Skip to content

Postman API Key

Service Name: Postman

Service Description: Postman is an API platform for building and using APIs. It simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs-faster.

Service Address: https://www.postman.com/

Validation Type: API Auth

IP Allow list: IP restrictions can be configured at the team level for Postman Enterprise plans.

Secret Access Scope: Grants programmatic access to Postman API, allowing users to manage collections, environments, workspaces, and run API requests.

Secret Revokement URL: https://go.postman.co/settings/me/api-keys

Secret Example: PMAK-5e5ea45f30d235004b192cb4-c10649237ce9ffa3b778b55f5b3e9a1234

Suspicious Activity Investigation Instructions:

  • Review Postman activity logs for unusual API calls or collection access.
  • Check for unauthorized workspace access or collection modifications.
  • Monitor for unexpected API requests or automated runs.
  • Verify if the API key was used from unusual geographic locations.
  • Check for unexpected team member additions or permission changes.

Mitigation Instructions:

  • Log in to your Postman account at https://go.postman.co/.
  • Navigate to your account settings by clicking on your avatar in the top right corner.
  • Select "API Keys" from the settings menu.
  • Locate the compromised API key in the list.
  • Click the "Revoke" button next to the key to immediately invalidate it.
  • Generate a new API key if needed for legitimate use cases.
  • Update any applications or services using the old key with the new one.
  • Consider implementing IP restrictions for your Postman account if available on your plan.