While the request editor is powerful enough to construct any kind of request, sometimes you might need some help. Postman has “helpers”, which can simplify some repetitive and complex tasks. The current set of helpers lets you deal with authentication protocols easily. You can use environment variables with all helpers.
You can choose to save helper data to collection requests. This will cause the signature to be regenerated each time. These helpers will even work in Newman!
Update: Starting with Postman 5.3, you will notice a few changes around the request authorization flows. Postman has updated the authorization framework to improve existing authorization types, like OAuth 2.0, and also introduced new authorization types, like NTLM. Additionally, there is no need to manually update the request. If you want to inspect the authorization headers and parameters that Postman generates, you can use the Preview Request button. Alternatively, inspect the Postman console to get a raw dump of the entire request after it is sent.
For basic auth, fill in the username and password fields and hit “Update Request” to generate the authorization header.
Digest auth is more complicated than basic auth and uses the values currently set in the request to generate the authorization header. Make sure they are set properly before you generate the header. Postman will remove the existing header if it’s already present.
Postman’s OAuth helper lets you sign requests which support OAuth 1.0a-based authentication. Currently, it does not let you acquire the access token. That’s something you would need from the API provider. The OAuth 1.0 helper can set values either in the header or as query parameters.
As subsequent OAuth requests might expect a different nonce value, Postman can refresh the OAuth signature just before the request is sent if auto add parameters is enabled.
The OAuth 1.0 spec is quite complicated and there are many variations. Postman tries to support as many of those variations as possible, but if something does not work for you, file an issue on GitHub. These are a few of the options that we’ve included:
If this checkbox is enabled, params are added to the header. If not, they are added to the URL params for a GET request and to the request body for POST/PUT requests.
Some implementations of OAuth 1.0 require empty parameters to be added to the signature.
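The signing steps the OAuth 1.0 helper automates, written out as an added Node.js example following RFC 5849 (not Postman's own code). It shows why a new nonce forces a new signature and how the empty-parameter and header options change what is signed and sent; the key, token, secrets, host and the `demo` helper are constructed placeholders.

```javascript
// Added example: OAuth 1.0a HMAC-SHA1 signing (RFC 5849) in Node.js.
const nodeCrypto = require('crypto');

// RFC 3986 percent-encoding; encodeURIComponent leaves !'()* unescaped.
function percentEncode(value) {
  return encodeURIComponent(value).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

const cmp = (x, y) => (x < y ? -1 : x > y ? 1 : 0);
// Base string: METHOD & encoded base URL (no query string) & encoded params,
// sorted by encoded name, then value. includeEmpty mirrors the
// "empty parameters" option: some servers expect `filter=` to be signed.
function signatureBaseString(method, url, params, includeEmpty) {
  const normalized = Object.entries(params)
    .filter(([, v]) => includeEmpty || v !== '')
    .map(([k, v]) => [percentEncode(k), percentEncode(v)])
    .sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]))
    .map(([k, v]) => `${k}=${v}`)
    .join('&');
  return [method.toUpperCase(), percentEncode(url), percentEncode(normalized)].join('&');
}

// HMAC-SHA1 keyed with "consumerSecret&tokenSecret", base64-encoded.
function sign(baseString, consumerSecret, tokenSecret) {
  const key = `${percentEncode(consumerSecret)}&${percentEncode(tokenSecret)}`;
  return nodeCrypto.createHmac('sha1', key).update(baseString).digest('base64');
}

// Header placement: only the oauth_* values go into the Authorization header.
function authorizationHeader(params, signature) {
  const oauth = { ...params, oauth_signature: signature };
  return 'OAuth ' + Object.keys(oauth).filter((k) => k.startsWith('oauth_')).sort()
    .map((k) => `${k}="${percentEncode(oauth[k])}"`).join(', ');
}

// Constructed sample request: key, token, secrets and host are placeholders.
const sample = {
  oauth_consumer_key: 'example-key', oauth_token: 'example-token',
  oauth_signature_method: 'HMAC-SHA1', oauth_timestamp: '1500000000',
  oauth_version: '1.0', q: 'a b', filter: '',
};

function demo(nonce, includeEmpty) {
  const params = { ...sample, oauth_nonce: nonce };
  const base = signatureBaseString('GET', 'https://api.example.test/items', params, includeEmpty);
  const signature = sign(base, 'example-consumer-secret', 'example-token-secret');
  return { base, signature, header: authorizationHeader(params, signature) };
}
```

Comparing `demo('n-0001', false).base` with `demo('n-0001', true).base` shows the exact difference a server sees when the empty-parameter setting does not match its own implementation.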
Postman supports getting the OAuth 2.0 token as well as adding it to requests really easily. To get an access token from an OAuth 2.0 provider, follow these steps:
https://www.getpostman.com/oauth2/callback as the Callback URL.
Hawk is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial HTTP request cryptographic verification.
Read more on the Hawk GitHub page.
AWS users have to use a custom HTTP scheme based on a keyed-HMAC (Hash-based Message Authentication Code) for authentication. Postman supports this out of the box.
Read more about the AWS Signature in the AWS documentation: