Postman’s JWT Bearer Token authentication is a common way to secure APIs, but it’s often misunderstood as just pasting a token into a header.
Let’s see how it actually works in Postman, not with abstract concepts, but with a live, runnable example.
Imagine you have a simple API that issues JWTs upon successful login. Here’s a snippet of what that login endpoint might look like (this is illustrative, not actual code you’d run in Postman):
```json
// POST /auth/login
{
  "username": "testuser",
  "password": "password123"
}
```
And the response with a JWT:
```json
// 200 OK
{
  "token": "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}
```
Now, you want to use this token to access a protected resource, say /api/users. The standard way to do this is via the Authorization header, with the Bearer scheme.
In Postman, you’d typically go to the "Authorization" tab for your /api/users request, select "Bearer Token" from the dropdown, and paste the token.
But where does that token come from? It’s rarely static. Most often, you’ll obtain it dynamically after a successful login. This is where Postman’s scripting capabilities shine.
Let’s set up two requests:
- Login Request:
  - Method: POST
  - URL: https://your-api.com/auth/login
  - Body: raw -> JSON
    ```json
    { "username": "testuser", "password": "password123" }
    ```
  - Tests (inside the Login Request):
    ```javascript
    // Parse the JSON response body
    const responseJson = pm.response.json();
    // Fail the test visibly if the token is missing, instead of silently
    // storing "undefined" in the environment
    pm.test("login response contains a token", function () {
      pm.expect(responseJson.token).to.be.a("string");
    });
    // Extract the token
    const token = responseJson.token;
    // Save the token to the active Postman environment for later use
    pm.environment.set("JWT_TOKEN", token);
    console.log("JWT Token saved to environment variable: ", token);
    ```
- Protected Resource Request:
  - Method: GET
  - URL: https://your-api.com/api/users
  - Authorization Tab:
    - Type: Bearer Token
    - Token: {{JWT_TOKEN}} (this is a Postman variable)
When you run the "Login Request" first, the JavaScript in the "Tests" tab executes after the API responds. It parses the response, grabs the token, and crucially, saves it into a Postman environment variable named JWT_TOKEN.
Then, when you run the "Protected Resource Request," Postman automatically substitutes {{JWT_TOKEN}} with the value you saved. The "Authorization" tab in Postman then constructs the Authorization: Bearer <your_saved_token> header for you.
This setup allows you to automate your API testing workflow. You log in, get a fresh token, and then immediately use that token to test your protected endpoints, all within Postman.
The most surprising thing about this setup is that Postman’s "Bearer Token" authentication type doesn’t actually send the token itself. It’s a helper that prompts you to enter a token, and then Postman’s Authorization header pre-request script (which you rarely see) injects Authorization: Bearer {{JWT_TOKEN}}. If you were to manually add the header Authorization: Bearer {{JWT_TOKEN}} in the "Headers" tab, it would work identically, but the "Authorization" tab is cleaner for this specific scheme.
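As an added example (not code from the original post or from Postman), here is the logic a Tests-tab script should run on the login response before it stores the token, plus the exact header the Bearer Token helper builds. It is written as plain functions so it runs under Node on its own; the sample login response is constructed here, reusing the token shown above (the widely published jwt.io demo token, whose payload carries no "exp" claim). The function names, and the use of Node's Buffer for base64url decoding, are this example's own choices.

```javascript
// Added example: checks a Postman "Tests" script can make on a login
// response before storing the bearer token. Pure functions; inside Postman
// you would pass pm.response.text() to tokenToStore() and hand the result
// to pm.environment.set("JWT_TOKEN", ...).

// Constructed sample login response, using the token from the post.
const SAMPLE_LOGIN_RESPONSE = JSON.stringify({
  token:
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c",
});

// Decode one base64url JWT segment (no padding, '-' and '_' alphabet) as JSON.
function decodeBase64UrlJson(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Pull the token field out of the login body. Throws if it is missing so a
// Postman test fails loudly instead of storing "undefined" in the environment.
function extractToken(responseText) {
  const body = JSON.parse(responseText);
  if (typeof body.token !== "string" || body.token.length === 0) {
    throw new Error("login response has no token field");
  }
  return body.token;
}

// Structural inspection only: reads header and payload, does NOT verify the
// signature (only the API holding the key can). The client uses this to
// decide whether the token is even worth storing.
function inspectToken(token, nowSeconds) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    return { wellFormed: false };
  }
  try {
    const header = decodeBase64UrlJson(parts[0]);
    const payload = decodeBase64UrlJson(parts[1]);
    const hasExp = typeof payload.exp === "number";
    return {
      wellFormed: true,
      alg: header.alg,
      subject: payload.sub,
      hasExp, // a token without exp never expires client-side; worth flagging
      expired: hasExp ? payload.exp <= nowSeconds : false,
    };
  } catch (e) {
    return { wellFormed: false }; // undecodable segment: not a JWT
  }
}

// Exactly what Postman's Bearer Token helper (or a manual Headers entry) sends.
function buildAuthHeader(token) {
  return { key: "Authorization", value: `Bearer ${token}` };
}

// Equivalent of the Tests-tab script: keep only a well-formed, unexpired token.
// Returns null otherwise, so JWT_TOKEN stays unset and the next request fails
// visibly rather than with a stale or malformed header.
function tokenToStore(responseText, nowSeconds) {
  const token = extractToken(responseText);
  const info = inspectToken(token, nowSeconds);
  if (!info.wellFormed || info.expired) {
    return null;
  }
  return token;
}

const stored = tokenToStore(SAMPLE_LOGIN_RESPONSE, Math.floor(Date.now() / 1000));
if (stored !== null) {
  console.log(inspectToken(stored, 0));
  console.log(buildAuthHeader(stored));
}
```

The decode step is deliberately not a verification step: nothing on the client can confirm an HS256 signature without the server's key, so the script only rejects tokens that are malformed or already expired and leaves trust decisions to the API. Whether the Postman sandbox exposes Node's Buffer in your version is an assumption to confirm; if not, the same conversion can be done with atob().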
The next concept you’ll encounter is handling token expiration and refresh tokens, which involves a similar but more complex scripting pattern.