Postman Auth Types

Most real-world APIs require you to prove who you are before they respond with data. This is called authentication. Postman has a built-in Authorization tab that supports every major auth method. This topic explains each one clearly.

The Security Guard Analogy

Imagine a secure office building. You must show ID at the front desk before entering. Different IDs work for different floors:

  • A guest badge = Basic Auth (simple but limited access)
  • A keycard = API Key (one key for one door)
  • A biometric scan = OAuth 2.0 (verifies your full identity with a time-limited pass)

APIs use similar layers of trust, and Postman handles each of them.

Where to Set Auth in Postman

Click the Authorization tab in any request. A Type dropdown lets you pick the auth method. You can also set auth at the collection level so every request inside it inherits the same credentials automatically.

No Auth

Select No Auth when the API is public and requires no credentials. The test API at jsonplaceholder.typicode.com uses no auth.

API Key

An API key is a long string of letters and numbers that identifies your app. The server checks this key before responding.

How to Set It in Postman

  1. Select API Key from the Type dropdown
  2. Enter the Key name that the API specifies (for example: x-api-key)
  3. Enter the Value (your actual API key string)
  4. Choose whether to send it in the Header or as a Query Parameter

Most APIs expect the key in a header. Some older APIs send it as a URL parameter like ?api_key=your_key_here.

Diagram

Request with API Key in header:
  GET /weather?city=London
  Headers:
    x-api-key: abc123xyz789...

Basic Auth

Basic Auth sends a username and password with every request. Postman combines them, encodes them in Base64, and places them in the Authorization header.

How to Set It in Postman

  1. Select Basic Auth from the Type dropdown
  2. Enter your Username
  3. Enter your Password

Postman sends this header automatically:

Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

The long string is the Base64-encoded version of username:password. Basic Auth is simple but should only be used over HTTPS, never plain HTTP.

Bearer Token

A Bearer token is a short-lived security pass. You first call a login endpoint to get the token, then include it with all subsequent requests. When the token expires, you log in again for a new one.

How to Set It in Postman

  1. Select Bearer Token from the Type dropdown
  2. Paste your token in the Token field

Postman adds this header to your request:

Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

Store the token in an environment variable called {{accessToken}} and reference it here so you never have to paste it manually again.

JWT Bearer

JSON Web Token (JWT) is the most common type of Bearer token. Postman's JWT Bearer type lets you configure the algorithm, secret, and payload directly — Postman generates the token for you. This is useful when you need to create tokens for testing without a login endpoint.

OAuth 2.0

OAuth 2.0 is the most powerful and flexible auth standard. It lets users grant your app access to their account on another service without sharing their password. For example, "Sign in with Google" uses OAuth 2.0.

OAuth 2.0 Flow Diagram

Your App          Authorization Server         Resource Server
    │                      │                        │
    │── Request access ───▶│                        │
    │                      │ (User logs in here)    │
    │◀── Auth code ────────│                        │
    │                      │                        │
    │── Exchange code ─────▶│                       │
    │◀── Access Token ──────│                       │
    │                                               │
    │── GET /data  (with access token) ────────────▶│
    │◀── Protected data ─────────────────────────── │

How to Set OAuth 2.0 in Postman

  1. Select OAuth 2.0 from the Type dropdown
  2. Click Get New Access Token
  3. Fill in the Token Name, Grant Type, Auth URL, Token URL, Client ID, and Client Secret
  4. Click Request Token
  5. A browser window opens for you to log in if needed
  6. Postman receives the token automatically and fills it in
  7. Click Use Token

Digest Auth

Digest Auth is more secure than Basic Auth. Instead of sending the password encoded in Base64, the server sends a challenge first. Your credentials are hashed with that challenge before being sent back. Postman handles the entire challenge-response process automatically when you select Digest Auth and enter your username and password.

Hawk Authentication and AWS Signature

These are specialized auth methods used by specific platforms. Hawk is used by Mozilla APIs. AWS Signature authenticates requests to Amazon Web Services. Postman supports both — just fill in the required fields in the Authorization tab.

Inherit Auth from Parent

When you set auth on a collection, all requests inside can use Inherit auth from parent in their own Authorization tab. This means you set your API key or token once at the top and every request picks it up automatically.

Collection Auth: Bearer {{accessToken}}
    └── POST Login          (No Auth — gets the token)
    └── GET User Profile    (Inherit auth → uses {{accessToken}})
    └── PUT Update Profile  (Inherit auth → uses {{accessToken}})
    └── DELETE Account      (Inherit auth → uses {{accessToken}})

Summary

Postman supports all major authentication methods through the Authorization tab. API Keys are simple and common. Basic Auth uses a username and password. Bearer Tokens are short-lived passes. OAuth 2.0 handles full delegated access flows. Setting auth at the collection level and using the Inherit option saves you from repeating yourself on every request.

Previous lessons
Back to courses
Next lessons

Leave a Comment

Your email address will not be published. Required fields are marked *