How to securely handle sensitive data like passwords or tokens in Postman?
Last Updated: 24 Jul, 2025
When dealing with sensitive data like passwords or tokens, it's crucial to follow best practices to ensure the security of your applications. In this guide, we will walk you through the step-by-step process of securely handling sensitive data in Postman.
We will receive JSON data when sending a GET request to an API, and that data will be stored in a variable. JSON stands for JavaScript Object Notation. It is a format for structuring data that different web applications use to communicate with each other.
Prerequisites:
Steps to Securely handle sensitive data like passwords or tokens in Postman:
In the steps below, we use a free API endpoint as an example:
`https://jsonplaceholder.typicode.com//posts`
Step 1: Use Environment Variables
One of the key features of Postman is its support for environment variables. Instead of hardcoding sensitive information directly into your requests, use environment variables to store and manage this data centrally.
- Open Postman and create a new environment by clicking on the gear icon in the top right corner.
- Name your environment and add key-value pairs for each sensitive piece of data (e.g., password, API token or base url).
Since our endpoint does not require an API key, we create a variable named "base_url" with the value "https://jsonplaceholder.typicode.com/".
When your endpoint requires an API key, you can create a variable for it in the same way.
- Environment Name: New Enviroment1
- Variable: base_url : https://jsonplaceholder.typicode.com/
Case when your endpoint requires an API key:
Environment Name: MyAPIEnvironment2
Variables:
- API_KEY: your_api_key
- PASSWORD: your_password
Figure: Setting the variable
Step 2: Reference Environment Variables in Requests
Now that you have set up your environment variables, it's time to reference them in your requests.
- In your request, enclose the variable name in double curly braces, like `{{base_url}}` (or `{{API_KEY}}` or `{{PASSWORD}}` when the request needs an API key).
- Postman will automatically replace these placeholders with the values from your environment.
- Request URL : `{{base_url}}/posts`
- Request URL : `{{base_url}}/comments`
Example (when your endpoint needs an API key):
Request URL: `https://api.example.com/data?api_key={{API_KEY}}`
Figure: How to use a variable in a request
Step 3: Use Secure Variables for Sensitive Data
Note: the endpoint used in our example does not require an API key, so there is also another example that takes an API key. It only illustrates how you would work with other endpoints too.
To add an extra layer of security, consider using Postman's secure variables for highly sensitive information. Secure variables are encrypted and provide an additional level of protection against unauthorized access.
- Open your environment where you have defined your variable.
- Click on the "Click on type" button.
- Select the `secret` option.
Example:
Environment Name: MyAPIEnvironment2
Variables:
- API_KEY: your_api_key
- PASSWORD: your_password (Secure)
The picture below shows how to do it.
Figure: Making the value secret
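The check below is an added example, not part of the original article or Postman's own tooling: it audits an exported environment and request URLs for the habits described in Steps 1 to 3. The export field names (`values`, `key`, `value`, `type`) and the sample values are assumptions.

```javascript
// Added example, not Postman's code. The values[].key/value/type fields are
// assumed to match Postman's exported environment JSON.
const SENSITIVE_NAME = /(key|token|secret|password|auth)/i;
const PLACEHOLDER = /\{\{\s*([^{}\s]+)\s*\}\}/g;

// Flag sensitive-looking variables that are not "secret" or still hold a value.
function auditEnvironment(env) {
  const findings = [];
  for (const v of env.values || []) {
    if (!SENSITIVE_NAME.test(v.key)) continue;
    if (v.type !== 'secret') findings.push(`${v.key}: type is not "secret"`);
    if (v.value) findings.push(`${v.key}: export still carries a value`);
  }
  return findings;
}

// Flag undefined {{placeholders}} and sensitive query parameters set to literals.
function auditUrl(url, env) {
  const findings = [];
  const defined = new Set((env.values || []).map((v) => v.key));
  for (const m of url.matchAll(PLACEHOLDER)) {
    if (!defined.has(m[1])) findings.push(`{{${m[1]}}} is not defined in ${env.name}`);
  }
  const query = url.split('?')[1] || '';
  for (const pair of query.split('&').filter(Boolean)) {
    const [name, value = ''] = pair.split('=');
    if (SENSITIVE_NAME.test(name) && !/^\{\{[^{}]+\}\}$/.test(value)) {
      findings.push(`query parameter ${name} has a hardcoded value`);
    }
  }
  return findings;
}

// Constructed sample environment using the article's variable names.
const sampleEnv = {
  name: 'MyAPIEnvironment2',
  values: [
    { key: 'base_url', value: 'https://jsonplaceholder.typicode.com/', type: 'default' },
    { key: 'API_KEY', value: 'your_api_key', type: 'default' },
    { key: 'PASSWORD', value: '', type: 'secret' },
  ],
};

console.log(auditEnvironment(sampleEnv));
console.log(auditUrl('https://api.example.com/data?api_key={{API_KEY}}', sampleEnv));
console.log(auditUrl('https://api.example.com/data?api_key=abc123', sampleEnv));
```

Run it with Node.js against your own exported environment file before committing or sharing it.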