Postman

How to automatically set a Bearer Token for your Postman requests

I love using Postman but it is a pain having to remember to enter a valid Bearer Token. The following is a JavaScript pre-request script I’ve used to automate the process.

Background

I’m using Auth0 for auth. My app consists of a Vue.js SPA and a .NET Core API.

Pretty much every endpoint in my API requires authentication. As I write each endpoint in my API I’m writing a Postman request so I can test it.

I have a Postman request to Auth0 to request a token.

To date I’ve been manually entering that token whenever I wanted to use an API endpoint. As you can imagine, this isn’t effective.

I just want my requests to always use a valid bearer token!

[Screenshot: my tests so far. Notice they’re all under a collection.]

Step 1 – Create some variables

We need to create two variables:

  1. Current bearer token
  2. Expiry date of the above token

You need to think about the scope of the variables. They can be anywhere from global (across any test you’ve got) to the individual test. Check out this article about scope in Postman.

I’m choosing to create my variables relative to the collection.

  • Went to Ben’s API
  • Clicked the three dots to open the menu
  • Clicked Edit
  • Let’s jump straight into the Variables tab and create our two variables which I’ve called currentAccessToken and accessTokenExpiry

Step 2 – the Pre-request Script

I went into Pre-request Scripts and wrote a script that does one of three things:

  • If the token or expiry date is missing I get a fresh token and set the value
  • If both variables are set but the expiry date is in the past I get a fresh token
  • If there is a token AND it’s valid (it’s only good for 24 hours) then do nothing

Here’s the code
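
The script is not reproduced on this page, so the following is an added example (not the author's code) of the three-way check listed above. It assumes an Auth0 client-credentials grant, hypothetical variables named auth0Domain, auth0ClientId, auth0ClientSecret and auth0Audience, and a Postman version that provides pm.collectionVariables.

```javascript
// Added example for the Postman pre-request sandbox; not the post's original script.
// Assumed variable names: auth0Domain, auth0ClientId, auth0ClientSecret, auth0Audience.
// currentAccessToken and accessTokenExpiry are the collection variables from Step 1.
const SKEW_MS = 60 * 1000; // refresh a minute early so a token never expires mid-request

// True when the token or expiry is missing, unparsable, or (nearly) in the past.
function needsNewToken(token, expiry, nowMs) {
  if (!token || !expiry) return true;
  const expiresAt = Number(expiry);
  if (!Number.isFinite(expiresAt)) return true;
  return expiresAt - SKEW_MS <= nowMs;
}

// Build the token request from variables so no secret is typed into the script text.
function buildTokenRequest(pm) {
  const payload = {
    grant_type: 'client_credentials', // assumed grant; the post does not say which it uses
    client_id: pm.variables.get('auth0ClientId'),
    client_secret: pm.variables.get('auth0ClientSecret'),
    audience: pm.variables.get('auth0Audience')
  };
  return {
    url: 'https://' + pm.variables.get('auth0Domain') + '/oauth/token',
    method: 'POST',
    header: { 'Content-Type': 'application/json' },
    body: { mode: 'raw', raw: JSON.stringify(payload) }
  };
}

function ensureToken(pm, nowMs) {
  const vars = pm.collectionVariables;
  if (!needsNewToken(vars.get('currentAccessToken'), vars.get('accessTokenExpiry'), nowMs)) {
    console.log('Token still valid, nothing to do');
    return;
  }
  pm.sendRequest(buildTokenRequest(pm), function (err, res) {
    if (err || res.code !== 200) {
      console.log('Token request failed', err || res.code);
      return;
    }
    const body = res.json();
    vars.set('currentAccessToken', body.access_token);
    vars.set('accessTokenExpiry', String(nowMs + body.expires_in * 1000));
    console.log('Stored a fresh token'); // log the event, never the token itself
  });
}

// Runs only inside Postman, where the sandbox provides `pm`.
if (typeof pm !== 'undefined') ensureToken(pm, Date.now());
```

Because the credentials are read with pm.variables.get, they can live in an environment rather than in the script, so sharing or exporting the collection does not carry the client secret with it.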

A few things to note:

  • I put some console.log statements as Postman has a console and logging is always a good thing
  • I did put all my secrets in this script. I’m not crazy about that but Postman doesn’t have a solution for secrets management. I’m going to try and use a test account in Auth0 to mitigate any issues
  • You cannot call another Postman request from a script. That would have been really useful so instead I ended up writing this
  • You could (should) write some tests under the Tests tab to confirm the token is set, it’s valid, etc. I haven’t yet got around to that

Step 3 – Authorization Setup

In the Authorization tab I set the

  • Type to Bearer Token
  • Token to {{currentAccessToken}}. This is the variable we created in Step 1 and set via the pre-request script

Step 4 – Use the token!

For all your API requests do the following

  • Go into the Authorization tab
  • Under Type select Inherit auth from parent

You’re done!

But wait there’s more – Console and View the variables

In the top right-hand corner there is an eye icon. If you click it you can see the current state of all your variables. You can also click Edit and change the contents.

In the bottom-left corner is a console from which you can view all the logs you’ve written. I found it useful for debugging.

You can also use it to confirm that the pre-request script runs before each of your individual tests in your collection.

12 comments

    1. I don’t know. Never used them. Could be something similar where you call a method(s) to get the value, which then gets saved / used. Overall, the mechanism of writing a pre-request script could be the same but how you’d get it and populate it is something you’ll have to determine.

    1. Hi Ben,

      Thanks for such a nice explanation.
      Actually I am using basic auth for authorization and it’s a GET request.
      So how should I pass my user name and password with a GET request?

      I tried some techniques, but didn’t get a proper solution.

      Regards,
      Rajnish

      1. If it’s basic auth then it’s really easy. You don’t need this fancy system. You need to create two variables, for your username and password, and in your GET request you pass those variables. In the top right of Postman you can create environments. In there you can define those two variables. Note that it would mean they’re just static but I assume that would be fine. Also, it would mean Postman would store that password so be careful about that.
