Sending JWT token in the headers with Postman

Question

I'm testing an implementation of JWT Token based security based off the following article. I have successfully received a token from the test server. I can't figure out how to have the Chrome POSTMAN REST Client program send the token in the header.

My questions are as follows:

1) Am I using the right header name and/or POSTMAN interface?

2) Do I need to base 64 encode the token? I thought I could just send the token back.

Answer 1

You first need to get your access token by making a call to whatever endpoint provides the token (as I assume you already did). Then you use that token in the Postman request you want to send, by adding a Header. For Postman v10.21.11:

Header should have "Authorization" as key and the value should be the string "Bearer " followed by the access token provided to you. Keep in mind a couple things:

• The access token consists of 3 parts separated by dots "." and you should include all 3 parts.
• "Bearer" needs to be just like that. Don't change capitalization.
• The token might have a very short expiration time (depending on what was configured for that endpoint) so you might need to obtain a new token quite often if that time is short.

Answer 2

x-access-token on headers works for me.

key: x-access-token
value: token

Answer 3

In Postman latest version(7++) may be there is no Bearer field in Authorization So go to Header tab

select key as Authorization and in value write JWT

Answer 4

Everything else ie. Params, Authorization, Body, Pre-request Script, Tests is empty, just open the Headers tab and add as shown in image. Its the same for GET request as well.

Answer 5

If you wish to use postman the right way is to use the headers as such

key: Authorization

value: jwt {token}

as simple as that.

Answer 6

1. Open postman.
2. go to "header" field.
3. there one can see "key value" blanks.
4. in key type "Authorization".
5. in value type "Bearer(space)your_access_token_value".

Done!

Answer 7

Here is an image if it helps :)

Update:

The postman team added "Bearer token" to the "authorization tab":

Answer 8

For people who are using wordpress plugin Advanced Access Manager to open up the JWT Authentication.

The Header field should put Authentication instead of Authorization

AAM mentioned it inside their documentation,

Note! AAM does not use standard Authorization header as it is skipped by most Apache servers. ...

---

Hope it helps someone! Thanks for other answers helped me alot too!!

Answer 9

Here is how to set token this automatically

On your login/auth request

Then for authenticated page

Answer 10

I did as how moplin mentioned .But in my case service send the JWT in response headers ,as a value under the key "Authorization".

Authorization →Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpbWFsIiwiZXhwIjoxNDk4OTIwOTEyfQ.dYEbf4x5TGr_kTtwywKPI2S-xYhsp5RIIBdOa_wl9soqaFkUUKfy73kaMAv_c-6cxTAqBwtskOfr-Gm3QI0gpQ

What I did was ,make a Global variable in postman as

key->jwt
value->blahblah

in login request->Tests Tab, add

postman.clearGlobalVariable("jwt");
postman.setGlobalVariable("jwt", postman.getResponseHeader("Authorization"));

in other requests select the Headers tab and give

key->Authorization

value->{{jwt}}

Answer 11

Somehow postman didn't work for me. I had to use a chrome extension called RESTED which did work.

Answer 12

I had the same issue in Flask and after trying the first 2 solutions which are the same (Authorization: Bearer <token>), and getting this:

{
    "description": "Unsupported authorization type",
    "error": "Invalid JWT header",
    "status_code": 401
}

I managed to finally solve it by using:

Authorization: jwt <token>

Thought it might save some time to people who encounter the same thing.

Answer 13

I am adding to this question a little interesting tip that may help you guys testing JWT Apis.

Its is very simple actually.

When you log in, in your Api (login endpoint), you will immediately receive your token, and as @mick-cullen said you will have to use the JWT on your header as:

Authorization: Bearer TOKEN_STRING

Now if you like to automate or just make your life easier, your tests you can save the token as a global that you can call on all other endpoints as:

Authorization: Bearer {{jwt_token}}

On Postman: Then make a Global variable in postman as jwt_token = TOKEN_STRING.

On your login endpoint: To make it useful, add on the beginning of the Tests Tab add:

var data = JSON.parse(responseBody);
postman.clearGlobalVariable("jwt_token");
postman.setGlobalVariable("jwt_token", data.jwt_token);

I am guessing that your api is returning the token as a json on the response as: {"jwt_token":"TOKEN_STRING"}, there may be some sort of variation.

On the first line you add the response to the data varibale. Clean your Global And assign the value.

So now you have your token on the global variable, what makes easy to use Authorization: Bearer {{jwt_token}} on all your endpoints.

Hope this tip helps.

---

EDIT
Something to read

About tests on Postman: testing examples

Command Line: Newman

CI: integrating with Jenkins

Nice blog post: master api test automation

Answer 14

For the request Header name just use Authorization. Place Bearer before the Token. I just tried it out and it works for me.

Authorization: Bearer TOKEN_STRING

Each part of the JWT is a base64url encoded value.