Like many others, I like to use Postman when building and testing an API. One challenge with Postman is deciding how to authenticate your requests, something I’ve dealt with on a recent project. The more I’ve used it, the more ways I’ve tried to tackle this problem. Here’s a solution I found that works well.
On my project, we have an API that grants and uses OAuth2 access tokens for authentication (with no refresh token). In our Postman Collection, we can take advantage of collection-level authorization so that we don’t have to configure it request by request. After right-clicking to edit our Collection and navigating to the Authorization tab, we can select the OAuth 2.0 type from the dropdown and be presented with this:
If we plug in our appropriate credentials and click “Get New Access Token” and then “Update,” we’ll be all set up for our requests. (Learn more about this functionality.)
The only remaining step is to ensure that each request needing authorization is set to inherit auth from parent (meaning the collection):
This is all well and good, but there’s one catch: our token can’t automatically refresh. On my project, the token would expire after fifteen minutes — enough time to get the token once and try out a few requests, but a pain for longer sessions. It was annoying to continually get a new token through the process above. So how can we automate it?
You may have noticed that when editing the Collection, alongside the Authorization tab there was a tab called Pre-Request Scripts. We can take advantage of this to make sure we always have a valid token before requests. This is what I have in my collection’s “Pre-request Scripts”:
So what’s going on here? I’m taking advantage of a few things. In the script, I’m using Postman’s global variables to track some important things, including the client_id, client_secret, and grant_type, which I need for the body of the authorization request. The other two are variables for the auth token itself and the expiration time of that token.
In the beginning of the script, I’m checking to see if I have an existing expiration time and how much of a difference (in seconds) there is between that time and the time the script is called. If we’re at or below a thirty-second difference (arbitrarily chosen), then we fulfill the condition for the main part of the script.
Using Postman’s pm object, I then build a call to send a request, supplying the appropriate url, method, headers, and body. Upon success, I parse the response to assign the new token and its expiry time to the right variables. (Learn more about Postman’s JavaScript scripting.)
And that’s it! The only step left is to change the authorization type in our requests. We can just set the type to Bearer Token and provide our variable as the value, like this:
Now whenever we hit “Send” on one of our requests in this Collection, the Pre-request Script will run, checking if it’s time to find a new token and making the request if necessary. Neat!
My script is a bit sloppy, but in the process of writing it, I found that there are quite a few interesting things you can do with Postman if you put in the effort. Handling authorization like this is just one possibility.
I’m always interested in learning more, so let me know if you have any handy tips for using Postman more effectively!