
How To Use Variable In Postman For Password

API Testing Blog

Using Variables for Passwords in Postman: A Guide for Secure API Testing

Keeping sensitive information like passwords out of your Postman requests is essential for secure API testing. Variables offer a secure and efficient way to manage passwords within your workflow. Let’s explore different methods of using variables for passwords in Postman.

1. Using Environment Variables

Environment variables provide a centralized location to store sensitive information like passwords. This is ideal for sharing passwords across multiple tests and team members while maintaining security.

Step 1: Define the Environment Variable

Go to the Environments tab in Postman. Click Add to create a new environment or select an existing one.

Step 2: Set the Password Variable

In the environment editor, click Add to add a new variable.

  • Key: Enter a descriptive name for your password variable, like API_PASSWORD.
  • Value: Enter your password. For enhanced security, consider using a secret manager like AWS Secrets Manager, HashiCorp Vault, or Azure Key Vault to access the password value.

Step 3: Using the Environment Variable in Your Request

In your request body, use the following syntax to reference the environment variable:

{
    "username": "testuser",
    "password": "{{API_PASSWORD}}"
}

Example:

Imagine you have an API endpoint that requires a login. In Postman, you can create an environment variable called API_PASSWORD and set its value to supersecret. Then, in your request body, you can use {{API_PASSWORD}} to dynamically fill in the password field:

{
    "username": "testuser",
    "password": "{{API_PASSWORD}}"
}

2. Using Collection Variables

Collection variables are useful for storing data specific to a particular collection. If you need a password for a specific collection of tests, using collection variables can help you organize your tests better.

Step 1: Create a New Collection Variable

Go to your desired collection and navigate to the Variables tab. Click Add to create a new variable.

Step 2: Set the Password Variable

  • Key: Give your variable a name like COLLECTION_PASSWORD.
  • Value: Enter your password.

Step 3: Using the Collection Variable in Your Request

Use the following syntax to reference the collection variable in the request body:

{
    "username": "testuser",
    "password": "{{COLLECTION_PASSWORD}}"
}

Example:

You could create a collection named Authentication Tests and add a collection variable called COLLECTION_PASSWORD with the value secretkey. Then, in any request within this collection, you’d use {{COLLECTION_PASSWORD}} to pass the password.

3. Using Data Files

Data files provide a structured way to manage large amounts of test data, including passwords. This approach is particularly useful when dealing with multiple users or scenarios with varying password requirements.

Step 1: Create a Data File

Create a .json or .csv file to store your passwords. For example, you could have a file named credentials.json with the following contents:

[
    {
        "username": "user1",
        "password": "password1"
    },
    {
        "username": "user2",
        "password": "password2"
    }
]

Step 2: Setting up the Data Source in Postman

In your request, go to the Authorization tab and select Basic Auth.

  • Username: In the username field, use the variable from the data file, e.g., {{username}}.
  • Password: In the password field, use the variable from the data file, e.g., {{password}}.

Step 3: Using the Data File in Your Request

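Under the Tests tab of your request, add the following code to read the current iteration's values from the data file:

pm.test("Data File Iteration", () => {
    // pm.iterationData holds the current row of the data file; read fields with get()
    const username = pm.iterationData.get("username");
    const password = pm.iterationData.get("password");
    console.log("Username:", username);
    // Log only whether a password was supplied; console and runner logs are not secret storage
    console.log("Password set:", Boolean(password));
});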

Example:

You can create a data file named users.json containing multiple user credentials. In your request, you’ll set up the data source to reference this file. Then, using the pm.iterationData object in the Tests tab, you can access each user’s credentials and dynamically set the username and password for each iteration.

4. Using Pre-Request Scripts

Pre-request scripts allow you to execute code before sending a request. This gives you the flexibility to dynamically generate or fetch passwords.

Step 1: Write a Script to Fetch the Password

In the Pre-request Script tab of your request, use JavaScript to retrieve the password from a secret manager, database, or other external source.

Example:

// Fetching password from a hypothetical secret manager (replace with actual logic)
const password = pm.environment.get("SECRET_PASSWORD");
// Setting the password as a variable for use in your request
pm.variables.set("dynamicPassword", password);

Step 2: Using the Retrieved Password in Your Request

In the request body, use {{dynamicPassword}} to access the dynamically retrieved password.

Example:

{
    "username": "testuser",
    "password": "{{dynamicPassword}}"
}
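
One way to fill in the "replace with actual logic" step, added here as an example and not part of the original post: a pre-request script that reads the password from HashiCorp Vault's KV v2 HTTP API with pm.sendRequest. The environment variable names VAULT_ADDR and VAULT_TOKEN, the secret path secret/data/api-tests and its "password" key are assumptions.

```javascript
// Added example. Assumed names: VAULT_ADDR and VAULT_TOKEN (environment variables you
// define) and a KV v2 secret at "secret/data/api-tests" that holds a "password" key.
function loadPassword(pm, done) {
    const addr = pm.environment.get("VAULT_ADDR");
    const token = pm.environment.get("VAULT_TOKEN");
    if (!addr || !token) {
        throw new Error("VAULT_ADDR and VAULT_TOKEN must be set in the environment");
    }
    pm.sendRequest({
        url: addr + "/v1/secret/data/api-tests",
        method: "GET",
        header: { "X-Vault-Token": token }
    }, (err, res) => {
        // Surface the failure instead of setting an empty password.
        if (err || res.code !== 200) {
            throw new Error("Vault lookup failed, status " + (res ? res.code : "n/a"));
        }
        const secret = res.json().data.data;   // KV v2 nests the payload under data.data
        // pm.variables.set creates a local variable: it lives only for the current
        // request or collection run and is not written to the environment or collection.
        pm.variables.set("dynamicPassword", secret.password);
        if (done) done();
    });
}

// Inside Postman the sandbox provides `pm`; outside Postman this line does nothing.
if (typeof pm !== "undefined") loadPassword(pm);
```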

Best Practices for Secure Password Management

  • Never directly embed passwords in your Postman requests.
  • Utilize environment variables, collection variables, or data files for storing passwords.
  • Store passwords in a secure secret management system.
  • Consider using temporary, short-lived access tokens for authentication whenever possible.
  • Regularly review and rotate your passwords.
  • Avoid hardcoding passwords directly in any environment variable. Instead, reference a secret manager or another secure source.
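
A check for the first rule in this list, added here as an example and not part of the original post: a Node.js function that walks an exported collection (v2.1 JSON) and reports password fields that hold a literal value instead of a {{variable}} reference. The sample collection is constructed from the values used in this article, and the key-name pattern is an assumed convention.

```javascript
// Added example: flag literal passwords in an exported Postman collection (v2.1 JSON).
const VAR_REF = /^\{\{[^{}]+\}\}$/;             // value is exactly one {{variable}} reference
const SECRET_KEY = /passw(or)?d|secret|token/i; // assumed naming convention for credential keys
// Recurse through a parsed JSON body; report credential-looking keys with literal values.
function literalSecrets(obj, where, out) {
    for (const [k, v] of Object.entries(obj || {})) {
        if (v && typeof v === "object") literalSecrets(v, where + "." + k, out);
        else if (SECRET_KEY.test(k) && typeof v === "string" && v && !VAR_REF.test(v)) {
            out.push(where + "." + k);
        }
    }
}

function scanCollection(col) {
    const findings = [];
    const walk = (items, path) => (items || []).forEach((it) => {
        const here = path + "/" + it.name;
        if (it.item) return walk(it.item, here);             // folder: recurse
        const req = it.request || {};
        if (req.body && req.body.mode === "raw") {
            try { literalSecrets(JSON.parse(req.body.raw), here + " body", findings); }
            catch (e) { /* body is not plain JSON: not checked in this example */ }
        }
        const basic = (req.auth && req.auth.basic) || [];     // Basic Auth fields
        basic.filter((f) => f.key === "password" && f.value && !VAR_REF.test(f.value))
            .forEach(() => findings.push(here + " auth.basic.password"));
    });
    walk(col.item, "");
    // Collection variables are exported together with their values.
    (col.variable || [])
        .filter((v) => SECRET_KEY.test(v.key) && v.value && !VAR_REF.test(v.value))
        .forEach((v) => findings.push("variable " + v.key));
    return findings;
}
// Constructed sample: values come from the article's examples, structure is v2.1.
const sample = {
    variable: [{ key: "COLLECTION_PASSWORD", value: "secretkey" }],
    item: [
        { name: "login-ok", request: { body: { mode: "raw",
            raw: '{"username":"testuser","password":"{{API_PASSWORD}}"}' } } },
        { name: "Authentication Tests", item: [
            { name: "login-bad", request: { body: { mode: "raw",
                raw: '{"username":"testuser","password":"supersecret"}' } } },
            { name: "basic-ok", request: { auth: { type: "basic", basic: [
                { key: "username", value: "{{username}}" },
                { key: "password", value: "{{password}}" }] } } }] }
    ]
};
console.log(scanCollection(sample));
```

Run it against the exported collection file before committing or sharing it; an empty array means no literal credential was found in the places this example checks.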

By following these best practices, you can safeguard your passwords and ensure secure and reliable API testing.
