How to automatically set a Bearer Token for your Postman requests

I love using Postman but it is a pain having to remember to enter a valid Bearer Token. The following is a JavaScript pre-request script I’ve used to automate the process.


I’m using Auth0 for auth. My app consists of a Vue.js SPA and a .NET Core API.

Pretty much every endpoint in my API requires authentication. As I write each endpoint in my API I’m writing a Postman request so I can test it.

I have a Postman request to Auth0 to request a token.

To date I’ve been manually entering that token whenever I wanted to use an API endpoint. As you can imagine, this isn’t effective.

I just want my requests to always use a valid bearer token!

My tests so far. Notice they’re all under a collection

Step 1 – Create some variables

We need to create two variables:

  1. Current bearer token
  2. Expiry date of the above token

You need to think about the scope of the variables. They can be anywhere from global (across any test you’ve got) to the individual test. Check out this article about scope in Postman.

I’m choosing to create my variables relative to the collection.

  • Went to Ben’s API
  • Clicked the three dots to open the menu
  • Clicked Edit
  • Let’s jump straight into the Variables tab and create our two variables which I’ve called currentAccessToken and accessTokenExpiry


Step 2 – the Pre-request Script

I went into Pre-request Scripts and wrote a script that does one of three things:

  • If the token or expiry date is missing I get a fresh token and set the value
  • If both variables are set but the expiry date is in the past I get a fresh token
  • If there is a token AND it’s valid (it’s only good for 24 hours) then do nothing

Here’s the code

A few things to note:

  • I put some console.log statements as Postman has a console and logging is always a good thing
  • I did put all my secrets in this script. I’m not crazy about that but Postman doesn’t have a solution for secrets management. I’m going to try and use a test account in Auth0 to mitigate any issues
  • You cannot call another Postman request from a script. That would have been really useful so instead I ended up writing this
  • You could, and should, write some tests under the Tests tab to confirm the token is set, it’s valid, etc. I haven’t yet got around to that
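
The three-way check from Step 2, written out as an added example (not the author's original script): it stores the expiry as epoch milliseconds so a malformed value counts as missing, refreshes slightly early, and reads the Auth0 credentials from environment variables rather than hard-coding them in the script. The variable names auth0Domain, auth0ClientId, auth0ClientSecret and auth0Audience and the REFRESH_SKEW_MS margin are assumptions.

```javascript
// Added example: names such as auth0Domain, auth0ClientSecret and
// REFRESH_SKEW_MS are assumptions, not taken from the original post.
const REFRESH_SKEW_MS = 60 * 1000; // refresh one minute before expiry

// Decide which of the three branches applies. Expiry is stored as epoch ms.
function tokenState(token, expiry, nowMs) {
  const expiryMs = Number(expiry);
  if (!token || !expiry || !Number.isFinite(expiryMs)) return 'missing';
  if (expiryMs - REFRESH_SKEW_MS <= nowMs) return 'expired';
  return 'valid';
}

// Turn a token response (access_token, expires_in seconds) into the two variables.
function toVariables(json, nowMs) {
  if (!json || typeof json.access_token !== 'string' || !(json.expires_in > 0)) {
    throw new Error('Token response lacks access_token or expires_in');
  }
  return {
    currentAccessToken: json.access_token,
    accessTokenExpiry: String(nowMs + json.expires_in * 1000),
  };
}

// Postman glue: only runs inside the Postman sandbox, where `pm` is defined.
if (typeof pm !== 'undefined') {
  const vars = pm.collectionVariables;
  const state = tokenState(vars.get('currentAccessToken'), vars.get('accessTokenExpiry'), Date.now());
  console.log('Token state: ' + state); // log the state, never the token itself
  if (state !== 'valid') {
    pm.sendRequest({
      url: 'https://' + pm.environment.get('auth0Domain') + '/oauth/token',
      method: 'POST',
      header: { 'Content-Type': 'application/json' },
      body: {
        mode: 'raw',
        raw: JSON.stringify({
          grant_type: 'client_credentials',
          client_id: pm.environment.get('auth0ClientId'),
          client_secret: pm.environment.get('auth0ClientSecret'),
          audience: pm.environment.get('auth0Audience'),
        }),
      },
    }, (err, res) => {
      if (err || res.code !== 200) return console.log('Token request failed');
      const fresh = toVariables(res.json(), Date.now());
      Object.keys(fresh).forEach((k) => vars.set(k, fresh[k]));
    });
  }
}
```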


Step 3 – Authorization Setup

In the Authorization tab I set the

  • Type to Bearer Token
  • Token to {{currentAccessToken}}. This is the token we created and set via the pre-request script

Step 4 – Use the token!

For all your API requests do the following

  • Go into the Authorization tab
  • Under Type select Inherit auth from parent


You’re done!

But wait there’s more – Console and View the variables

In the top right-hand corner there is an eye icon. If you click it you can see the current state of all your variables. You can also click Edit and change the contents.


In the bottom-left corner is a console from which you can view all the logs you’ve written. I found it useful for debugging.

You can also use it to confirm that the pre-request script runs before each of your individual tests in your collection.



    1. I don’t know. Never used them. Could be something similar where you call a method(s) to get the value, which then gets saved / used. Overall, the mechanism of writing a pre-request script could be the same but how you’d get it and populate it is something you’ll have to determine.


    1. Hi Ben,

      Thanks for such nice explanation.
      Actually I am using basic auth for authorization and it’s a get request.
      So how should I pass my user name and password with GET request.

      I tried some technique, but didn’t get proper solution.



      1. If it’s basic auth then it’s really easy. You don’t need this fancy system. You need to create two variables, for your username and password, and in your get request you pass those variables. In the top right of Postman you can create environments. In there you can define those two variables. Note that it would mean they’re just static but I assume that would be fine. Also, it would mean Postman would store that password so be careful about that


  1. Well explained. Have a question though. What if I have to add multiple headers while requesting tokens from OAuth.

    const echoPostRequest = {
    url: '',
    method: 'POST',
    header: 'Content-Type:application/json', // (How to add Authorization here?)
    body: {
    mode: 'application/json',
    raw: JSON.stringify(


  2. I have a question regarding the authentication key. I am kinda new to api testing and trying to automate this bearer token.
    So when I hit POST request with my user credential In response I will get the user information and in Headers I get authorization key as Set-Authentication : key .

    How can I get key from here and pass it to pre- script. I tried following your solution but it’s taking response body into consideration. appreciate your help.



  3. Hi,
    for some reason your code didn’t work for me. I had to change the body in this way:

    body: {
    mode: 'urlencoded',
    urlencoded: [
    {key: "grant_type", value: "client_credentials", disabled: false},
    {key: "client_id", value: "", disabled: false},
    {key: "client_secret", value: "", disabled: false},
    {key: "resource", value: "", disabled: false}
    ]
    }

    This works for me.



  4. Hey Ben,

    What if the Authorization request is POST and the Authorization using Basic Auth sign. How can we refer them in the Pre-req part of the API


  5. Hi! Just wanted to give you a big thanks for putting this guide together. No more constantly regenerating and pasting tokens! You’ve saved us all a lot of time and hassle.


  6. Hi,

    Thanks for sharing this code. I managed to get it working by changing the mode from application/json to raw for the body, see below for example:

    "body": {
    "mode": 'raw',



  7. This really helped speed up with regards to the Access Token. However it seems that I have an issue with the accessTokenExpiry in the script as it’s always reported as being missing ‘Token or expiry date are missing’.

    Not sure if it’s because I got the format wrong, but then again it doesn’t do too much harm with getting a new Access Token each time.

