CHAPTER 12
Beginner
Authentication in Postman
Updated: May 13, 2026
25 min read
1. Introduction
Public APIs like JSONPlaceholder are great for learning, but 99% of real-world APIs are locked behind security protocols. If an API handles money, user data, or business logic, you must prove who you are before the server will answer you. In this chapter, we will learn how to use Postman's dedicated Authorization tab to seamlessly handle various authentication methods, including API Keys, Basic Auth, and standard Bearer Tokens (JWTs).
2. Learning Objectives
By the end of this chapter, you will be able to:
- Explain why Authentication is necessary for API endpoints.
- Locate and use the Postman Authorization tab.
- Configure an API Key for third-party services.
- Understand and implement Basic Auth (Username/Password).
- Configure Bearer Tokens (JWTs) for modern REST APIs.
- Distinguish between Authentication and Authorization.
3. Beginner-Friendly Explanation
Imagine a VIP club. If you walk up to the door and ask to come in (send a GET request), the bouncer (the Server) stops you. They return a 401 Unauthorized status code.
To get in, you need a pass.
- API Key: A secret password the club gave you when you signed up. You whisper it to the bouncer.
- Basic Auth: Showing your physical ID card with your Name and Password on it.
- Bearer Token: A temporary digital wristband you received after showing your ID. The bouncer just scans the wristband and lets you in immediately.
Postman has a special tab that acts as your wallet. You put your pass in the wallet, and Postman automatically shows it to the bouncer every time you make a request.
4. Real-World Examples
- API Key (Stripe/Twilio): To send a text message via the Twilio API, you don't "log in". You simply attach your unique `TWILIO_API_KEY` to the request headers.
- Basic Auth (Legacy Systems): An old internal company API requires you to send your actual `username:password` string, encoded in Base64, with every single request.
- Bearer Token (Modern Apps/JWT): You log into a web app. The server gives you a long, scrambled string of text (a JSON Web Token). For the next 24 hours, you attach this token to every request to prove you are logged in.
5. Using the Authorization Tab
Instead of manually typing complex Headers, we use Postman's Auth tab.
Step 1: Open the Auth Tab
1. Open a Request (or a Folder, to use inheritance).
2. Click the Authorization tab (located between Params and Headers).
3. Look at the Type dropdown. It defaults to "Inherit auth from parent" or "No Auth".
6. Setting Up API Keys
API Keys are usually sent in the Header or as a Query Parameter.
1. Select API Key from the Type dropdown.
2. Two fields appear: Key and Value.
3. If the documentation says "Send your key in a header named `X-API-KEY`", type `X-API-KEY` in the Key field.
4. Type your actual secret code in the Value field (e.g., `{{my_secret_key}}` using variables!).
5. Set the "Add to" dropdown to Header. Postman will automatically inject it when you hit Send.
7. Setting Up Basic Auth
1. Select Basic Auth from the Type dropdown.
2. Enter your Username and Password in the provided boxes.
3. *What Postman does:* When you hit Send, Postman takes `username:password`, converts it to Base64 encoding, and injects it into a header like `Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=`. You don't have to do the math!
8. Setting Up Bearer Tokens (JWT)
This is the most common modern authentication method.
1. Select Bearer Token from the Type dropdown.
2. A single "Token" box appears.
3. Paste your token (e.g., `eyJhbGciOiJIUzI1Ni...`), or better yet, type `{{auth_token}}` to use an environment variable.
4. *What Postman does:* It automatically creates the header `Authorization: Bearer <your_token>`.
9. OAuth 2.0 (Advanced)
If you see "Log in with Google" or "Log in with Facebook", that is OAuth 2.0. It requires redirecting the user to a login page, getting a code, and trading it for a token. Postman has a built-in OAuth 2.0 flow. You select "OAuth 2.0", fill in the Client ID and Auth URLs provided by Google/Facebook, and click "Get New Access Token". Postman will literally pop open a browser window, let you log in, and capture the token for you!
10. Best Practices
- Use Inheritance: As stressed in the previous chapter, almost *never* set Authorization on an individual request. Click your Collection folder, set the Auth Type there, and let all child requests inherit it.
- NEVER HARDCODE TOKENS: Tokens expire. Passwords change. Always use an Environment Variable like `{{token}}` in the Auth tab. When the token expires, you only update the variable, not the 50 requests that rely on it.
11. Common Mistakes
- Double Authorization: Setting a Bearer token in the Auth tab, AND manually typing an `Authorization` header in the Headers tab. The server will get confused by conflicting headers.
- Sending API Keys in URLs (Params): Unless the documentation explicitly demands it, do not select "Add to: Query Params" for an API key. URLs are logged in plain text on servers. Always use Headers for security.
12. Mini Exercises
1. Look at the Headers tab. It tells you there are "Hidden" headers. Click the eye icon to reveal them. Do you see the `Authorization` header Postman generated for you?
2. What is the syntax generated by Postman for a Bearer token header? (e.g., `Authorization: Bearer <token>`).
13. Coding/Testing Challenges
Challenge 1: You are reading API documentation. It says: "To access user data, you must provide your token in a custom header named `Client-Secret-Pass`". Which Authorization Type should you select in Postman to accomplish this easily? *(Hint: Look at Section 6).*
14. MCQs with Answers
Question 1
What is the primary benefit of using Postman's Authorization tab instead of manually typing headers?
Question 2
Which authentication method uses a standard JSON Web Token (JWT) string?
Question 3
If a request returns a 401 Unauthorized status code, what is the most likely problem?
15. Interview Questions
- Q: Explain how Basic Authentication works and how Postman formats the header for it.
- Q: How do you efficiently manage a Bearer token that expires every 1 hour across 50 different Postman requests?
- Q: What is the difference between an API Key and OAuth 2.0?
16. FAQs
Q: My token expired, how do I get a new one?
A: Usually, you execute a POST request to a `/login` endpoint with your email/password. The server returns a fresh JSON response containing the new token. You copy that token and paste it into your `{{token}}` environment variable.