Table of contents
1. Introduction
2. Token Scanner
3. Use cases
4. Supported tokens
5. Default alerts
6. Custom Alert
7. Token scanner dashboard
8. Protecting Postman API keys in GitHub
9. Onboarding checklist
10. Setting up Postman
11. Invite team members
12. Check your setup
13. Enable team discovery
14. Frequently Asked Questions
14.1. What kinds of requests can you make with Postman?
14.2. What does Postman's endpoint mean?
14.3. What is Postman ID?
14.4. What does Postman's collection mean?
15. Conclusion
Last Updated: Mar 27, 2024

Token Scanner and onboarding checklist in

Author SHIVANGI MALL

Introduction

With numerous built-in tools that support each stage of the API lifecycle, the Postman testing tool offers a complete API development platform. With the Postman tool, you can create, mock, debug, run automated tests, document, monitor, and publish APIs all in one place. 

Token Scanner

The Postman Token Scanner scans your public workspaces, collections, environments, and documentation for exposed authentication tokens. This protects your organization by preventing malicious users from abusing the tokens.

The Token Scanner is included in all Postman plans and is enabled by default.

Use cases

A scan starts whenever a team member does one of the following:

  • Sets a workspace's visibility to Public.
  • Shares a collection or environment to a public workspace.
  • Changes a collection or environment that is in a public workspace.
  • Publishes new documentation for a Postman Collection.
  • Edits any Postman documentation that is publicly accessible.

The Security audit reports section of the Reports dashboard is where Postman displays the scan results.

Supported tokens

By default, the Token Scanner scans for a range of token types. With custom alerts, you can also cover your team's proprietary tokens and third-party app tokens that aren't supported yet.

Default alerts

The Token Scanner automatically scans for tokens from these service providers:

  • Airtable API Key
  • Amazon MWS Token
  • Basic Auth
  • Bearer Token
  • Clojars Deploy Token
  • Databricks Authentication Token
  • DSA Private Key
  • EC2 SSH Private Key
  • Firebase Cloud Messaging API Key
  • GitHub Personal Access Token
  • Google API Key
  • Google OAuth Token
  • Microsoft Outlook Team Webhook URL
  • OpenSSH Private Key
  • PGP Private Key
  • Postman API Key
  • RSA Private Key
  • SendGrid API Key
  • Sendinblue Key
  • Shopify Key
  • Slack Webhook URL
  • Square Access Key
  • Square Access Token
  • Square OAuth Secret
  • Stripe Restricted Key
  • Stripe Secret Key
  • Telegram Bot Access Token
  • Twilio API Key

Custom Alert

Custom alerts let you scan for your team's proprietary tokens and for any third-party app tokens that aren't scanned automatically.

Note: Custom alerts are only available on Postman Enterprise plans.

Your team can add up to five custom alerts in total. To add a custom alert, you must have the Community Manager, Developer, or Admin role.

To add custom alerts:

  • Go to Team > Team Settings > Token scanner.
  • Under the "Custom alerts" heading, select Add Alert.
  • Define the custom token on the Add Alert page.

Token scanner dashboard

You can view your team's default and custom alerts in the data security dashboard. In the top right corner, select Team > Team Settings, choose Data security from the list on the left, and then select Token scanner.


Protecting Postman API keys in GitHub

Postman also partners with GitHub to help keep your Postman API keys secure. If you commit a valid Postman API key to a public GitHub repository, Postman notifies you by email and with an in-app notification. You can also configure Postman's Slack integration to notify you in Slack when this happens.

As advised, you should delete the exposed API key from your API keys dashboard. To keep using the Postman API, generate a new API key.
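A file-level scan in the same spirit as the Token Scanner and the GitHub key protection described above, added here as an example and not Postman's own code: it walks an exported collection or environment and flags values matching a few of the default alert categories plus one custom pattern. The regexes, the hypothetical "ACME" token format and the sample export are assumptions constructed for this example.

```python
import re

# Patterns for a few of the default alert categories listed above. These regexes
# are approximations written for this example, not Postman's own scanner rules.
DEFAULT_PATTERNS = {
    "Postman API Key": re.compile(r"\bPMAK-[0-9a-f]{24}-[0-9a-f]{34}\b"),
    "GitHub Personal Access Token": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "Slack Webhook URL": re.compile(r"https://hooks\.slack\.com/services/T\w+/B\w+/\w+"),
    "Private Key": re.compile(r"-----BEGIN (?:RSA |DSA |OPENSSH |PGP |EC )?PRIVATE KEY-----"),
    "Bearer Token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
}
# Stand-in for a team's custom alert: a hypothetical proprietary token format.
CUSTOM_PATTERNS = {"Acme Internal Token": re.compile(r"\bACME-[0-9a-f]{32}\b")}

def walk_strings(node, path="$"):
    """Yield (json_path, value) for every string in a parsed collection/environment export."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_strings(value, f"{path}.{key}")
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from walk_strings(value, f"{path}[{index}]")
    elif isinstance(node, str):
        yield path, node

def scan_export(document, custom_patterns=None):
    """Return findings for an export; matches are redacted to a prefix so they can be logged."""
    patterns = {**DEFAULT_PATTERNS, **(custom_patterns or {})}
    findings = []
    for path, value in walk_strings(document):
        for name, regex in patterns.items():
            for match in regex.finditer(value):
                findings.append({"alert": name, "path": path,
                                 "redacted": match.group(0)[:8] + "..."})
    return findings

# Constructed sample export; every secret-looking value below is fake.
SAMPLE_COLLECTION = {
    "info": {"name": "Orders API"},
    "item": [{"name": "List orders", "request": {
        "url": "https://api.example.com/orders",
        "header": [{"key": "X-API-Key", "value": "PMAK-" + "0" * 24 + "-" + "1" * 34},
                   {"key": "Authorization", "value": "Bearer " + "a" * 40}]}}],
    "variable": [{"key": "internal_token", "value": "ACME-" + "f" * 32}],
}

if __name__ == "__main__":
    for finding in scan_export(SAMPLE_COLLECTION, CUSTOM_PATTERNS):
        print(finding)
```

Run against a collection export before it is shared to a public workspace or committed to a repository; a non-empty result means the export should be cleaned and the matched credentials rotated.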

Onboarding checklist

To help your team succeed, carry out the following preparation activities before you start using Postman in your company.

Setting up Postman

Postman is available as a standalone app for Windows, Mac, and Linux, and the Postman Desktop Agent enables Postman to be used on the web. Download the latest version of Postman from the Postman website and make sure everyone who needs it has it installed.

When using the Postman web version, you can manually choose the Cloud Agent, Desktop Agent, or Browser Agent for your requests. Select the agent picker in the Postman footer to see which agent handled your request. Auto-select can be turned on or off; when it is on, Postman automatically chooses the most suitable agent for your requests.


You can choose the agent (Cloud, Desktop, or Browser) you want to use for your requests explicitly or by using the auto-select option.

You may want to contact your IT department to find out the steps involved in introducing a new piece of software. While this differs from organization to organization, the following points are common:

  • Your IT department may need to amend the device policy to add an exception that permits Postman to be installed on employee workstations. Send the IT team a link to download Postman to help them create this exception.
  • If you have a Postman Enterprise plan, your IT team may decide to roll out the Postman Enterprise app across your company. See Managing Enterprise deployment for details.
  • If your company's network connection goes through a proxy, you may need to configure Postman accordingly. Obtain the proxy connection details from your IT department and configure them in Postman.
  • To ensure that Postman data syncs with the cloud and that all functionality works as intended, it is recommended that your IT staff allowlist Postman's domains.
  • Depending on your plan, you may be able to get static IP addresses for Postman Monitors. Your IT staff must add these static IPs to an allowlist. For information on obtaining and setting up static IP addresses for monitoring, see Running Postman monitors with static IPs.
  • Update the team settings. For more details, see Team Settings.
  • If single sign-on (SSO) is a feature of your Postman plan, you may need help from your IT team to configure it. For information on integrating with specific identity providers, see Configuring SSO for a team.

Invite team members

Depending on the size of your team, you can either send invites right away or test your setup with a small group of volunteers before rolling out Postman to the full company.

You can generate a shareable link or send a direct email invitation to your teammates to add them from your team dashboard. For further information, see Managing Your Team.


Check your setup

Before you begin working fully, it's advisable to check that Postman functions as it should within your company. If you do not have access to Postman or a Postman account, find a teammate who does to help you test the configuration. Depending on your company's IT policies, you may also need to ask your IT team for a few things to get set up and running.

Make sure you are connected to your company's network and perform the following tests:

  • Can you send a request to example.com from Postman?
  • Can you send a request to one of your private or internal APIs?
  • Delete a request from a collection, then check go.postman.co to confirm that your requests and collections are synced with Postman's cloud.

Repeat these checks on a coworker's workstation. If everything works as expected, your workstations and network are ready to support Postman. If you run into a problem, contact Postman support.

Enable team discovery

Team discovery helps users find Postman's collaboration tools more easily, and it lets team engagement grow alongside your API projects. When team discovery is enabled, Postman shows users in your company a list of teams they can join when they log in to their Postman accounts. Anyone who logs in with a work email address sees the list of available teams and can request to join any of them. Administrators receive a notification and can then approve or deny access.

Frequently Asked Questions

What kinds of requests can you make with Postman?

A request in Postman consists of a request method, request URL, request headers, request body, pre-request script, and tests.

What does Postman's endpoint mean?

You may include Postman in your development toolchain by integrating it with the Postman API endpoints. Through the API, you can add and run monitors, update environments, add and run new collections, and update existing collections. You can now access data kept in your Postman account programmatically.

What is Postman ID?

Individual resources in your Postman account can be accessed using their unique id (uid). The uid is simply the resource owner's user-id concatenated with the resource-id.

What does Postman's collection mean?

A collection of saved requests is called a Postman Collection. Every request you make in Postman is recorded in the sidebar's History tab.

Conclusion

We hope this article helps you learn something new. If you're interested in learning more, see our posts on Introduction to Postman, Learn APIs (making APIs and JWT authentication), and Postman for API testing.

Visit our practice platform, Coding Ninjas Studio, to practice top problems, attempt mock tests, read interview experiences, and much more. Feel free to upvote and share this article if it has been helpful for you.
