Ashutosh Kumar

Reputation: 101

Protecting the client secrets and client ID of production APIs in Postman

My company has a strict compliance policy with respect to protecting the client secrets and passwords of Azure Active Directory client apps (client secret for AAD app) and service accounts (passwords). However, during bug fixing in production, replicating issues on production code, or active debugging, we need to debug the production code by passing these credentials from Postman or Fiddler. Is it safe to save these keys in Postman and share them by generating a public URL? Is there any way of sharing from Postman to a specific set of users? Or is there any better way of sharing the API requests with a set of users?

Upvotes: 0

Views: 794

Answers (1)

PDHide

Reputation: 19979

You can invite someone to a Postman workspace using their email ID. Sharing a public collection URL is not safe; anyone with the URL can access it.

Another way is to download the collection and environment as JSON and send that JSON file instead.

There is no way to mask secrets: even if you store one in a variable, the secret will be exposed in the Postman console.

https://learning.postman.com/docs/collaborating-in-postman/sharing/

To invite to a workspace:

  1. Create a workspace.

  2. Invite someone to the workspace.

Select team, type the email ID of the user you want to invite, click add, then click create workspace. A mail will be sent to the user's email through which the user can join the workspace.

  3. Now share that collection or environment to that workspace.

Upvotes: 1
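
If the collection or environment is exported as JSON as suggested in the answer above, the credential values can be blanked before the file is sent. The following is an added example, not part of the original answer or of Postman itself; it assumes the exported JSON stores variables, headers and auth parameters as `key`/`value` objects, and the key-name pattern and sample values are constructed for illustration.

```python
import json
import re

# Assumed naming heuristic for sensitive entries; adjust to your own conventions.
SENSITIVE = re.compile(
    r"secret|password|passwd|token|api[-_]?key|authorization|client[-_]?id", re.I)
PLACEHOLDER = "<REDACTED>"

def redact(node, hits=None):
    """Walk exported Postman JSON, blank sensitive key/value pairs in place,
    and return the list of key names that were redacted."""
    hits = [] if hits is None else hits
    if isinstance(node, dict):
        key = node.get("key")
        if isinstance(key, str) and "value" in node:
            flagged = node.get("type") == "secret" or SENSITIVE.search(key)
            if flagged and node["value"] not in ("", None, PLACEHOLDER):
                node["value"] = PLACEHOLDER
                hits.append(key)
        for child in node.values():
            redact(child, hits)
    elif isinstance(node, list):
        for child in node:
            redact(child, hits)
    return hits

def sanitize_export(text):
    """Return (sanitized JSON text, redacted key names) for an exported file."""
    doc = json.loads(text)
    hits = redact(doc)
    return json.dumps(doc, indent=2), hits

# Constructed sample shaped like an environment export; no real credentials.
SAMPLE_ENV = {
    "name": "prod-debug",
    "values": [
        {"key": "base_url", "value": "https://api.example.test", "enabled": True},
        {"key": "tenant_id", "value": "constructed-tenant", "enabled": True},
        {"key": "client_id", "value": "constructed-client-id", "enabled": True},
        {"key": "client_secret", "value": "constructed-value-1", "type": "secret"},
        {"key": "svc_password", "value": "constructed-value-2", "enabled": True},
        {"key": "kv1", "value": "constructed-value-3", "type": "secret"},
    ],
    "_postman_variable_scope": "environment",
}

if __name__ == "__main__":
    cleaned, redacted = sanitize_export(json.dumps(SAMPLE_ENV))
    print(cleaned)
    print("redacted:", redacted)
```

Values embedded in raw request bodies or scripts are plain strings rather than `key`/`value` objects, so this walk does not touch them; review those separately before sending the file.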
