How to set up Postman API platform as an OAuth client

Postman illustration
Looking for Postman, the WordPress mailer with OAuth support?

This article is about using Postman, the API testing tool, to connect to OAuth-secured services. To find information on how to use Postman SMTP the WordPress mailer click here: Post SMTP Mailer (aka Postman SMTP).


OAuth and its benefits

OAuth (Open Authorization) is an open standard for token-based authentication and authorization, which allows secure access to resources without sharing user credentials such as username and password. With OAuth, users can grant applications or services permission to access their data hosted by a third-party provider. The main benefits of OAuth are:

  1. Security: By using token-based authentication, OAuth reduces the risk of exposing sensitive user credentials. The tokens can be limited in scope and duration, ensuring access is restricted to only the necessary resources and for a specific period.
  2. User Experience: OAuth enables users to grant access to their data without the need to create new accounts or share their credentials with third-party applications, streamlining the authorization process.
  3. Scalability: OAuth makes it easier for developers to integrate their applications with multiple services, as the same standard is used across various platforms and APIs.

Postman and its capabilities

Postman is a popular API development and testing tool that simplifies the process of building, testing, and managing APIs. With Postman, developers can create and manage API requests, analyze responses, and automate testing workflows. Postman’s key capabilities include:

  1. API Request Builder: Postman allows users to easily create and customize API requests, supporting various HTTP methods, authentication protocols, and request headers.
  2. Response Analysis: Postman provides a user-friendly interface to analyze API responses, allowing users to view, filter, and export response data.
  3. Collections and Environments: Users can organize their API requests into collections and manage variables using environments, making it easy to switch between different API versions, stages, or configurations.
  4. Automated Testing: Postman offers a built-in testing framework, enabling users to write, run, and manage test scripts to ensure the reliability and performance of their APIs.
  5. Collaboration: Postman provides features for team collaboration, such as sharing collections and environments, as well as real-time collaboration on API requests and responses.
  6. Integration: Postman can be easily integrated with other tools and platforms, supporting CI/CD pipelines, version control systems, and API documentation generation.

Understanding OAuth 2.0

What is OAuth 2.0?

OAuth 2.0 is the second version of the OAuth protocol, which provides a secure and standardized method for applications to obtain delegated access to resources on behalf of a user. It is a token-based authorization framework that enables clients to access protected resources from a resource server, without the need to share the user’s credentials with the client. For a detailed explanation and visual overview, you can watch the YouTube video titled “OAuth 2.0: An Overview” by InterSystems Learning Services:

Key components in OAuth 2.0

OAuth 2.0 consists of four main components:

1. Client

The client is the application or service that wants to access a user’s protected resources on a resource server. The client must be registered with the authorization server to obtain the necessary credentials (client ID and client secret) to request access tokens.

2. Authorization server

The authorization server is responsible for authenticating the resource owner (user), obtaining their consent, and issuing access tokens to the client. It also validates client credentials and manages the lifecycle of access tokens.

3. Resource server

The resource server hosts the protected resources that the client wants to access on behalf of the user. It verifies the access token provided by the client and serves the requested resources if the token is valid.

4. Resource owner

The resource owner is the user who owns the protected resources and can grant permission to the client to access their data on the resource server.

Common OAuth 2.0 grant types

OAuth 2.0 defines several grant types, which are different methods for a client to obtain an access token. The choice of grant type depends on the specific use case and security requirements. The four most common grant types are:

1. Authorization Code Grant

The Authorization Code Grant is the most commonly used and secure grant type, suitable for server-side applications. It involves a two-step process, where the client first obtains an authorization code and then exchanges it for an access token. This grant type requires user interaction to provide consent for the client to access their resources.

2. Implicit Grant

The Implicit Grant is designed for client-side applications, such as single-page apps or mobile apps, where the client cannot securely store the client secret. It is a simplified version of the Authorization Code Grant, where the access token is returned directly in the response without the need for an authorization code. This grant type is less secure and has been largely replaced by the more secure PKCE (Proof Key for Code Exchange) extension.

3. Resource Owner Password Credentials Grant

The Resource Owner Password Credentials Grant is suitable for trusted applications where the user is comfortable sharing their credentials with the client. The client directly sends the user’s credentials to the authorization server to obtain an access token. This grant type is less secure and recommended only for specific use cases with a high level of trust between the client and the user.

