API authentication and authorization in Postman

Postman enables you to send auth details with your API requests. APIs use authentication and authorization to control which clients may access which data. Authentication verifies the identity of the request sender; authorization confirms that the verified sender has permission to carry out the endpoint's operation. The two are checked separately: a request can carry valid credentials and still be refused because the caller lacks the rights the operation needs.

If you're building an API, you can choose from a variety of auth models. If you're integrating with a third-party API, the required authorization will be specified by the API provider.

Request authorization in Postman

You can pass auth details along with any request you send in Postman. Auth data can be included in the header, in the body, or as parameters of a request. If you enter your auth details in the Authorization tab of a request, Postman automatically populates the relevant parts of the request for your chosen auth type. You can use variables and collections to store authorization details, enabling you to reuse the same information in multiple places without hard-coding secrets into individual requests. Keep a secret in the variable's current value rather than its initial value: initial values are synced to your workspace and exported with the collection, current values stay local.
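The following is an added example, not code from the page or from Postman, showing the server side of what the two paragraphs above describe: the request carries auth data in the places Postman writes it (an Authorization header for Basic or Bearer, an API key in a header or a query parameter), the API first authenticates the sender and only then authorizes the operation. The credential store, the scopes, the endpoint policy and the `X-API-Key`/`api_key` names are constructed for this example.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs, urlsplit


def _digest(secret: str) -> str:
    # Secrets are stored as SHA-256 digests so a leaked table does not hand out
    # plaintext (a real password store would use a slow hash such as scrypt).
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed credential store for this example (assumption, not from the page).
USERS = {"alice": {"pw": _digest("s3cret"), "scopes": {"read"}}}
TOKENS = {_digest("tok-abc"): {"subject": "alice", "scopes": {"read", "write"}}}
API_KEYS = {_digest("key-123"): {"subject": "ci-bot", "scopes": {"read", "write"}}}

# Authorization policy: the scope each endpoint operation requires.
POLICY = {("GET", "/orders"): "read", ("POST", "/orders"): "write"}


def basic_header(user: str, password: str) -> str:
    """What a client (Postman's Basic Auth type included) puts in Authorization."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def _lookup(table: dict, secret: str) -> Optional[dict]:
    """Find the record for a presented secret, comparing digests in constant time."""
    wanted = _digest(secret)
    for stored, record in table.items():
        if hmac.compare_digest(stored, wanted):
            return record
    return None


def authenticate(headers: dict, url: str) -> Optional[dict]:
    """Verify who sent the request. Returns {'subject', 'scopes'} or None.
    Looks in the places Postman writes auth data: the Authorization header
    (Basic, Bearer), an API-key header, or an API-key query parameter."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() == "basic":
        try:
            user, _, password = base64.b64decode(param, validate=True).decode().partition(":")
        except ValueError:  # malformed base64 or non-UTF-8 payload
            return None
        record = USERS.get(user)
        if record and hmac.compare_digest(record["pw"], _digest(password)):
            return {"subject": user, "scopes": record["scopes"]}
        return None
    if scheme.lower() == "bearer":
        return _lookup(TOKENS, param.strip())
    key = headers.get("X-API-Key")
    if key is None:
        # A key in the query string ends up in proxy and server access logs;
        # it is accepted here only to show where Postman can place it.
        key = parse_qs(urlsplit(url).query).get("api_key", [None])[0]
    if key:
        record = _lookup(API_KEYS, key)
        if record:
            return {"subject": record["subject"], "scopes": record["scopes"]}
    return None


def authorize(principal: dict, method: str, path: str) -> bool:
    """Check that the verified sender may perform this endpoint's operation."""
    needed = POLICY.get((method, path))
    return needed is not None and needed in principal["scopes"]


def handle(method: str, url: str, headers: dict) -> int:
    """HTTP status an API would answer: 401 when identity cannot be verified,
    403 when verified but not permitted, 200 otherwise."""
    principal = authenticate(headers, url)
    if principal is None:
        return 401
    if not authorize(principal, method, urlsplit(url).path):
        return 403
    return 200


if __name__ == "__main__":
    url = "https://api.example.test/orders"
    print(handle("GET", url, {"Authorization": basic_header("alice", "s3cret")}))
    print(handle("POST", url, {"Authorization": basic_header("alice", "s3cret")}))
    print(handle("POST", url, {"Authorization": "Bearer tok-abc"}))
```

Note the difference in the two failure codes: a wrong password or unknown token is a 401 (authentication), while alice's password login with only the `read` scope posting to `/orders` is a 403 (authorization), even though her bearer token, which carries `write`, succeeds on the same endpoint.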


If you have session cookies in your browser, you can sync them to Postman using Postman Interceptor. A synced cookie is a live session credential, so treat it like any other secret. To learn more, go to Capture traffic from a web browser using Postman Interceptor and Create and capture cookies using Postman’s cookie manager.


Add and manage CA and client certificates in Postman

You can add and manage certificates in Postman to enable authentication when sending requests.

To connect to an API that uses Mutual TLS (mTLS), you need to add a client certificate to Postman. Mutual TLS is an authentication method in which both the client and the server present a certificate during the TLS handshake and prove possession of the matching private key. The server verifies the client certificate against a CA it trusts, the client verifies the server's in the same way, and only then is the encrypted connection used for the request.

Managing certificates

In the Postman settings, you can view installed certificates, add a new certificate, or remove a certificate.

  1. Select the settings icon in the header and select Settings.
  2. Select the Certificates tab.

Adding CA certificates

To avoid "self signed certificate" errors when sending requests, add your custom CA certificate to Postman. This keeps certificate verification on while trusting your internal CA; turning off SSL certificate verification in the settings also makes the error go away, but then Postman accepts any certificate from anyone, so prefer adding the CA.

  1. Turn on the toggle next to CA Certificates.
  2. Select the PEM file for your CA certificate. (The PEM file can contain multiple CA certificates.)

Adding client certificates

To send requests to an API that uses mutual TLS authentication, add your client certificate to Postman.

  1. Select Add Certificate.
  2. Enter the Host domain for the certificate (don't include the protocol). For example, enter postman-echo.com to send requests to the Postman Echo API. The Host field supports pattern matching. If you enter *.example.com, the same client certificate will be used for all example.com subdomains.
  3. (Optional) Enter a custom port number to associate with the domain. If you don't specify a port, Postman uses the default HTTPS port (443).
  4. Select the CRT file and the Key file for your certificate, OR select the PFX (PKCS#12) file, which bundles the certificate and key.
  5. If you used a Passphrase when generating the client certificate, enter it in the box. Otherwise, leave the box blank.
  6. Select Add.

Each client certificate is specific to a domain. To send requests to more domains, add the appropriate certificate for each domain. Don't add more than one certificate for the same domain. If you add more than one certificate for a domain, Postman will use the last certificate added.
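As an added example (not Postman's code), the block below reproduces the certificate settings described above in a plain TLS client: a custom CA is added on top of the OS trust store rather than replacing verification, a client certificate is chosen per host and port with the `*.example.com` wildcard and the last-added-wins rule, and the resulting context is what a request to that host would use. The exact wildcard semantics (only subdomains, never the apex or a look-alike such as `evil-example.com`), the `ClientCert` type and all file names are assumptions made for this example.

```python
import ssl
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class ClientCert:
    """One entry as Postman's Add Certificate dialog collects it (assumed shape)."""
    host: str                          # domain or *.domain, without the protocol
    port: int = 443                    # default HTTPS port when none is entered
    crt: str = ""                      # PEM certificate path (CRT file)
    key: str = ""                      # PEM private key path (Key file)
    passphrase: Optional[str] = None   # only if the key was encrypted


def normalize_host(host: str) -> str:
    """Reject the common mistake of pasting a URL instead of the host."""
    host = host.strip().lower().rstrip("/")
    if "://" in host or "/" in host:
        raise ValueError("enter the host only, e.g. api.example.com, not a URL")
    return host


def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or *.example.com for any subdomain of example.com.
    endswith('.example.com') excludes both the apex and 'evil-example.com'."""
    pattern, host = normalize_host(pattern), normalize_host(host)
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def select_cert(certs: List[ClientCert], host: str, port: int = 443) -> Optional[ClientCert]:
    """Pick the certificate for a request. Later entries win, which is why a
    second certificate for the same host silently replaces the first."""
    chosen = None
    for cert in certs:
        if cert.port == port and host_matches(cert.host, host):
            chosen = cert
    return chosen


def client_context(ca_pem: Optional[str] = None,
                   cert: Optional[ClientCert] = None) -> ssl.SSLContext:
    """TLS client settings equivalent to the CA and client certificate settings."""
    ctx = ssl.create_default_context()            # OS trust store, hostname check on
    if ca_pem:
        ctx.load_verify_locations(cafile=ca_pem)  # add the custom CA(s) from one PEM
    # The tempting fix for "self signed certificate" errors is to turn
    # verification off. Do not: that accepts any certificate from anyone.
    #   ctx.check_hostname = False
    #   ctx.verify_mode = ssl.CERT_NONE
    if cert:
        # Python's ssl module loads PEM only; convert a PFX first, for example
        #   openssl pkcs12 -in client.pfx -out client.pem -nodes
        ctx.load_cert_chain(cert.crt, cert.key, cert.passphrase)
    return ctx


def verifies_peer(ctx: ssl.SSLContext) -> bool:
    """True when the context still checks the server chain and hostname."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


if __name__ == "__main__":
    # Constructed certificate list; the files are placeholders, not read here.
    certs = [
        ClientCert("postman-echo.com", crt="echo.crt", key="echo.key"),
        ClientCert("*.example.com", crt="wild.crt", key="wild.key"),
        ClientCert("api.example.com", 8443, "alt.crt", "alt.key"),
    ]
    for host, port in [("postman-echo.com", 443), ("api.example.com", 443),
                       ("api.example.com", 8443), ("example.com", 443)]:
        print(host, port, select_cert(certs, host, port))
    print("verifying:", verifies_peer(client_context()))
```

`select_cert` is pure bookkeeping, so it can be checked without any key material; `client_context` only touches the files when a certificate is actually passed, which is where you would point it at the CRT and Key files you added in Postman.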

Removing a certificate

Remove a certificate if you no longer need it to send requests from Postman.

  • To remove a CA certificate, select the remove icon next to the certificate.
  • To remove a client certificate, select the delete icon next to the certificate.


Follow Guneet Singh for more QA-related topics


API authentication and authorization are critical for secure data exchange. Postman makes it easy to experiment with different auth methods, whether OAuth, API keys, or Bearer tokens, by embedding them in headers or parameters. Managing certificates adds a further layer of security, especially for test environments that require mutual TLS authentication. How do you usually decide which auth method fits best for your API use case?
