variables for secure and dynamic authorization.
- For complex OAuth 2.0 scenarios, consult detailed Postman documentation.
Conclusion
Mastering the art of using Authorization headers in Postman empowers you to confidently test any API that requires authentication. By understanding the different authentication methods and leveraging Postman’s features, you can streamline your API testing workflow and achieve accurate results. Remember, security is paramount, so always handle sensitive credentials with care and leverage Postman’s environment variables for secure and efficient authorization.