
Understanding API Authorization Options in Postman


In the previous section of this tutorial, we saw how to get started with using Postman for API testing. We now know how to test open APIs that don’t require authorization. Most APIs, however, will require you to authorize them before you can use them.  

Let’s start by understanding the different methods of API authorization available, and then look at how those can be tested with Postman.

Postman Tutorial Chapters

  1. Overview – The Ultimate Postman Tutorial for API Testing
  2. Chapter 1 – Getting started with Postman for API Testing
  3. You’re here → Chapter 2 – Understanding API Authorization Options in Postman
  4. Chapter 3 – Using Postman for Automation Testing
  5. Chapter 4 – Using Test Scripts in Postman
  6. Chapter 5 – Running Postman in CI using Newman
  7. Chapter 6 – Creating Mocks with Postman

Basic Auth

We’ll start with basic auth. Conceptually, basic auth is pretty easy to understand. It works in a similar way to how you log into a website: you simply need to provide a username and password. In order to use basic auth in Postman, you will of course need an API that supports this type of authentication, as well as a username and password that will give you access to the API.

To set up your test, go to the request in Postman that you need to authenticate and click on the Authorization tab. On that tab there is a Type dropdown where you can select the type of authorization your API uses. Select Basic Auth from there.

[Image: Postman Tutorial Chapter 2 - Select type of authorization your API uses]

You can then fill in your username and password and Postman will take care of the rest for you. If you switch to the Headers tab, you should see an Authorization header that looks something like this:

[Image: Postman Tutorial Chapter 2 - API Authorization in Postman]

This header is how your username and password are given to the server. The Basic part of this tells the API that you are using basic auth. However, basic auth isn’t used that much anymore in APIs as there are other more secure and convenient ways to authorize API requests. 

Let’s take a look at a more common way to do API authorization, using an API key.

API Keys

A more common way to do API authorization than basic auth is with an API key. API keys are often preferred because they can be revoked if they are compromised and can be set up to have the precise permissions you want the user to have. In order to use an API key, you first need to generate it! Most applications that use API keys will have some place that you can go to in order to generate a key to use. For example, in GitHub you can generate an API key by going to the settings for your user and then clicking on Developer Settings:

[Image: Postman Tutorial Chapter 2 - API Keys for API Authorization]

You can then select the Personal access tokens option and generate a personal access token. 

The exact place where you can find and generate API tokens like this will differ from app to app, so look around the current app you are testing or ask the developers or others on the team where you can find it. Not all APIs provide this kind of functionality but many of the public ones will.  

Once you have an API key, you are ready to put it into Postman. In order to do that, you can once again go to the Authorization tab for the API request you want to send. This time choose the Bearer Token option from the Type dropdown. You can then paste your API key into the Token field. If you switch to the Headers tab, you will see something that looks like this:

[Image: Postman Tutorial Chapter 2 - API Authorization in Postman]

Note that this time instead of starting with Basic the authorization header starts with Bearer. This lets the API server know that you are using a key for authentication. API keys are a common way to authorize API requests, but let’s take a look at a slightly more involved method of API Authorization, using OAuth 2. 
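What Postman puts in the Authorization header for the two types above, as an added example that is not part of the original tutorial: a Basic value is only the Base64 encoding of `username:password`, so anyone who can read the header can decode it, while a Bearer value carries the token as-is. The function names and the sample credentials are assumptions constructed for illustration; the code runs in Node.js.

```javascript
// Added example: build and parse the two Authorization header forms.
// All usernames, passwords and tokens here are constructed sample values.

function basicAuthHeader(username, password) {
  // The first ':' separates user from password, so the username cannot contain one.
  if (username.includes(':')) throw new Error('username must not contain ":"');
  const encoded = Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
  return `Basic ${encoded}`;
}

function bearerAuthHeader(token) {
  return `Bearer ${token}`;
}

// Parse a header the way a server (or a reviewer reading a captured request) would.
function parseAuthorization(header) {
  const match = /^([A-Za-z]+) +(\S+)$/.exec(header || '');
  if (!match) return { scheme: null, error: 'malformed header' };
  const scheme = match[1].toLowerCase();
  const value = match[2];
  if (scheme === 'bearer') return { scheme, token: value };
  if (scheme !== 'basic') return { scheme, error: 'unsupported scheme' };
  // Buffer.from silently skips invalid characters, so validate the Base64 first.
  if (!/^[A-Za-z0-9+/]+={0,2}$/.test(value) || value.length % 4 !== 0) {
    return { scheme, error: 'invalid base64' };
  }
  const decoded = Buffer.from(value, 'base64').toString('utf8');
  const sep = decoded.indexOf(':');
  if (sep === -1) return { scheme, error: 'missing ":" separator' };
  // Split on the FIRST colon only: passwords may legitimately contain ':'.
  return { scheme, username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

const basic = basicAuthHeader('postman', 'pa:ss word');
console.log(basic);
// No key is needed to recover the credentials from the header value.
console.log(parseAuthorization(basic));
console.log(parseAuthorization(bearerAuthHeader('sample-token-123')));
```

Because the Basic value decodes without any secret, both header types only protect the credential when the request goes over HTTPS.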

OAuth 2

Strictly speaking, OAuth isn’t a way to authenticate, it’s a way to delegate permissions. Getting into the details of how it works goes beyond the scope of this tutorial, but if you do need to test an API with OAuth, Postman can support you. At the end of the day, authorization with OAuth means you use an access token, much like the API key method discussed above. The difference is in how you get that key. Instead of just having it generated for you, you have to follow an OAuth flow in order to generate it.

If you are trying to set this up for an API, you will want to read the API documentation or talk to someone who understands it, in order to figure out what flow you need to follow. Once you have your key, you can go to the Authorization tab in Postman for the request you are trying to authorize and set the type to OAuth 2.0. From there you can click on the Get New Access Token button and fill in the appropriate details as given by the API documentation. You can then click on the Request Token button to get the token that you need.


There are some other authorization types that you can set up in Postman, but the ones above are probably the most common. With this in hand, you should be able to make requests to the API you are trying to test. Authorization in APIs can be a bit tricky when you are getting started, but Postman makes it straightforward to use. If the API you are currently testing doesn’t need authorization, challenge yourself a little and see if you can make calls to an API like GitHub or Twitter that does require it. You might be surprised at how quickly you can start using them when you are working with Postman.


About the author

Dave Westerveld

Dave Westerveld is an experienced tester who has been involved in various aspects of the testing role. As a strong exploratory tester, he has learned how to leverage many different tools to enhance his testing powers. He has also been involved in many automation projects, including building out new automation frameworks. In addition, he has helped transition several large and expensive automation suites into lighter weight, higher value systems. A speaker at several conferences, Dave also blogs about his thoughts and experiences at offbeattesting.com.
