
Understanding bearer tokens when using Postman and not using Postman?


I am trying to integrate a third party API. I was provided with a username and password.

When I use Postman to send a POST request to the login webpage, the request header contains a Postman token:

Postman-Token: vvvvvvvvv-wwwww-xxxx-yyyy-zzzzzzzzzz //this is not the real value

If I supply the Postman token to every request after the login request (as shown below) then everything still works as expected:

If I access the API through my webpage, then everything also works as expected. My questions are:

  1. What is the Postman token? I have looked already here: https://stackoverflow.com/questions/36883046/what-is-the-postman-token-header-attribute-in-generated-code-from-postman#:~:text=1%20Answer&text=This%20is%20primarily%20used%20to,random%20token%20avoids%20this%20issue.
  2. What is the alternative to the Postman token when accessing the API through a webpage? I can see no token in the request when looking at it using Fiddler. Where is the bearer token in Fiddler?

Solution

  • Postman Token:

    So it is just a custom header to track and debug Postman requests in the receiving server.

    It doesn't do any authorization.

    Why no token in Fiddler:

    Because you haven't added it. You can add any custom header to the request you are sending.

    Why it works when used as bearer token:

    Because in your login call your session is cached. So for subsequent requests it is using the cached session.

    To close the session, update the Connection header from keep-alive to close.

    Try setting the second request to no auth and see if the request is still successful, to confirm you are using the cached session.
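
The "no auth" check suggested above, as an added example that is not part of the original question or answer. It runs against a constructed local server that is assumed to authorize by a session cookie set at login (the page only says the session is cached); the `Api` handler, the `/login` and `/data` paths and the cookie name are all hypothetical.

```python
import http.cookiejar
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

SESSION_ID = "constructed-session-id"  # constructed sample value

class Api(BaseHTTPRequestHandler):
    """Hypothetical API that authorizes by session cookie only (assumption)."""
    def do_GET(self):
        if self.path == "/login":  # stub: a real API checks credentials here
            self.send_response(200)
            self.send_header("Set-Cookie", f"sid={SESSION_ID}; HttpOnly")
        elif f"sid={SESSION_ID}" in self.headers.get("Cookie", ""):
            self.send_response(200)  # Authorization header is never read
        else:
            self.send_response(401)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def status(opener, url, headers=None):
    """Return the HTTP status of a GET sent through the given opener."""
    req = urllib.request.Request(url, headers=headers or {})
    try:
        with opener.open(req) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def probe():
    """Log in once, then vary which credentials accompany /data."""
    server = HTTPServer(("127.0.0.1", 0), Api)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    base = f"http://127.0.0.1:{server.server_port}"
    jar = http.cookiejar.CookieJar()  # plays the role of the client's cached session
    session = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
    fresh = urllib.request.build_opener()  # client with no stored session
    bearer = {"Authorization": "Bearer vvvvvvvvv-wwwww-xxxx-yyyy-zzzzzzzzzz"}
    status(session, base + "/login")
    results = (status(session, base + "/data", bearer),  # session + bogus bearer
               status(session, base + "/data"),          # session + no auth
               status(fresh, base + "/data", bearer))    # bogus bearer only
    server.shutdown()
    server.server_close()
    return results

if __name__ == "__main__":
    print(probe())
```

If the second value is a success and the third is a rejection, the stored session is what authorizes the call, and the value placed in the bearer field plays no part.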