Skip to content
Postman API Testing Tips

How To Use Refresh Token In Postman

API Testing Blog

Refresh Tokens in Postman: A Comprehensive Guide

Refresh tokens are a crucial part of modern API authentication systems, allowing users to stay logged in for extended periods without needing frequent re-authentication. In this guide, we’ll explore how to effectively utilize refresh tokens within your Postman tests, enhancing your API testing workflows.

Understanding Refresh Tokens

Refresh tokens are typically used in conjunction with access tokens, which grant temporary access to API resources. When an access token expires, clients use the refresh token to obtain a new access token without requiring the user to re-authenticate. This provides a seamless user experience and improves security by minimizing the lifetime of sensitive access tokens.

Implementing Refresh Token Logic in Postman

Here’s a step-by-step guide on how to manage refresh tokens effectively in Postman:

  1. Setup Your Initial Request (Authentication)

    • Create a new request in Postman for your API’s authentication endpoint.

    • This endpoint is typically used to exchange user credentials for an access token and a refresh token.

    • For example, a simple request might look like this:

      // POST request to /auth/login
      {
        "username": "your_username",
        "password": "your_password"
      }

  2. Store Refresh Token Securely

    • After successfully authenticating, store the refresh token securely for later use. Postman offers several options:

      • Environment Variables: Maintain a global environment variable to store the token. This approach is suitable for general testing scenarios.
      • Postman Collections: Use collection variables for organization and better test flow management.

    • Example (Using environment variables):

      pm.environment.set("refreshToken", pm.response.json().refreshToken);

  3. Create a Refresh Token Request

    • Create a separate request in Postman for refreshing the access token. This request typically sends the refresh token as a parameter or in the request body.

    • Example (using a POST request with the refresh token in the body):

      // POST request to /auth/refresh
      {
        "refreshToken": "{{refreshToken}}" // Use environment variable
      }

  4. Update Access Token & Refresh Token

    • In the refresh token request’s “Tests” tab, extract the new access token and refresh token from the response.

    • Update your environment or collection variables with the new tokens.

    • Example:

      // Extract new tokens
      var newAccessToken = pm.response.json().accessToken;
      var newRefreshToken = pm.response.json().refreshToken;
      

      // Update environment variables
      pm.environment.set("accessToken", newAccessToken);
      pm.environment.set("refreshToken", newRefreshToken);

Handling Refresh Token Expiration

  • Implement a mechanism to automatically refresh your access token when it expires. Postman’s built-in pre-request scripts offer the perfect solution.

  • In your pre-request script, check the expiration time of the current access token. If it’s about to expire, trigger the refresh token request.

  • Example:

    var accessTokenExpiration = pm.environment.get("accessTokenExpiration"); // Assuming you store the expiration timestamp
    var currentTime = new Date().getTime();
    

    if (currentTime >= accessTokenExpiration) {
      // Call the refresh token request (you can reuse the request from step 3)
      pm.sendRequest({
        url: "your_refresh_token_endpoint",
        method: "POST",
        body: {
          refreshToken: pm.environment.get("refreshToken")
        }
      }, (err, response) => {
        if (err) {
          console.error("Error refreshing token:", err);
        } else {
          pm.environment.set("accessToken", response.json().accessToken);
          pm.environment.set("accessTokenExpiration", new Date(response.json().accessTokenExpirationTimestamp).getTime()); // Updated expiration time
        }
      });
    }

Example: Testing a Secure API

Let’s illustrate these concepts with a practical example. Assume you are testing an API with a /protected endpoint that requires authentication:

  1. Authentication Endpoint Request (POST /auth/login) 
    {
      "username": "your_username",
      "password": "your_password"
    }
  2. Store Refresh Token (Postman Tests Tab) 
    pm.environment.set("refreshToken", pm.response.json().refreshToken);
    pm.environment.set("accessToken", pm.response.json().accessToken);
    pm.environment.set("accessTokenExpiration", new Date(pm.response.json().accessTokenExpirationTimestamp).getTime());
  3. Refresh Token Endpoint Request (POST /auth/refresh) 
    {
      "refreshToken": "{{refreshToken}}"
    }
  4. Update Access Token (Postman Tests Tab) 
    pm.environment.set("accessToken", pm.response.json().accessToken);
    pm.environment.set("refreshToken", pm.response.json().refreshToken);
    pm.environment.set("accessTokenExpiration", new Date(pm.response.json().accessTokenExpirationTimestamp).getTime());
  5. Protected Endpoint Request (GET /protected)
    • Authorization Header: Bearer {{accessToken}}
    • Pre-request Script: 
      var accessTokenExpiration = pm.environment.get("accessTokenExpiration");
      var currentTime = new Date().getTime();
      

      if (currentTime >= accessTokenExpiration) {
        pm.sendRequest({
          url: "your_refresh_token_endpoint",
          method: "POST",
          body: {
            refreshToken: pm.environment.get("refreshToken")
          }
        }, (err, response) => {
          if (err) {
            console.error("Error refreshing token:", err);
          } else {
            pm.environment.set("accessToken", response.json().accessToken);
            pm.environment.set("accessTokenExpiration", new Date(response.json().accessTokenExpirationTimestamp).getTime());
          }
        });
      }

This example demonstrates how to integrate refresh token logic into your Postman tests, ensuring smooth and secure access to your API resources. Remember to adjust the specific endpoints, headers, and test logic based on your API’s requirements.

Tips for Using Refresh Tokens in Postman

  • Error Handling: Include robust error handling in your pre-request scripts and tests. If a refresh token request fails, provide mechanisms to handle the situation appropriately.
  • Security: Use environment variables or collection variables for storing tokens. Avoid storing refresh tokens in plain text.
  • Best Practices: Adhere to best practices regarding refresh token management. Limit the refresh token’s lifetime, use secure storage mechanisms, and implement expiration policies.

By implementing these techniques, you can elevate your Postman tests, ensuring comprehensive and realistic API testing scenarios that encompass the essential aspect of refresh token management.

API Testing Blog