
Getting started with authorization in Postman
from POSTMAN API
by danzzersdev
Both of these pieces are crucial to a properly working security system. The two concepts often get conflated, and you will hear one term or the other used to describe them both. This is fine as long as you are aware that there are two different aspects at play. We need some way to verify that someone is who they say they are (a password, for example), but we also need a set of rules or permissions that grant that authenticated user access to the correct set of resources.
Now that you have the big picture view of security, let's take a look at how to deal with security in Postman.
API security in Postman
Now that you understand what authorization and authentication are, it's time to look at how to use this knowledge in Postman. Postman has a lot of built-in options for dealing with API security, and in this section, I will show you how to use each of them. When I was getting started with API testing, I found that figuring out how to authorize and authenticate myself was one of the hardest parts of API testing. I hope that this section will help you figure out how to handle API security on any APIs you are testing. In the previous section, I talked about the distinction between authorization and authentication. However, as I mentioned, sometimes those two terms are conflated. Postman uses the terminology of "authorization" to combine both of these concepts, so as I show you how to do this, I will generally stick to using that term as an umbrella term for both authentication and authorization.
In this section, you will learn how to use the various authorization options in Postman. I will go over some common ones such as bearer tokens, and also walk you through the details of how to use OAuth 2.0. In addition, you will learn how to use many of the less common authorization options as well so that you will be ready to test regardless of the type of authorization your API uses.
Getting started with authorization in Postman
Authorization details can be set directly on the Authorization tab of a request. In order to do that, do the following:
1. Navigate to a request through the Collections tab in the navigation panel.
2. Open the request by clicking on it and you will see an Authorization tab.
3. Click on that and you will see a dropdown where you can specify the type of authorization that your API uses.
If you click on that dropdown, you will see that there are a number of options available.
In this section, I will show you how to set up some of the more common ones from this list. If you need more details on some of the other authorization options, you can find more information in the Postman documentation (https://learning.postman.com/docs/sending-requests/authorization/). As you can see in the following screenshot, Postman has many authorization options:
Figure 5.1 – Authorization options in Postman
The first option on this list is the Inherit auth from parent option. This is a powerful option that makes it much easier to manage an API. Usually, when an API has authorization enabled, it will be required for every endpoint in the API. This means that any time you want to access a request in the API, you will need to specify auth options. However, you aren't trying to test the authorization itself; you merely need to enter it so that you can do some other testing. In this case, it makes a lot of sense to only specify the login information in one place rather than repeating it for each request. Postman enables this by allowing you to specify authorization at the folder or collection level. If you click on the View more actions menu beside the collection in which your request is located and choose the Edit option, you will see that there is an Authorization tab. You can set up authorization options here, and then for any request in that collection, you can choose the Inherit auth from parent option to use the values you entered in the collection.
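What the Authorization tab and the Inherit auth from parent option described above actually produce can be seen in an exported collection file. The following Postman Collection v2.1 snippet is an added example, not from the original text: a bearer token is configured once at the collection level, the first request carries no `auth` block and therefore inherits it, and the second request opts out with `noauth` (useful for a login or health-check endpoint that must be reachable without credentials). The collection name, the `api_token` variable and the `api.example.com` URLs are assumptions chosen for illustration.

```json
{
  "info": {
    "name": "Example API (constructed)",
    "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
  },
  "auth": {
    "type": "bearer",
    "bearer": [
      {
        "key": "token",
        "value": "{{api_token}}",
        "type": "string"
      }
    ]
  },
  "item": [
    {
      "name": "List users (inherits collection auth)",
      "request": {
        "method": "GET",
        "header": [],
        "url": {
          "raw": "https://api.example.com/users",
          "protocol": "https",
          "host": ["api", "example", "com"],
          "path": ["users"]
        }
      }
    },
    {
      "name": "Health check (no auth)",
      "request": {
        "auth": {
          "type": "noauth"
        },
        "method": "GET",
        "header": [],
        "url": {
          "raw": "https://api.example.com/health",
          "protocol": "https",
          "host": ["api", "example", "com"],
          "path": ["health"]
        }
      }
    }
  ]
}
```

Two points are worth noticing. First, the token value is the variable reference `{{api_token}}` rather than a literal: keep the real secret in an environment (or a Postman vault/secret-type variable) so it is not written into a collection file that gets exported, shared or committed to source control. Second, a request that simply omits `auth` is the file-level equivalent of choosing Inherit auth from parent in the UI, so when you review an exported collection, a request with no `auth` block is sending the collection's credentials, not none.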