API Authentication: Bearer Tokens and API Keys in Postman
Bearer token, JWT authentication, API key authentication, Basic Auth, OAuth 2.0, Postman Authorization tab, inheriting auth, token refresh automation
Authentication is one of the most critical aspects of REST API testing. Almost every production API requires some form of authentication before it allows access to protected resources. Postman supports multiple authentication strategies, and knowing how to configure each one correctly is a skill every developer needs.
[IMAGE: API Authentication Flow: the client sends credentials to the Auth Server, receives a JWT, sends it in the Authorization header to the Resource Server, and receives the protected data]
The Authorization Tab
Postman's Authorization tab provides a dedicated interface for every major authentication type. When you select an auth type from the dropdown, Postman shows the required fields and automatically adds the correct header to your request, so you never need to format authorization headers by hand.
Bearer Token Authentication
Bearer tokens (most commonly JWTs, JSON Web Tokens) are the standard for modern REST API authentication. After logging in, the server returns a token, and you include it in the header of every subsequent request:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
In Postman:
- Open the Authorization tab.
- Select Bearer Token from the Type dropdown.
- Paste your token or use a variable: {{auth_token}}
- Postman adds the Authorization header automatically.
API Key Authentication
Some APIs use an API key, a static string that identifies and authenticates the client. It can be sent as a header or as a query parameter.
// As a header:
X-API-Key: your-api-key-here
// As a query parameter:
GET https://api.example.com/data?api_key=your-api-key-here
In Postman, select API Key from the Authorization dropdown, enter the key name and value, and choose whether to send it as a Header or Query Param.
Basic Authentication
Basic Auth joins the username and password as username:password, Base64-encodes that pair, and sends it in the Authorization header. It is the simplest scheme, but Base64 is an encoding, not encryption, so the credentials are trivially recoverable; use it only over HTTPS.
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
In Postman, select Basic Auth, enter the Username and Password, and Postman handles the Base64 encoding automatically.
OAuth 2.0
OAuth 2.0 is the most complex of these flows and, when configured correctly, the most secure; it is used by Google, GitHub, and most major platforms. Postman has a built-in OAuth 2.0 flow:
- Select OAuth 2.0 from the Authorization dropdown.
- Fill in the Token URL, Client ID, Client Secret, and Scope.
- Click Get New Access Token; Postman runs the full OAuth flow and stores the resulting token.
Inheriting Auth from Collection
Instead of configuring authorization on every request individually, set it once at the collection or folder level:
- Open the collection or folder settings.
- Go to the Authorization tab.
- Configure the auth type.
- On each request, select Inherit auth from parent in the Authorization tab.
This is the recommended approach: one configuration update propagates to every request instantly.
Automating Token Refresh
For APIs with short-lived tokens, automate the refresh in a collection-level Pre-request Script:
// Collection-level Pre-request Script: refresh the access token once the
// stored expiry has passed. Environment values are stored as strings, so
// convert before comparing (missing or empty values also trigger a refresh).
const tokenExpiry = Number(pm.environment.get("token_expiry"));
const now = Date.now();
if (!tokenExpiry || now > tokenExpiry) {
    pm.sendRequest({
        url: pm.environment.get("base_url") + "/auth/refresh",
        method: "POST",
        header: { "Content-Type": "application/json" },
        body: {
            mode: "raw",
            raw: JSON.stringify({
                refreshToken: pm.environment.get("refresh_token")
            })
        }
    }, (err, res) => {
        // Never store a token from a failed refresh; report and leave the old values.
        if (err || res.code !== 200) {
            console.error("Token refresh failed:", err || res.code);
            return;
        }
        const data = res.json();
        pm.environment.set("auth_token", data.accessToken);
        pm.environment.set("token_expiry", now + (data.expiresIn * 1000));
    });
}
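The refresh script above trusts the expiresIn value returned by the refresh endpoint, but a JWT bearer token already carries its own exp claim, so the client can decide when to refresh from the token itself and add a clock-skew margin. The following is an added example, not code from the original article or from Postman; the function names are mine, and it assumes the access token is a JWT with a numeric exp claim and that Buffer is available (Node, or require("buffer") in the Postman sandbox).

```javascript
// Added example, not from the original article. Decides whether a bearer JWT
// needs refreshing by reading the token's own `exp` claim rather than trusting
// the `expiresIn` value stored after the last refresh. Runs under Node; in the
// Postman sandbox, Buffer is assumed to be available via require("buffer").
// The signature is not verified here: the client only schedules a refresh,
// the server still validates the signature on every request.

function base64UrlDecode(segment) {
  // JWT segments are unpadded base64url; restore standard base64 first.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error("expected compact JWS: header.payload.signature");
  }
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True when the token is missing, malformed, lacks exp, or expires within
// skewSeconds of nowMs. Failing toward "refresh" is the safe default: an
// extra refresh is cheap, a 401 halfway through a collection run is not.
function needsRefresh(token, skewSeconds = 30, nowMs = Date.now()) {
  if (!token) return true;
  let payload;
  try {
    payload = decodeJwtPayload(token);
  } catch (e) {
    return true;
  }
  if (typeof payload.exp !== "number") return true;
  return payload.exp * 1000 <= nowMs + skewSeconds * 1000;
}

// Constructed sample token (not a real credential): HS256 header, a payload
// with exp = 1700000000 (2023-11-14T22:13:20Z), and a placeholder signature.
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_JWT = [
  base64UrlEncode({ alg: "HS256", typ: "JWT" }),
  base64UrlEncode({ sub: "user-123", exp: 1700000000 }),
  "placeholder-signature",
].join(".");
// In a Postman pre-request script the check would gate the refresh call:
// if (needsRefresh(pm.environment.get("auth_token"))) { /* pm.sendRequest(...) */ }
```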
Key Takeaways
- Use Postman's Authorization tab; never format auth headers by hand.
- Bearer Token: set {{auth_token}} variable, auto-populated from the login response.
- Inherit auth from collection/folder to avoid repeating configuration on every request.
- Store tokens in Current Value only; never expose secrets in Initial Value or collection exports.
