

Postman relies on string substitution to render environment values in the documentation. Use placeholder text for your API key’s value. Let’s walk through an example in which I share my API documentation publicly without leaking secrets. If you’re sharing Postman-generated documentation with your team, or especially publicly, make sure you don’t accidentally leak secrets. Current values are restricted to your session: When you’re working with a team, you can keep your private information as a current value so your team doesn’t have access to it. The current value is never synced to your account or shared with your team unless you choose to persist it. If you log out and log back into Postman, those values will be gone. If someone with an environment editor role updates that initial value to v2 of the API like, the updated initial value is shared with the team: Current values are restricted to your session within your Postman app. For example, if you want to share information like a base URL of for your API, those initial values will be accessible to the team. Initial values are accessible to your team in the workspace. Share the environment with your team by sharing it in a team workspace: Make sure “Automatically persist variable values” is toggled OFF in your general settings, so that you do not persist the current value of variables to the initial value: Let’s walk through an example in which I share an environment with my team without sharing my personal API key.

The current value is never synced to your account or shared with your team, unless you choose to persist it, which keeps it more secure. If you log out of Postman, those values will disappear. The current value is local to your session within your Postman app. This also ensures that you don’t override the team’s value. For global, collection, and environment variables, you can distinguish between an initial and current value. If you’re sharing an environment with your team, keep your tokens private by only updating the current value. Let’s follow an example in which I use an API key stored as an environment variable. Create an environment and add an environment variable called api_key: Environment variables can be used in text fields with double curly braces, as you can see here with the Authorization tab: Environment variables can also be used in script fields using pm.environment.get(): #2: Do not share your API keys with your team (If environment variables aren’t ideal for your use case, you can also choose another type of variable.) Storing your API key as an environment variable allows you to revoke, or refresh, the value in a single spot. In the same way you use variables for parameterized data, you can also use variables to decouple your secrets from the rest of your code. Instead of hard-coding your API keys, you can store them as environment variables in Postman.
#1: Do not embed your API keys directly in code Okay, let’s look at three ways to securely work with API keys.
If you want to join along in Postman with more detailed explanations, import the full tutorial here and follow the step-by-step documentation. I’m going to reference the Postman tutorial called Securely Using API Keys.
To help you use API keys as effectively as possible, let’s walk through some common pitfalls we see come up, and learn how to handle sensitive data in Postman. If you work with APIs, then you already know there are many ways to prove your identity and gain access to an API, such as API keys.
