Postman API Key
Service Name: Postman
Service Description: Postman is an API platform for building and using APIs. It simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs-faster.
Service Address: https://www.postman.com/
Validation Type: API Auth
IP Allow list: IP restrictions can be configured at the team level for Postman Enterprise plans.
Secret Access Scope: Grants programmatic access to Postman API, allowing users to manage collections, environments, workspaces, and run API requests.
Secret Revokement URL: https://go.postman.co/settings/me/api-keys
Secret Example: PMAK-5e5ea45f30d235004b192cb4-c10649237ce9ffa3b778b55f5b3e9a1234
Suspicious Activity Investigation Instructions:
- Review Postman activity logs for unusual API calls or collection access.
- Check for unauthorized workspace access or collection modifications.
- Monitor for unexpected API requests or automated runs.
- Verify if the API key was used from unusual geographic locations.
- Check for unexpected team member additions or permission changes.
Mitigation Instructions:
- Log in to your Postman account at https://go.postman.co/.
- Navigate to your account settings by clicking on your avatar in the top right corner.
- Select "API Keys" from the settings menu.
- Locate the compromised API key in the list.
- Click the "Revoke" button next to the key to immediately invalidate it.
- Generate a new API key if needed for legitimate use cases.
- Update any applications or services using the old key with the new one.
- Consider implementing IP restrictions for your Postman account if available on your plan.