So far we've been testing a public API — no login needed. In real life, almost every API requires authentication. You need to prove who you are before the server gives you data. Headers are how you do it.
| Header | Purpose | Typical Value |
|---|---|---|
| Content-Type | Format of the data YOU'RE sending | application/json |
| Accept | Format you WANT the response in | application/json |
| Authorization | Your identity/credentials | Bearer eyJhbGciOi... |
| X-API-Key | API key for service-to-service auth | sk_live_abc123... |
| User-Agent | Identifies your client | PostmanRuntime/7.32.3 |
| Cache-Control | Tells server about caching preference | no-cache |
| X-Request-ID | Unique ID for request tracing | req-uuid-here |
Content-Type describes what you're SENDING. Accept describes what you WANT. They can be different. You might send XML (Content-Type: application/xml) but want JSON back (Accept: application/json). Most of the time they're both application/json.
Bearer tokens are the most common auth in modern APIs. You log in, get a token, and send it with every request. The token proves who you are without sending your password each time. Treat the token like a password: whoever holds it is you until it expires, so keep it out of shared collections, screenshots, and logs.
First, send a POST to the login endpoint with username/password
Copy the token from the response
Go to your actual request > Authorization tab
Select "Bearer Token" from the dropdown
Paste the token in the Token field
Send your request — it now includes Authorization: Bearer <token>
// What Postman adds to your request header:
Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlByaXlhIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Basic Auth sends username:password encoded in Base64. Simple but less secure. You'll see this in internal tools, staging environments, and older APIs.
Go to your request > Authorization tab
Select "Basic Auth" from the dropdown
Enter Username and Password
Postman encodes them and adds the header automatically
// What Postman adds:
Authorization: Basic cHJpeWE6cGFzc3dvcmQxMjM=
// That Base64 string decodes to: priya:password123
// Not encrypted — just encoded. NEVER use Basic Auth over HTTP (only HTTPS).
Basic Auth sends your password in every request, encoded but NOT encrypted. Anyone who can read the traffic, or the logs of a proxy it passes through, gets the password back in one decoding step. Always use HTTPS with Basic Auth. In production, prefer Bearer tokens or OAuth.
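To see the point of the two headers above, decode exactly what Postman sends. The following is an added example, not code from the original page: it turns the Basic header back into the password, reads the header and claims out of the Bearer JWT without any key, and reports the token's lifetime from its exp claim. Only the page's own two sample values are used; it runs offline under Node with no dependencies.

```javascript
// Added example: what is readable in an Authorization header without any secret.

// base64url (RFC 7515) -> Buffer. Node accepts unpadded base64, so only the
// alphabet needs translating.
function fromBase64Url(s) {
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64');
}

// RFC 7617: "Basic " + base64(username ":" password). A ':' in the username
// would make the header ambiguous, so refuse it.
function basicAuthHeader(username, password) {
  if (username.includes(':')) throw new Error('username must not contain ":"');
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

// The reverse: anyone who sees the header (proxy, log, sniffer on plain HTTP)
// gets the password back. Splits on the FIRST ':' so passwords may contain ':'.
function decodeBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+\/=]+)$/.exec(headerValue.trim());
  if (!m) return null;
  const raw = Buffer.from(m[1], 'base64').toString('utf8');
  const i = raw.indexOf(':');
  if (i < 0) return null;
  return { username: raw.slice(0, i), password: raw.slice(i + 1) };
}

// Split a JWT into its three parts and parse the two JSON parts. This does NOT
// verify the signature: it tells you what the token claims, not whether the
// server will accept it.
function decodeJwtUnverified(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected 3 dot-separated parts');
  return {
    header: JSON.parse(fromBase64Url(parts[0]).toString('utf8')),
    claims: JSON.parse(fromBase64Url(parts[1]).toString('utf8')),
    signature: parts[2],
  };
}

// Read the exp claim (seconds since epoch) against a clock you pass in.
function tokenLifetime(claims, nowSeconds) {
  if (typeof claims.exp !== 'number') return { status: 'no-exp' }; // never expires: flag it
  if (claims.exp <= nowSeconds) return { status: 'expired', expiredFor: nowSeconds - claims.exp };
  return { status: 'valid', secondsLeft: claims.exp - nowSeconds };
}

// The page's two sample headers, copied as-is.
const PAGE_BASIC_HEADER = 'Basic cHJpeWE6cGFzc3dvcmQxMjM=';
const PAGE_BEARER_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlByaXlhIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

function inspectPageSamples(nowSeconds = Math.floor(Date.now() / 1000)) {
  const basic = decodeBasicAuth(PAGE_BASIC_HEADER);
  const jwt = decodeJwtUnverified(PAGE_BEARER_TOKEN);
  return {
    basic,                          // username and password in the clear
    alg: jwt.header.alg,            // HS256: signature needs the server's secret
    claims: jwt.claims,             // sub, name, iat readable by anyone
    lifetime: tokenLifetime(jwt.claims, nowSeconds), // sample token has no exp
  };
}

console.log(JSON.stringify(inspectPageSamples(), null, 2));
```

Two things worth noticing when you run it: the Basic header yields priya:password123 with no key involved, and the sample JWT carries no exp claim at all, so nothing in the token itself would ever make it expire. When a real API hands you a token, decoding it this way is the quickest check that the expiry and role claims are what the login response promised.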
A simple key-value pair sent as a header or query parameter. Common for third-party services like weather APIs, payment gateways, and maps. Prefer the header form: a key in the query string ends up in server access logs, browser history, and Referer headers, and API keys usually never expire, so a leaked one stays valid until someone rotates it.
// API Key in header:
X-API-Key: sk_live_abc123def456
// API Key in query parameter:
GET https://api.weather.com/forecast?apikey=sk_live_abc123def456&city=Mumbai
// In Postman: Authorization tab > API Key > Key: X-API-Key, Value: your-key
| Method | Security | Complexity | Common Use |
|---|---|---|---|
| Bearer Token | High — token expires, no password in transit | Medium | Web apps, mobile apps, SPAs |
| Basic Auth | Low — password in every request | Simple | Internal tools, staging, legacy |
| API Key | Medium — no expiry usually | Simple | Third-party services, public APIs |
| OAuth 2.0 | Very High — delegated access | Complex | Google, Facebook, GitHub login |
Instead of adding auth to each request manually, set it on the collection. Every request inside inherits it. Change the token once — all requests get the new token.
Click your collection name in the sidebar
Go to the "Authorization" tab
Select "Bearer Token" and paste your token
In each request, set Authorization to "Inherit auth from parent"
Now all requests use the collection's token automatically
Key Point: Set auth at the collection level. Individual requests inherit it. When the token expires, update it in ONE place. This saves you from updating 50 requests manually. Better still, put {{token}} in the collection's Token field and keep the real value in an environment variable; then a script on the login request can refresh it and you never paste a token by hand.
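Here is that automation in full, as an added example rather than anything from the original page: a "Tests" script for the login request that pulls the token out of the response and stores it in the environment variable the collection's Bearer Token field reads, plus a helper a pre-request script can use to decide whether the stored token is still good. The response shapes it looks for (access_token, token, data.token), the variable names token and token_exp, and the 30-second refresh margin are assumptions; the pm.* calls are Postman's own sandbox API. The helpers also run under plain Node, which is how they are exercised here.

```javascript
// Added example: login "Tests" script plus a token-reuse decision helper.

// Common places a login endpoint puts its token. Add your API's shape here
// (assumed field names, not a standard).
function extractToken(body) {
  if (!body || typeof body !== 'object') return null;
  const candidates = [
    body.access_token,
    body.token,
    body.data && body.data.access_token,
    body.data && body.data.token,
  ];
  return candidates.find((v) => typeof v === 'string' && v.length > 0) || null;
}

// Decode a JWT payload without verifying it (enough to read exp client-side).
// Converts base64url to base64 first; Buffer exists in Node and in Postman's
// sandbox (assumption: your Postman version exposes it).
function jwtClaims(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
  } catch (e) {
    return null;
  }
}

// Pre-request helper: reuse the stored token, or log in again?
// `skew` seconds of margin avoids a token that expires mid-request.
function tokenPlan(storedToken, nowSeconds, skew = 30) {
  if (!storedToken) return 'login';
  const claims = jwtClaims(storedToken);
  if (!claims) return 'reuse-opaque';                        // not a JWT: a 401 will tell us
  if (typeof claims.exp !== 'number') return 'reuse-no-exp'; // never expires: worth a finding
  return claims.exp - skew <= nowSeconds ? 'login' : 'reuse';
}

// Constructed fixture: a JWT-shaped token with a dummy signature. Only its
// payload matters to the helpers above; no server would accept it.
function fixtureToken(claims) {
  const b64url = (o) =>
    Buffer.from(JSON.stringify(o)).toString('base64')
      .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${b64url({ alg: 'HS256', typ: 'JWT' })}.${b64url(claims)}.dummy-signature`;
}

// Postman integration: this branch only runs inside the sandbox, where `pm`
// exists. Paste the whole file into the login request's Tests tab.
if (typeof pm !== 'undefined') {
  pm.test('login succeeded and returned a token', function () {
    pm.response.to.have.status(200);
    const token = extractToken(pm.response.json());
    pm.expect(token, 'no token field in login response').to.be.a('string');
    pm.environment.set('token', token);            // collection auth field holds {{token}}
    const claims = jwtClaims(token);
    if (claims && typeof claims.exp === 'number') {
      pm.environment.set('token_exp', String(claims.exp)); // lets a pre-request script call tokenPlan
    }
  });
}
```

With the collection's Authorization set to Bearer Token and the Token field set to {{token}}, every request marked "Inherit auth from parent" picks up whatever the last login stored; re-running the login request is the only step needed after expiry.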
Q: What types of authentication have you worked with in API testing?
A: Primarily Bearer tokens (JWT) — the user logs in, gets a token, and includes it in the Authorization header for subsequent requests. I've also used Basic Auth for internal staging APIs and API Keys for third-party services. In Postman, I set auth at the collection level so all requests inherit it. For automated tests, I extract the token from the login response and pass it dynamically using environment variables.
Q: What happens when you send a request without authentication?
A: The server returns 401 Unauthorized. It means "I don't know who you are." The response should carry a WWW-Authenticate header naming the scheme to use (the HTTP spec requires it on a 401, though plenty of APIs omit it; Bearer APIs typically add error="invalid_token" for an expired or bad token). If you send a valid token but don't have permission for that specific endpoint, you get 403 Forbidden instead. Every protected endpoint should be tested with no auth, expired auth, wrong-role auth, and a token whose payload was tampered with; all but the wrong-role case should come back 401.
Key Point: Bearer Token is the standard. Basic Auth is for legacy. API Key is for third-party services. Set auth at the collection level to save time.