4. Client Credentials Grant

The Client Credentials Grant is used for server-to-server communication, where the client needs to access resources that do not belong to a specific user. In this grant type, the client directly requests an access token from the authorization server using its client ID and client secret.

Prerequisites for Setting Up Postman as an OAuth Client

Installing Postman

Before setting up Postman as an OAuth client, you need to install Postman on your computer. Follow these steps to install Postman:

  1. Visit the Postman website.
  2. Download the appropriate version of Postman for your operating system (Windows, macOS, or Linux).
  3. Install Postman by following the installation instructions provided for your specific operating system.

Having access to an API with OAuth 2.0 enabled

To set up Postman as an OAuth client, you need access to an API that has OAuth 2.0 authentication enabled. This API should support one or more of the OAuth 2.0 grant types. You may use an API provided by a third-party service, or you may create your own API with OAuth 2.0 enabled.

Obtaining necessary OAuth credentials

To authenticate with an OAuth 2.0 enabled API using Postman, you need to obtain the following OAuth credentials from the authorization server:

1. Client ID

The client ID is a unique identifier for your application, which is issued by the authorization server when you register your application. It is used to identify your application during the OAuth 2.0 authorization process.

2. Client secret

The client secret is a confidential value that is used in combination with the client ID to authenticate your application with the authorization server. It should be kept secure and not exposed to public resources. Note that the client secret is not used in the Implicit Grant or other grant types that do not support secure storage of client secrets.

3. Authorization URL

The authorization URL is the endpoint on the authorization server where the user is redirected to authenticate and provide consent for your application to access their resources. The authorization URL is used in grant types that require user interaction, such as the Authorization Code Grant and Implicit Grant.

4. Token URL

The token URL is the endpoint on the authorization server where your application sends a request to obtain an access token. The token URL is used in grant types that involve direct communication between the client and the authorization server, such as the Authorization Code Grant, Resource Owner Password Credentials Grant, and Client Credentials Grant.

Setting Up Postman as an OAuth Client

In this section, we will walk you through setting up Postman as an OAuth client. If you prefer a visual guide, you can follow along with the following helpful YouTube video by Graph Explorer, which demonstrates how to set up SMTP Modern OAuth Authentication with Postman.

Youtube video by Graph Explorer: SMTP Modern oauth Authentication with POSTMAN

Creating a new request in Postman

To set up Postman as an OAuth client, start by creating a new API request:

  1. Open Postman.
  2. Click on the “+” button or “Create New” button to create a new request.
  3. Select the appropriate HTTP method (GET, POST, PUT, etc.) for your API request.
  4. Enter the API endpoint URL in the address bar.

Configuring OAuth 2.0 authorization in Postman

Follow these steps to configure OAuth 2.0 authorization for your API request in Postman:

1. Selecting OAuth 2.0 as the authorization type

In the “Authorization” tab of your API request, select “OAuth 2.0” from the “Type” dropdown menu.

2. Inputting OAuth 2.0 credentials

Enter the OAuth 2.0 credentials you obtained earlier into the corresponding fields:

  • Client ID: Enter the client ID issued by the authorization server.
  • Client Secret: Enter the client secret (if applicable) issued by the authorization server.
  • Authorization URL: Enter the authorization URL of the authorization server.
  • Token URL: Enter the token URL of the authorization server.

3. Choosing the appropriate grant type

Select the appropriate OAuth 2.0 grant type for your use case from the “Grant Type” dropdown menu (e.g., Authorization Code, Implicit, Password Credentials, or Client Credentials).

4. Configuring additional parameters (optional)

Depending on your API and OAuth 2.0 configuration, you may need to add additional parameters, such as “Scope” or “State.” Configure these additional parameters as required by your specific API.

Requesting an access token

To request an access token from the authorization server, follow these steps:

1. Sending the authorization request

Click the “Get New Access Token” button in the “Authorization” tab. This will initiate the OAuth 2.0 authorization process.

2. Providing user consent (if applicable)

For grant types that require user interaction (e.g., Authorization Code Grant), a new window will open, prompting the user to authenticate and provide consent for your application to access their resources. Complete the authentication and consent process as required.

