Authorization types in Postman including No Auth, Basic Auth, Digest Auth, Bearer Token, OAuth

Sunil Sharma
Last Updated: May 13, 2022


Authorization is a process in which we provide access to someone to read or manipulate the data. By authorization, we provide different privileges to different types of users.


Authorizing your requests before sending them to the server is the need of the hour. Authorizing your requests gives you safer access to your data and helps ensure that no third party is stealing or manipulating it. You can choose among many ways to authorize a request: one is sending a token, another is sending an API key, and there are many more.


The term API stands for “Application Programming Interface.” By using an API, you can expose your application data and functionalities to third-party developers.


In this blog, we will teach you the most frequently used authorization types in Postman. So, let’s discuss these schemes one by one.

API Key Method 

As the name suggests, we have one key and one value related to that key in this method.

You have to choose between request headers and query parameters to send your key value to the API. If you want extra security, then there is an option of storing your values in variables.



Steps to provide authorization with API Key Method are as follows.

  1. Select the API Key option from the list in the request Authorization tab
  2. Enter your key in the dialogue box in front of “Key.”
  3. Enter the value corresponding to your key in the dialogue box in front of “value.”
  4. Select between Header and Query params from the list.

Bearer token Method

If you want to authorize your request using the Bearer token method, you first have to get a token, a text string that you will get using JSON Web Token (JWT).


Steps to provide authorization with the Bearer token Method are as follows.

  1. Select the Bearer token option from the list in the request Authorization tab.
  2. Enter your token value in the dialogue box in front of “Token.”



You have to write “Bearer” before the token value in the Authorization header, but you do not have to worry about that. Postman will add “Bearer” before the token in the required format in the request Authorization header.


Format: Bearer <Token value>

Basic auth Method

If you want to authorize your request using the Basic Auth method, you have to send a verified username and password along with your request. In the request Headers, the format in which the Authorization header passes your username and password values appended to the string “Basic” is as follows:


Basic <Base64 encoded Username and password>


Steps to provide authorization with the Basic Auth Method are as follows.


  1. Select the Basic Auth option from the list in the request Authorization tab
  2. Enter your Username in the dialogue box in front of “Username.”
  3. Enter your Password value in the dialogue box in front of “Password.”


If you want extra security, then there is an option of storing these values in variables.
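The Basic header format above, as an added example that is not from the original article: it builds the header and then decodes it again, which shows that Base64 is an encoding anyone can reverse, not encryption, so the header needs HTTPS to stay private. The function names and the sample credentials are constructed for illustration.

```javascript
// Added example: build and parse "Authorization: Basic ..." values.

// Encode credentials the way the Basic scheme does: base64("username:password").
function basicHeader(username, password) {
  // A colon in the username would make the value ambiguous for the receiver.
  if (username.includes(':')) throw new Error('username must not contain ":"');
  return 'Basic ' + Buffer.from(`${username}:${password}`, 'utf8').toString('base64');
}

// Decode a header value; returns null when it is not well-formed Basic auth.
function parseBasic(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/i.exec(headerValue.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], 'base64').toString('utf8');
  const sep = decoded.indexOf(':'); // split on the FIRST colon only
  if (sep < 0) return null;
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Constructed sample: the password itself contains colons.
const sampleHeader = basicHeader('api-user', 's3cr3t:with:colons');
const recovered = parseBasic(sampleHeader);
console.log(sampleHeader);
console.log(recovered); // the original credentials, recovered without any key
```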



Digest auth Method

This method of authorization is a little more complex than the methods mentioned above. In this method, the server sends some details when a client sends the first request to the API. During this time, the server generates an encrypted string using this passed data and stores it for future purposes. This data contains a “nonce” field (a number that you can use only one time), a few other details, and a 401 Unauthorized response.


After receiving these details from the server, you send back an array of data (encrypted), which contains the username and password along with the data that the server sent you in the first place.


When you send the second request, the server matches the stored encrypted string with the data you sent in your request and decides whether to authenticate you.


Select Digest Auth from the dropdown list in the Authorization section of a request to use this method.



Although some advanced fields are optional, Postman populates them automatically when your request runs. These fields are as follows:

| Fields | Definition |
|---|---|
| Opaque | A string of data in the WWW-Authenticate response header, specified by the server. This string should be used unchanged with URIs in the same protection space. |
| Client Nonce | This is the string value provided by the client. Both client and server use this value to avoid chosen plaintext attacks, provide mutual authentication, and provide message integrity protection. |
| Algorithm | A string that indicates the pair of algorithms used to generate the digest and a checksum. The algorithms supported by Postman are MD5 and SHA. |
| Realm | The server specifies a string that is present in the WWW-Authenticate response header. |
| Nonce | The server specifies a unique string that is present in the WWW-Authenticate response header. |
| qop | It tells us the quality of protection that is applied to the message. The value must be one of the alternatives specified by the server in the WWW-Authenticate response header. |
| Nonce Count | The hexadecimal count of the number of requests the client has sent with the nonce value in this request. |
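The second request of the Digest exchange, as an added example (not Postman's code and not from the original article): it parses the server's WWW-Authenticate challenge and computes the response value, which in RFC 2617 is an MD5 hash over the username, realm, password, nonce, nonce count, client nonce, qop, method and URI, so the password itself never travels. The function names are illustrative; the sample values are those of the example in RFC 2617 section 3.5.

```javascript
// Added example: RFC 2617 Digest response with MD5 and qop=auth.
const { createHash } = require('node:crypto');
const md5 = (s) => createHash('md5').update(s, 'utf8').digest('hex');

// Parse the WWW-Authenticate header that arrives with the 401 response.
function parseChallenge(header) {
  const fields = {};
  const body = header.replace(/^Digest\s+/i, '');
  for (const m of body.matchAll(/(\w+)=(?:"([^"]*)"|([^,\s]+))/g)) {
    fields[m[1].toLowerCase()] = m[2] !== undefined ? m[2] : m[3];
  }
  return fields;
}

// Build the Authorization header for the second request.
function digestAuthorization({ username, password, method, uri, challenge, cnonce, nc }) {
  const offered = (challenge.qop || '').split(',').map((q) => q.trim());
  if (!offered.includes('auth')) throw new Error('server did not offer qop=auth');
  const ncHex = nc.toString(16).padStart(8, '0'); // Nonce Count as 8 hex digits
  const ha1 = md5(`${username}:${challenge.realm}:${password}`);
  const ha2 = md5(`${method}:${uri}`);
  const response = md5(`${ha1}:${challenge.nonce}:${ncHex}:${cnonce}:auth:${ha2}`);
  const parts = [
    `username="${username}"`, `realm="${challenge.realm}"`,
    `nonce="${challenge.nonce}"`, `uri="${uri}"`, 'qop=auth',
    `nc=${ncHex}`, `cnonce="${cnonce}"`, `response="${response}"`,
  ];
  if (challenge.opaque) parts.push(`opaque="${challenge.opaque}"`); // echoed unchanged
  return { response, header: 'Digest ' + parts.join(', ') };
}

// Sample values from the example in RFC 2617 section 3.5.
const challenge = parseChallenge(
  'Digest realm="testrealm@host.com", qop="auth,auth-int", ' +
  'nonce="dcd98b7102dd2f0e8b11d0f600bfb0c093", opaque="5ccc069c403ebaf9f0171e9517f40e41"');
const result = digestAuthorization({ username: 'Mufasa', password: 'Circle Of Life',
  method: 'GET', uri: '/dir/index.html', challenge, cnonce: '0a4f113b', nc: 1 });
console.log(result.header);
```

Because the nonce count and client nonce are hashed in, a captured response value cannot be reused for a request with a different count.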


OAuth 1.0 Method

In this method, we take the help of a third-party API for our authentication purposes. As we know, as a user of a service, you have the right to share your data with another application. This method follows the same procedure. During this procedure, requests are exchanged between the service provider, user, and client application.


OAuth 1.0 is further divided into the following two types:

  • Two-legged: When only the client and server take part in the authentication process.
  • Three-legged: When a client requests a third party API for user data access.


Let’s look at an example for a better understanding of OAuth 1.0.

  1. At first, clients request a token using their credentials to access user data with a third-party API.
  2. A token is provided to the client application by the service provider, but that doesn’t give access to user data. Then the client application requests authorization from the user.
  3. When the user grants auth to the client, the client requests to exchange its temporary token for the access token.
  4. The access token is then given to the client by the service provider, and this allows the client to access the user’s data by making requests to the service provider.



Now let’s take a look at OAuth 1.0 parameters.


| Parameter | Definition |
|---|---|
| Consumer Key | This key identifies the consumer and the service provider. |
| Consumer Secret | The client uses this value to establish ownership of the key. |
| Signature Method | The method used by your API to validate requests. |
| Token Secret | The client uses this value to establish ownership of the token. |
| Access Token | This value represents the client’s permission to access the user’s data. |
| Private Key | This key generates the auth signature (for RSA signing methods). |
| Verifier | The service provider provides the verification code after user auth. |
| Nonce | The client generates this string, and it is entirely random. |
| Time Stamp | The server uses this timestamp to ensure that no replay attacks are performed outside the time window. |
| Version | The version of the OAuth protocol (1.0). |
| Realm | The server specifies a string that is present in the WWW-Authenticate response header. |
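How the parameters above combine into a request signature, as an added example that is not from the original article: it follows the HMAC-SHA1 signature method of RFC 5849, where the consumer secret and token secret form the key and the nonce and timestamp are part of the signed data. The function names, URL and all credential values are constructed for illustration.

```javascript
// Added example: OAuth 1.0 HMAC-SHA1 signature per RFC 5849.
const { createHmac } = require('node:crypto');

// RFC 3986 percent-encoding (encodeURIComponent leaves ! * ' ( ) unencoded).
const enc = (s) => encodeURIComponent(s).replace(/[!*'()]/g,
  (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());

// Signature base string: METHOD & encoded URL & encoded, sorted parameter list.
function signatureBaseString(method, baseUrl, params) {
  const pairs = Object.entries(params).map(([k, v]) => [enc(k), enc(String(v))]);
  pairs.sort(([ak, av], [bk, bv]) =>
    ak < bk ? -1 : ak > bk ? 1 : av < bv ? -1 : av > bv ? 1 : 0);
  const normalized = pairs.map(([k, v]) => `${k}=${v}`).join('&');
  return [method.toUpperCase(), enc(baseUrl), enc(normalized)].join('&');
}

// The key is "Consumer Secret & Token Secret" (token secret empty when there is no token).
function signHmacSha1(baseString, consumerSecret, tokenSecret = '') {
  const key = `${enc(consumerSecret)}&${enc(tokenSecret)}`;
  return createHmac('sha1', key).update(baseString).digest('base64');
}

// Constructed sample request: every value below is made up for this example.
const sampleParams = {
  q: 'a b',                           // ordinary query parameter, signed too
  oauth_consumer_key: 'ck',
  oauth_token: 'tk',
  oauth_nonce: 'n1',                  // random per request in real use
  oauth_timestamp: '1700000000',
  oauth_signature_method: 'HMAC-SHA1',
  oauth_version: '1.0',
};
const sampleBase = signatureBaseString('get', 'https://api.example.com/v1/items', sampleParams);
const sampleSignature = signHmacSha1(sampleBase, 'cs-constructed', 'ts-constructed');
console.log(sampleBase);
console.log(sampleSignature);
```

Since the nonce and timestamp are inside the signed string, a server that tracks nonces within its time window can reject a replayed request even though its signature is valid.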



OAuth 2.0 Method

In OAuth 2.0, your first step is to get an access token for the API. Then with the help of that token, you will authenticate all of your future requests.


The procedure to use OAuth 2.0 is given below:

  1. The client makes the first request to users to authorize access to their data.
  2. If the user’s access is granted, the client asks for an access token from the service provider. In this request, the client passes the access grant from the user and other authentication details so that the service provider identifies the client.
  3. Then the service provider returns an access token after validating these details.
  4. Then the client requests to access the user data using this token through the service provider.

Now let’s look at the configuration options tab for OAuth 2.0.

| Options | Definition |
|---|---|
| Token Name | Name assigned to the token by the user. |
| State | This option is an opaque value that is used to prevent cross-site request forgery. |
| Auth URL | A URL that represents the endpoint of the API provider's authorization server, from where we can retrieve the auth code. |
| Access Token URL | This is used to exchange an authorization code for an access token from the provider's authentication server. |
| Grant Type | This represents a dropdown list of options that will depend on the API service provider requirements. |
| Scope | The scope of access which you are requesting; it may include multiple space-separated values. |
| Client ID | The registered ID of your client with the API provider. |
| Client Secret | The client secret is given to you by the API provider. |
| Audience | A URI that tells you about the service where we can use the token. |
| Resource | A URI that tells you about the resource where we can use the token. |
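The OAuth 2.0 procedure above for the authorization code grant, as an added example that is not from the original article: it builds the request to the Auth URL with a random State value, accepts the redirect only when the same State comes back, and prepares the body sent to the Access Token URL. The function names, URLs and client values are constructed for illustration.

```javascript
// Added example: authorization code grant with a State check against CSRF.
const { randomBytes, timingSafeEqual } = require('node:crypto');

// Step 1: URL the user is sent to (Auth URL + Client ID + Scope + State).
function buildAuthorizationRequest({ authUrl, clientId, redirectUri, scopes }) {
  const state = randomBytes(32).toString('base64url'); // unguessable, one per request
  const url = new URL(authUrl);
  url.search = new URLSearchParams({
    response_type: 'code',
    client_id: clientId,
    redirect_uri: redirectUri,
    scope: scopes.join(' '), // multiple scopes are space-separated
    state,
  }).toString();
  return { url: url.toString(), state }; // keep `state` in the user's session
}

// Step 2: on the redirect back, accept the code only if State matches.
function readCallback(callbackUrl, expectedState) {
  const params = new URL(callbackUrl).searchParams;
  const got = Buffer.from(params.get('state') || '', 'utf8');
  const want = Buffer.from(expectedState, 'utf8');
  if (got.length !== want.length || !timingSafeEqual(got, want)) {
    throw new Error('state mismatch: discard this response');
  }
  if (params.has('error')) throw new Error(`authorization failed: ${params.get('error')}`);
  const code = params.get('code');
  if (!code) throw new Error('no authorization code in callback');
  return code;
}

// Step 3: form body POSTed to the Access Token URL to exchange the code.
function tokenRequestBody({ code, redirectUri, clientId, clientSecret }) {
  return new URLSearchParams({
    grant_type: 'authorization_code',
    code,
    redirect_uri: redirectUri,
    client_id: clientId,
    client_secret: clientSecret, // server-side only, never in browser code
  }).toString();
}
```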


Frequently Asked Questions

What is Postman, and why use it?

Postman is a platform used for API development. By using Postman, you can send HTTP requests and get proper responses corresponding to those requests. You can test, debug, and run your API by using Postman. Using Postman, we can ensure that our API is up and running and gives the desired response for a particular request.

What is the different software used for API testing?

There is a variety of software for API testing. Some famous ones are Postman, SoapUI, Apigee, and JMeter.

How to access a Postman variable?

If you want to access a Postman variable, then enter the variable name as {{var}}.

What will be the preference order if you have two variables with the same name in Postman?

The local variable will get more preference over the global variable, and the local variable will overwrite the global variable.

What is the encoding in which Postman accepts authorization credentials?

All the credentials are accepted in Base64 encoding in Postman. This is inbuilt functionality of Postman.



This blog contains various ways of doing authentication in Postman. It also includes the parameters and things included in the authentication part. 




Happy Reading!

