How to securely handle sensitive data like passwords or tokens in Postman?

Last Updated : 03 Jan, 2024
When dealing with sensitive data like passwords or tokens, it’s crucial to follow best practices to ensure the security of your applications. In this guide, we will walk you through the step-by-step process of securely handling sensitive data in Postman.

We will receive JSON data when sending a GET request to an API, and that data will be stored in a variable. JSON stands for JavaScript Object Notation. It is a format for structuring data that different web applications use to communicate with each other.

Prerequisites:

Steps to Securely handle sensitive data like passwords or tokens in Postman:

In the steps below, we will use a free API endpoint as an example.

`https://jsonplaceholder.typicode.com/posts`

Step 1: Use Environment Variables

One of the key features of Postman is its support for environment variables. Instead of hardcoding sensitive information directly into your requests, use environment variables to store and manage this data centrally.

  • Open Postman and create a new environment by clicking on the gear icon in the top right corner.
  • Name your environment and add key-value pairs for each sensitive piece of data (e.g., password, API token or base url).

Since our endpoint does not require an API key, we create a variable named “base_url” whose value is “https://jsonplaceholder.typicode.com”.

When your endpoint requires an API key, you can create a variable for it in a similar way.

  • Environment Name: New Enviroment1
  • Variable: base_url : https://jsonplaceholder.typicode.com

Case when your endpoint requires an API key:

Environment Name: MyAPIEnvironment2

Variables:

  • API_KEY: your_api_key
  • PASSWORD: your_password

Screenshot: Setting the variable

Step 2: Reference Environment Variables in Requests

Now that you have set up your environment variables, it’s time to reference them in your requests.

  • In your request, use double curly braces to enclose the variable name, like `{{base_url}}` (or `{{API_KEY}}` or `{{PASSWORD}}` when the request needs an API key).
  • Postman will automatically replace these placeholders with the values from your environment.
  • Request URL : `{{base_url}}/posts`
  • Request URL : `{{base_url}}/comments`

Example (when your endpoint needs an API key):

Request URL: `https://api.example.com/data?api_key={{API_KEY}}`

Screenshot: How to use a variable in a request

Step 3: Use Secure Variables for Sensitive Data

Note: the endpoint used in our example does not require an API key, so there is also another example that takes an API key. It is there just to illustrate how you would work with other endpoints too.

To add an extra layer of security, consider using Postman’s secure variables for highly sensitive information. Secure variables are encrypted and provide an additional level of protection against unauthorized access.

  • Open your environment where you have defined your variable.
  • Click on the “Click on type” button.
  • Select the `secret` option.

Example:

Environment Name: MyAPIEnvironment2

Variables:

  • API_KEY: your_api_key
  • PASSWORD: your_password (Secure)

The picture below shows how you can do it.

Screenshot: Making the value secret
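
One way to check an exported environment and collection against Steps 1 to 3, as an added example that is not part of the original article: it flags sensitive-looking variables that are not set to the `secret` type and requests that contain a variable's literal value instead of a `{{placeholder}}`. The JSON fields follow Postman's export files; the sample data, the name-matching heuristic and the function names are assumptions made for illustration.

```javascript
// Added example: audit Postman export JSON for the practices in Steps 1-3.
// Sample data below is constructed; SENSITIVE_NAME is an assumed heuristic.
const SENSITIVE_NAME = /(key|token|password|secret)/i;

// Step 3 check: sensitive-looking variables should have type "secret".
function auditEnvironment(env) {
  return (env.values || [])
    .filter((v) => SENSITIVE_NAME.test(v.key) && v.type !== "secret")
    .map((v) => `${env.name}: variable "${v.key}" is not marked secret`);
}

// Steps 1-2 check: requests should use {{placeholders}}, not literal values.
function auditCollection(collection, env) {
  const secrets = (env.values || []).filter((v) => SENSITIVE_NAME.test(v.key) && v.value);
  const findings = [];
  const walk = (items) => {
    for (const item of items || []) {
      if (item.item) walk(item.item); // folders nest further items
      if (!item.request) continue;
      const url = item.request.url; // string or { raw: "..." } in exports
      const fields = [typeof url === "string" ? url : (url && url.raw) || ""];
      for (const h of item.request.header || []) fields.push(String(h.value));
      for (const s of secrets) {
        if (fields.some((f) => f.includes(s.value))) {
          findings.push(`${item.name}: literal value of "${s.key}" in request`);
        }
      }
    }
  };
  walk(collection.item);
  return findings;
}

// Constructed sample exports (values are placeholders, not real credentials).
const sampleEnv = {
  name: "MyAPIEnvironment2",
  values: [
    { key: "base_url", value: "https://jsonplaceholder.typicode.com", type: "default" },
    { key: "API_KEY", value: "example-key-123", type: "default" },
    { key: "PASSWORD", value: "example-pass-456", type: "secret" },
  ],
};
const sampleCollection = {
  item: [
    { name: "Good", request: { method: "GET", url: { raw: "https://api.example.com/data?api_key={{API_KEY}}" }, header: [] } },
    { name: "Bad", request: { method: "GET", url: "https://api.example.com/data?api_key=example-key-123", header: [] } },
  ],
};
console.log(auditEnvironment(sampleEnv).concat(auditCollection(sampleCollection, sampleEnv)));
```
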

GIF: all the steps at once (output)
