Skip to content
Gallery
Handbook Backend
Huvudmoment
API-gränssnitt
Protokoll
Säkerhet
Databaskoppling
Fullstack
Agilt Arbetssätt
(Extra)
More
Share
Explore
JWT

JWT I Postman

Save the JWT as a variable

You could copy the access token from the response to use in your next request, but it’s tedious to do it for every request you want to authorize.
Instead, let’s save the JWT as a variable so that we can reuse the token over and over again in future requests. Create a new
environment
. Under the Tests tab, save the access token
as an environment variable
with pm.environment.set(), and re-run the request.
Save the access token as an environment variable under the Tests tab
Under the Quick Look icon, we can see that our JWT is saved as an environment variable. Now we can use our token in subsequent requests.
JWT saved as an environment variable

https://dev.to/loopdelicious/using-jwt-to-authenticate-and-authorize-requests-in-postman-3a5h#add-jwt-to-headers-in-postman
Add JWT to headers in Postman

There are 2 ways to send your JWT to authorize your requests in Postman: adding a header or using an authorization helper.

https://dev.to/loopdelicious/using-jwt-to-authenticate-and-authorize-requests-in-postman-3a5h#option-1-add-an-authorization-header
Option 1: add an authorization header

The first option is to add a header. Under the Headers tab, add a key called Authorization with the value Bearer <your-jwt-token>. Use the double curly brace syntax to swap in your token’s variable value.
If your authorization accepts a custom syntax, you can manually tweak the prefix here (e.g. Token <your-access-token> instead of Bearer <your-access-token).
Option 1: add a header

https://dev.to/loopdelicious/using-jwt-to-authenticate-and-authorize-requests-in-postman-3a5h#option-2-use-an-authorization-helper
Option 2: use an authorization helper

The second option is to use an authorization helper. Under the Authorization tab, select the Bearer Token authorization type. Use the double curly brace syntax to swap in your token’s variable value.
Option 2: use an Authorization helper
Click the orange Preview Request button to see a temporary header has been added under the Headers tab. This temporary header is not saved with your request or collection.
Option 2: generates temporary headers
What’s the difference between these 2 approaches? The approach you use should depend on how you’re planning to use it.

https://dev.to/loopdelicious/using-jwt-to-authenticate-and-authorize-requests-in-postman-3a5h#option-1-add-an-authorization-header
Option 1: add an authorization header

User can tweak the prefix (e.g. Token <your-access-token> instead of Bearer <your-access-token>).
Authorization header is displayed explicitly in the
API documentation
.
With both of these options, you can share the request and collection with your teammates. Header is saved with the request and collection under the header property.

https://dev.to/loopdelicious/using-jwt-to-authenticate-and-authorize-requests-in-postman-3a5h#option-2-use-an-authorization-helper
Option 2: use an authorization helper

Can set authorization at the collection-, folder-, or request-level. Easy to set up the same authorization method for every request inside the collection or folder.
With both of these options, you can share the request and collection with your teammates. Authorization is saved under the auth property.

https://dev.to/loopdelicious/using-jwt-to-authenticate-and-authorize-requests-in-postman-3a5h#scripts-to-check-token-expiration
Scripts to check token expiration

JWT tokens don’t live forever. After a specified period of time, they expire and you will need to retrieve a fresh one.
Once again, there are 2 approaches for checking the expiration of your JWT. The approach you use choose will depend on your specific circumstances.

https://dev.to/loopdelicious/using-jwt-to-authenticate-and-authorize-requests-in-postman-3a5h#option-1-separate-request-at-the-beginning-of-the-collection
Option 1: Separate request at the beginning of the collection

This option is ideal if you’re working with a small collection that runs quickly, or you have a long-lived token that is not likely to expire by the end of the
collection run
. In this case, create an initial request at the beginning of the collection to retrieve and store the token. You can use the same token value throughout the remainder of your collection run.

https://dev.to/loopdelicious/using-jwt-to-authenticate-and-authorize-requests-in-postman-3a5h#option-2-prerequest-script-to-run-before-each-request
Option 2: Pre-request script to run before each request

Check for token expiration before sending your request
This option is good if you’re working with a large collection that might take a while to run, or you have a short-lived token that could expire soon. In this case, add some logic in a
pre-request script
to check if the current token is expired. If the token is expired, get a fresh one (e.g. using
pm.sendRequest()
) and then reset your new token’s time to live. With this approach, remember that you can use a collection- or folder-level script to run this check prior to every request in the collection or folder.

https://dev.to/loopdelicious/using-jwt-to-authenticate-and-authorize-requests-in-postman-3a5h#sessions-to-keep-stuff-private
Sessions to keep stuff private

Say that you saved your JWT as a Postman environment variable, and you shared the environment with your teammates because you’re collaborating on a project. Can you keep stuff private, so that your teammates don’t have access to it?
Yes, you can!
Sessions
are an additional layer within the Postman app that stores variable values locally. By default, sessions do not sync with Postman servers. Changes captured in the individual session remain local to your Postman instance, unless you explicitly sync to the cloud.
Go to your Settings, and toggle off “Automatically persist variable values”.
Under your Settings, toggle off “Automatically persist variable values”
Now when you send a request and set a variable, the CURRENT VALUE is populated. You can think of this as a value that’s stored in a local session.
Current values are stored in the local session
If you want to share this value with your teammates or sync it to the Postman servers, this requires another step to to explicitly sync to the cloud. To sync all of your Current Values to the Initial Values, click Persist All. To sync only a single Current Value to the Initial Value, copy and paste the value from the 3rd column to the second column.
Persist your local changes and sync to the cloud
Session variables allow you to reuse data and keep it secure while working in a collaborative environment. They allow you more granular control over syncing to the server or sharing information with your teammates. Learn more about
sessions
or watch
a video about working with sessions
.
Want to print your doc?
This is not the way.
Try clicking the ⋯ next to your doc name or using a keyboard shortcut (
CtrlP
) instead.