Postman has powerful built-in auth handling. Most testers only use the header approach. But Postman can inherit auth from collections, auto-refresh tokens, and manage different auth types — all without writing code in every request.
Instead of setting auth on every request, set it on the COLLECTION. Every request inside the collection inherits it. This is the single most useful Postman feature for API testing.
1. Click on your collection name in the sidebar.
2. Go to the Authorization tab.
3. Select "Bearer Token" as the type.
4. Enter `{{authToken}}` as the value.

Every request inside this collection now uses this token. Individual requests can override it by setting their own auth, and folders within the collection can have different auth too.
Set auth on the collection. Set individual requests to "Inherit auth from parent." For public endpoints that need no auth, set the request auth to "No Auth." This keeps your collection clean and DRY.
The most annoying thing in Postman is when your token expires mid-testing. You have to stop, hit the login endpoint, copy the token, paste it in the variable. Here is a pre-request script that does it automatically.
```javascript
// Add this as a Pre-request Script at the COLLECTION level.
// It runs before EVERY request in the collection.
const tokenExpiry = pm.environment.get("tokenExpiry");
const currentTime = Date.now();

// Check if the token is missing or expired (tokenExpiry is stored as an epoch-ms string)
if (!pm.environment.get("authToken") || !tokenExpiry || currentTime > parseInt(tokenExpiry, 10)) {
  console.log("Token missing or expired. Fetching new token...");

  // Postman waits for the pm.sendRequest callback to finish before sending the actual request
  pm.sendRequest({
    url: pm.environment.get("baseUrl") + "/auth/login",
    method: "POST",
    header: {
      "Content-Type": "application/json"
    },
    body: {
      mode: "raw",
      raw: JSON.stringify({
        email: pm.environment.get("testEmail"),
        password: pm.environment.get("testPassword")
      })
    }
  }, function (err, response) {
    if (err) {
      console.error("Login failed:", err);
      return;
    }
    if (response.code !== 200) {
      console.error("Login returned " + response.code);
      return;
    }
    const jsonResponse = response.json();
    const token = jsonResponse.token;
    const expiresIn = jsonResponse.expiresIn || 3600; // seconds; default 1 hour

    // Save the token so the collection-level {{authToken}} picks it up
    pm.environment.set("authToken", token);

    // Set expiry with a 5-minute buffer so we refresh before the server rejects the token
    const expiryTime = currentTime + ((expiresIn - 300) * 1000);
    pm.environment.set("tokenExpiry", expiryTime.toString());
    console.log("New token saved. Expires in " + (expiresIn - 300) + " seconds.");
  });
} else {
  const remainingSeconds = Math.floor((parseInt(tokenExpiry, 10) - currentTime) / 1000);
  console.log("Token valid. Expires in " + remainingSeconds + " seconds.");
}
```

The script expects these environment variables:

| Variable | Value | Purpose |
|---|---|---|
| baseUrl | https://api.example.com | API base URL |
| testEmail | testuser@example.com | Login email |
| testPassword | Test@1234 | Login password |
| authToken | (auto-filled by script) | Current JWT token |
| tokenExpiry | (auto-filled by script) | Token expiry timestamp |
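The script above trusts an `expiresIn` field in the login response. If the API does not return one, the refresh deadline can be taken from the JWT's own `exp` claim instead. The following is an added example, not code from the original post: it is plain Node.js (so it runs outside Postman), the token is a constructed fixture with a placeholder signature, and `makeTestJwt`, `refreshDeadlineMs` and `needsRefresh` are illustrative names. It also caps the 5-minute buffer at half the token's remaining lifetime, so a short-lived token does not get a deadline that is already in the past.

```javascript
// Added example, not from the original post: schedule the refresh from the JWT's own
// "exp" claim instead of trusting an "expiresIn" field the login response may omit.
// Plain Node.js so it runs outside Postman; in a pre-request script the result would
// go to pm.environment.set("tokenExpiry", String(deadline)).
const REFRESH_BUFFER_SECONDS = 300; // the same 5-minute buffer as the script above

// Decode the payload segment of a compact JWT (header.payload.signature).
// No signature check: the client only reads "exp" to plan a refresh; the server verifies.
function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  let b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/"); // base64url -> base64
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);             // restore padding
  return JSON.parse(Buffer.from(b64, "base64").toString("utf8"));
}

// Epoch-ms time after which the token counts as expired for refresh purposes.
// The buffer is capped at half the remaining lifetime, so a short-lived token does
// not get a deadline that is already in the past (which would log in on every request).
function refreshDeadlineMs(token, nowMs, bufferSeconds = REFRESH_BUFFER_SECONDS) {
  const payload = decodeJwtPayload(token);
  if (typeof payload.exp !== "number") throw new Error("JWT has no numeric exp claim");
  const expMs = payload.exp * 1000;
  const bufferMs = Math.min(bufferSeconds * 1000, Math.floor((expMs - nowMs) / 2));
  return expMs - Math.max(bufferMs, 0);
}

// Same decision the collection pre-request script makes before calling pm.sendRequest.
function needsRefresh(authToken, tokenExpiry, nowMs) {
  if (!authToken || !tokenExpiry) return true;
  return nowMs > parseInt(tokenExpiry, 10);
}

// Constructed fixture: builds a JWT-shaped string with a placeholder signature so the
// example runs offline. Real tokens come from the login endpoint.
function makeTestJwt(payload) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.placeholder-signature`;
}

const SAMPLE_NOW_MS = 1700000000000; // constructed "current time"
const SAMPLE_TOKEN = makeTestJwt({ sub: "testuser@example.com", role: "user", exp: 1700003600 });

const deadline = refreshDeadlineMs(SAMPLE_TOKEN, SAMPLE_NOW_MS); // 1700003300000
console.log("refresh deadline:", new Date(deadline).toISOString());
console.log("needs refresh now?", needsRefresh(SAMPLE_TOKEN, String(deadline), SAMPLE_NOW_MS)); // false
```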
Never use "Initial Value" for passwords in Postman environments. Use "Current Value" only. "Initial Value" gets synced to Postman cloud and shared with your team. "Current Value" stays local on your machine.
| Auth Type | Postman Setting | When to Use |
|---|---|---|
| No Auth | Auth tab → No Auth | Public endpoints, negative tests |
| API Key | Auth tab → API Key | Third-party APIs like weather, maps |
| Basic Auth | Auth tab → Basic Auth | Internal tools, legacy APIs |
| Bearer Token | Auth tab → Bearer Token | Modern APIs with JWT |
| OAuth 2.0 | Auth tab → OAuth 2.0 | Google, GitHub, social login APIs |
Post-response test scripts for checking that auth is actually enforced:

```javascript
// Test 1: Verify endpoint without auth returns 401
// Set request auth to "No Auth"
pm.test("No auth returns 401", function () {
  pm.response.to.have.status(401);
});

// Test 2: Verify expired token returns 401
// Manually set authToken to an expired JWT
pm.test("Expired token returns 401", function () {
  pm.response.to.have.status(401);
  const json = pm.response.json();
  pm.expect(json.error).to.exist;
});

// Test 3: Verify wrong role returns 403
// Use a user token to hit an admin endpoint
pm.test("Wrong role returns 403", function () {
  pm.response.to.have.status(403);
});

// Test 4: Verify response does not leak sensitive data
pm.test("No sensitive data in response", function () {
  const body = pm.response.text();
  pm.expect(body).to.not.include("password");
  pm.expect(body).to.not.include("secret");
  pm.expect(body).to.not.include("stack trace");
});

// Test 5: Verify correct error structure
pm.test("Error response has standard structure", function () {
  const json = pm.response.json();
  pm.expect(json).to.have.property("error");
  pm.expect(json.error).to.be.a("string");
});
```

Key Point: Set auth at the collection level and let requests inherit it. Use pre-request scripts to auto-refresh tokens. Use "Current Value" for secrets, never "Initial Value." Create separate folders for admin vs user vs public requests.
Q: How do you handle authentication in Postman for a large collection?
A: I set Bearer Token auth at the collection level with a variable like {{authToken}}. I add a pre-request script at the collection level that checks token expiry and auto-refreshes if needed. All requests inherit auth from the collection. For admin-specific endpoints, I create a folder with a different token variable. For public endpoints, I set auth to "No Auth" at the request level. Environment variables store credentials — always in "Current Value", never "Initial Value" to avoid syncing secrets to Postman cloud.
Key Point: Collection-level auth with auto-refresh is the professional way to handle auth in Postman. Let requests inherit. Override only when needed.