3. Receiving the access token

Once the authorization process is complete, Postman will receive an access token from the authorization server. The access token will be displayed in the “Access Token” field of the “Authorization” tab.

Making an API request with the access token

With the access token obtained, you can now make an API request:

1. Including the access token in the request header

In the “Authorization” tab, click the “Use Token” button. This will automatically include the access token in the “Authorization” header of your API request as a Bearer token.

2. Sending the API request

Click the “Send” button to send the API request with the access token included in the request header.

3. Analyzing the API response

Once the API request is sent, Postman will display the API response in the “Response” section. Review the response to ensure that the OAuth 2.0 authorization was successful and the requested data was returned.

Troubleshooting Common Issues

When working with OAuth 2.0 in Postman, you may encounter some common issues. Here are some tips for troubleshooting these problems:

Invalid client credentials

If you receive an error related to invalid client credentials, ensure that you have entered the correct client ID and client secret (if applicable) in the “Authorization” tab of your API request. Double-check your credentials with the authorization server and make sure they are still valid and have not been revoked or changed.

Incorrect grant type

Using the wrong grant type for your specific use case can result in authentication failures. Verify that you have selected the correct grant type in the “Authorization” tab of your API request. If you are unsure which grant type to use, consult your API documentation or contact the API provider for guidance.

Expired access token

Access tokens usually have an expiration time, after which they are no longer valid for accessing protected resources. If you encounter an error related to an expired access token, request a new access token using the “Get New Access Token” button in the “Authorization” tab. If your API supports refresh tokens, configure Postman to use the refresh token to automatically request a new access token when the current one expires.

Insufficient scope

Each access token may have a specific scope, which defines the extent of the permissions granted to the client. If you receive an error related to insufficient scope, it means that the access token does not have the necessary permissions to access the requested resources. To resolve this issue, update your OAuth 2.0 configuration in Postman to request the appropriate scope, and then obtain a new access token with the updated scope. Consult your API documentation to determine the required scope for your use case.

Tips for Managing OAuth Tokens in Postman

When working with OAuth tokens in Postman, the following tips can help you manage and organize your tokens more efficiently:

Storing tokens in environment variables

To avoid manually updating access tokens for multiple API requests, consider storing your access tokens in environment variables. This allows you to update the token in one place and have it automatically applied to all requests that reference the variable. To store a token in an environment variable:

  1. Create a new environment or select an existing one in Postman.
  2. Add a new variable with a descriptive name (e.g., access_token) and set its value to your access token.
  3. In your API requests, reference the environment variable in the “Authorization” header by using the double curly braces syntax: {{access_token}}.

Automating token refresh

If your API supports refresh tokens, you can automate the process of refreshing access tokens in Postman using pre-request scripts. To automate token refresh:

  1. In your API request, go to the “Pre-request Script” tab.
  2. Write a script to check if the access token is expired, and if so, use the refresh token to request a new access token from the authorization server.
  3. Store the new access token in an environment variable, as described in the previous tip.
  4. Make sure your API requests reference the environment variable for the access token.

This automation ensures that your access token is always valid before sending an API request, eliminating the need to manually refresh tokens.

Organizing OAuth-enabled requests in collections

Using collections in Postman can help you organize and manage your OAuth-enabled API requests more efficiently. To organize your requests in collections:

  1. Create a new collection or select an existing one in Postman.
  2. Add your OAuth-enabled API requests to the collection.
  3. Configure the collection’s authorization settings to use OAuth 2.0, and input your OAuth 2.0 credentials, grant type, and any additional parameters required for your API.
  4. In the collection’s settings, enable “Inherit auth from parent” for all API requests within the collection.

By organizing your OAuth-enabled requests in collections and configuring the collection-level authorization settings, you can apply and manage OAuth settings for multiple requests in one place, making it easier to update and maintain your OAuth configuration.


Setting up Postman as an OAuth client is an effective way to test and manage API requests that require OAuth 2.0 authentication. By understanding the key components of OAuth 2.0, ensuring you have the necessary prerequisites, and following the outlined steps to configure OAuth 2.0 authorization, request access tokens, and make API requests, you can streamline your API testing process.

Leave a Reply

Your email address will not be published. Required fields are marked *