Postman Tutorial
14. Advanced Authorization
Endpoints in enterprise software must be protected from unauthorized access. Before you can query a database behind such an endpoint, you must authenticate. To spare you from manually constructing complex authentication headers or running cryptographic operations on the command line, Postman includes a dedicated, robust **Authorization Engine**.
Supported Authorization Models
Postman supports almost all industry-standard authentication protocols natively under the **Auth** tab:
- Inherit Auth from Parent: Automatically copies authorization parameters from the folder or collection root. (Recommended best practice).
- API Key: Appends a secure key-value pair to either the request headers (e.g. `x-api-key: 12345`) or URL query parameters dynamically.
- Bearer Token: Appends a token prefixed with "Bearer " (e.g. `Authorization: Bearer xyz123`) to your request headers. Standard for JSON Web Token (JWT) environments. The token is typically signed rather than encrypted, and anyone who holds it can present it, so it must only ever travel over HTTPS.
- Basic Auth: Prompts you for a Username and Password, automatically compiles them into a base64-encoded string, and appends the header: `Authorization: Basic [base64_string]`. Base64 is an encoding, not encryption: anyone who can read the header can recover the credentials, so use Basic Auth only over TLS.
- AWS Signature: Used to access Amazon Web Services endpoints. Postman prompts you for AccessKey and SecretKey and handles complex AWS HMAC-SHA256 signature generation automatically.
- OAuth 2.0: The gold standard for modern web application security. Postman contains a full OAuth client helper to acquire and refresh access tokens dynamically.
Automating OAuth 2.0 Token Generation
Acquiring an OAuth 2.0 access token manually involves multiple redirects, auth code copies, and curl exchanges. Postman automates this using its built-in browser helper:
- Select **OAuth 2.0** in the Auth dropdown.
- Scroll down to **Configure New Token** and fill in your client credentials:
- Grant Type: (e.g. Authorization Code, Client Credentials, or Implicit). Implicit is a legacy grant that returns the token in the browser URL; prefer Authorization Code (with PKCE where the provider supports it).
- Callback URL: (Postman provides a hosted callback URL, `https://oauth.pstmn.io/v1/callback`, which must be registered as an allowed redirect URI with your provider).
- Auth URL: The server's login (authorization) endpoint.
- Access Token URL: The server's token exchange endpoint.
- Client ID & Client Secret: Copied from your API provider settings. Keep the secret in an environment variable of type "secret" rather than typing it into a shared collection, so it is masked and not exported with the collection.
- Click the orange **Get New Access Token** button.
- Postman opens an integrated web page prompting you to log in. Enter your credentials and click Authorize.
- Postman automatically catches the redirect code, exchanges it for an access token, and saves it. Click **Use Token** to apply it to the request (or, combined with Inherit Auth from Parent, to the whole collection).
Dynamic Token Refresh via Test Scripts
Access tokens expire (often after 1 hour). If your tests fail because the token has expired, you can automate refreshes in your **Pre-request Script** using `pm.sendRequest()` to fetch a new token before the request runs; the request itself then references the stored token, for example as a Bearer Token of `{{accessToken}}`:
```javascript
// Pre-request Script: check the cached OAuth token and refresh it when missing or expired.
// The request's Auth tab is set to Bearer Token with value {{accessToken}}.
const tokenExpiry = pm.globals.get("oauth_expiry");
// Refresh slightly early so a request is never sent with a token that expires in flight
const refreshMarginMs = 60 * 1000;

// If the token is missing or (nearly) expired, fetch a new one before the main request runs
if (!tokenExpiry || Date.now() + refreshMarginMs > Number(tokenExpiry)) {
    pm.sendRequest({
        url: "https://api.authserver.com/oauth/token",
        method: "POST",
        header: {
            "Content-Type": "application/x-www-form-urlencoded"
        },
        body: {
            mode: "urlencoded",
            urlencoded: [
                { key: "grant_type", value: "client_credentials" },
                // clientId / clientSecret live in environment variables of type "secret",
                // not in the collection or a global, so they are masked and never exported
                { key: "client_id", value: pm.variables.get("clientId") },
                { key: "client_secret", value: pm.variables.get("clientSecret") }
            ]
        }
    }, function (err, res) {
        // Postman waits for this callback to finish before sending the main request
        if (err) {
            console.error("Token refresh failed:", err);
            return;
        }
        if (res.code !== 200) {
            // Do not overwrite a possibly still-valid token with undefined
            console.error("Token endpoint returned HTTP " + res.code + ": " + res.text());
            return;
        }
        const response = res.json();
        pm.globals.set("accessToken", response.access_token);
        // Store the absolute expiry time (expires_in is in seconds, e.g. 3600)
        pm.globals.set("oauth_expiry", Date.now() + (response.expires_in * 1000));
        console.log("OAuth access token refreshed successfully");
    });
}
```
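When the access token is a JWT, the refresh decision can be driven by the token's own `exp` claim instead of a separate `oauth_expiry` global. The following is an added example, not code from Postman or this tutorial; `tokenNeedsRefresh`, `jwtPayload` and the constructed test token are assumed names for illustration, and the decode step reads the claim without verifying the signature (the API server still does that).

```javascript
// Added example (not from the Postman docs): decide whether a cached bearer JWT should be
// refreshed by reading its `exp` claim instead of tracking a separate expiry variable.
// This only DECODES the payload; it does not verify the signature, so it must never be
// used to trust a token, only to decide when to refresh one the client already holds.

// JWT segments are base64url (RFC 7515) without padding: restore the standard
// alphabet and padding, then decode. atob exists in Node >= 16 and the Postman sandbox.
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  return typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
}

function base64UrlEncode(str) {
  const b64 = typeof btoa === "function" ? btoa(str) : Buffer.from(str, "binary").toString("base64");
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Parse the claims of a compact JWS (header.payload.signature). Throws on malformed input.
function jwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS: expected 3 dot-separated segments");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// True when the token is absent, malformed, lacks a numeric exp, or expires within marginSec.
// Failing "closed" (refresh) on anything unexpected keeps the main request from going out
// with a token the API will reject.
function tokenNeedsRefresh(token, nowMs, marginSec = 60) {
  if (!token) return true;
  let claims;
  try {
    claims = jwtPayload(token);
  } catch (e) {
    return true;
  }
  if (typeof claims.exp !== "number") return true;
  return claims.exp * 1000 - nowMs <= marginSec * 1000;
}

// Build a CONSTRUCTED, unsigned test token (dummy signature segment) so the logic can be
// exercised offline; a real token comes from the server's Access Token URL.
function makeTestToken(claims) {
  const header = base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  return header + "." + base64UrlEncode(JSON.stringify(claims)) + ".dummy-signature";
}

// In a Postman pre-request script this replaces the oauth_expiry bookkeeping:
// if (tokenNeedsRefresh(pm.globals.get("accessToken"), Date.now())) { /* pm.sendRequest(...) */ }
```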