Why Secrets Leak from Postman Collections
The most common way credentials leak from Postman is by being typed directly into a request's Auth tab, URL, or body as literal text, which then gets bundled into every collection export, Git-synced workspace, or shared link. Because Postman collections are frequently exported as JSON for version control, documentation, or sharing with teammates, any literal secret embedded in a request travels with the file wherever it goes, including into public repositories if someone forgets to check.
Cricket analogy: Writing a locker room's alarm code directly on the printed team sheet handed to every journalist is like typing a real API key straight into a request — it travels with the document to everyone who gets a copy.
Variable Scopes and the Secret Type
Postman offers global, collection, environment, and local variable scopes, and since 2023 also a dedicated 'secret' variable type (in addition to 'default') that masks the value in the UI with dots and excludes it from collection sync exports and the Postman API by default. Storing a real token as a secret-typed environment variable and referencing it as {{access_token}} in the Auth tab means the request itself only ever contains a placeholder, not the live value.
Cricket analogy: Marking a variable as 'secret' is like a scorer keeping the actual locker combination in a sealed envelope in the pavilion office, while the public scoreboard only ever displays a placeholder like 'ACCESS GRANTED'.
// Environment variable configuration in Postman
Variable: access_token
Type: secret
Initial: (leave blank or use a placeholder)
Current: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
// Referenced in the Auth tab as:
// Bearer Token: {{access_token}}Sharing, Syncing, and Rotating Secrets Across a Team
When a workspace is synced to Postman's cloud or shared with teammates, secret-typed variable values are stored separately from the collection/environment definition and are not included when a collection is exported to JSON or forked, which prevents them from accidentally ending up in a Git repository if you version-control your exports. For team-wide secret distribution, Postman Vault (a local, encrypted secret store) or integrations with external secret managers let each team member resolve the same {{variable}} reference to their own locally stored value, so no one has to paste a shared password into the cloud workspace at all.
Cricket analogy: Postman Vault resolving the same variable to a different local value per teammate is like each broadcaster having their own personal accreditation number that all map to the same seat assignment, without anyone sharing a single universal pass.
Postman also supports a pre-request script pattern where you fetch a fresh token from a secrets manager or auth server at runtime and set it with pm.collectionVariables.set('access_token', token), keeping the real value out of any stored variable entirely between runs.
Fork history and old collection versions can retain previously committed literal secrets even after you replace them with a {{variable}}. If a real credential was ever hardcoded and shared, rotate it at the source — removing it from the current collection view does not invalidate a leaked value.
- The most common secret leak is typing a real credential directly into a request instead of using a variable reference.
- Postman's 'secret' variable type masks the value in the UI and excludes it from collection sync exports by default.
- Use {{variable}} references in the Auth tab, headers, or body instead of literal credential values.
- Postman Vault lets each teammate resolve the same variable name to their own locally stored, encrypted value.
- Secret-typed variables are excluded when a collection is exported to JSON or forked, reducing accidental exposure.
- Pre-request scripts can fetch and set a fresh token at runtime instead of storing it long-term as a variable.
- Always rotate a credential at its source if it was ever hardcoded and shared, since removing it later doesn't invalidate the leak.
Practice what you learned
1. What is the most common way credentials accidentally leak from a Postman collection?
2. What does marking a Postman variable as type 'secret' do?
3. How does Postman Vault help teams share collections that require credentials?
4. If a real API key was accidentally hardcoded into a request and later replaced with a {{variable}} reference, what should you do?
5. What is one way to avoid storing a long-lived secret as a Postman variable at all?
Was this page helpful?
You May Also Like
Basic and Bearer Token Auth
Learn how HTTP Basic Authentication and Bearer Token Authentication work, and how to configure each correctly in Postman's Authorization tab.
OAuth 2.0 in Postman
Understand the OAuth 2.0 authorization framework and how to configure grant types, token retrieval, and token refresh using Postman's OAuth 2.0 Authorization tab.
API Keys and Custom Headers
Learn how to authenticate requests using API keys and how to work with custom HTTP headers in Postman, including placement options and common conventions.