Skip to content
Postman API Testing Tips

How To Use Authorization Token In Postman

API Testing Blog

Sending Authorization Tokens with Postman

Postman is a powerful tool for testing APIs, and often your API requires authentication. Authorization tokens are one common way to authenticate API requests. This guide will walk you through how to use authorization tokens with Postman.

Understanding Authorization Tokens

Authorization tokens are strings that represent a user’s identity and permissions. These tokens are usually generated by an authentication service, like OAuth or API key providers, and are then sent with each subsequent API request. This ensures that only authorized users can access the API.

How to Use Authorization Tokens in Postman

Here’s how you can integrate authorization tokens in your Postman requests:

  1. Obtain the Token:

    • If you haven’t already, get the authorization token. This might involve logging in to your API’s authentication service or using a separate API call.

    Example: Let’s say you have an API that requires an API key. You could fetch the key using a GET request to the https://api.example.com/api-keys endpoint, then store it in a variable for future use.

    pm.test("Retrieve API key", () => {
        const response = pm.response.json();
        pm.environment.set("apiKey", response.api_key);
    });

  2. Add the Token to the Request:

    • In Postman, go to the Authorization tab of your request.
    • Select the authorization type:
      • Bearer Token: The token is prefixed with “Bearer” (common for OAuth2).
      • API Key: The token is simply passed as a header value.
      • Basic Auth: The token is generated from your credentials (username and password) and encoded as a Base64 string (more details below).
    • Enter your Authorization Token:
      • Bearer Token: Paste your token in the “Token” field.
      • API Key: Paste your key in the “Key” field.
      • Basic Auth: Enter your username and password in the respective fields.

  3. Send the Request: Now you can send your request. Postman will automatically attach the authorization token to the request header.

Using Different Authentication Types

1. Bearer Token Integration

  • Go to the Authorization tab of your Postman request.
  • Select “Bearer Token” from the type dropdown.
  • Paste your token in the “Token” field.

2. API Key Integration

  • Go to the Authorization tab.
  • Select “API Key” from the type dropdown.
  • Enter your key in the “Key” field.
  • Choose the “key” you want to use for sending the API key. You can select Authorization from the dropdown or specify the name of your custom header.
  • Optionally, define the key prefix (e.g., “api-key”).

3. Basic Auth Integration

  • Go to the Authorization tab.
  • Select “Basic Auth” from the type dropdown.
  • Enter your username and password in the respective fields.
  • Postman will automatically encode your username and password into a Base64-encoded string and send it in the Authorization header.

Example - Sending a Request with a Bearer Token:

{
    "url": "https://api.example.com/users",
    "method": "GET",
    "header": {
        "Authorization": "Bearer your_bearer_token"
    }
}

Using Environment Variables for Token Management

  • Create a new environment variable in Postman’s “Environments” section (click the eye icon).
  • Name the variable (e.g., auth_token) and set its value to your token.
  • In the Authorization tab of your request, use the environment variable syntax ({{auth_token}}) for the token value.

Best Practices for Authorization Tokens

  • Keep Tokens Secret: Avoid sharing your tokens publicly. Use secure storage methods.
  • Use Short-Lived Tokens: Implement a token expiration mechanism.
  • Validate Token Usage: Regularly verify the validity and permissions of tokens.
  • Scoped Authorizations: Use granular scopes to control user access to specific API resources.

Troubleshooting Authorization Errors

  • Check if the token is correct and valid.
  • Ensure the correct authorization type is selected in Postman.
  • Inspect the API documentation for any specific header names or formatting requirements.
  • Debug the token generation process.

By mastering the art of using authorization tokens in Postman, you can efficiently test authenticated APIs and ensure your applications are both secure and functional.

API Testing Blog