Bearer token in Postman - Framework Patterns

Framework Mode - Bearer token
Folder Structure
postman-project/
├── collections/
│   └── api-requests.postman_collection.json
├── environments/
│   ├── dev.postman_environment.json
│   ├── staging.postman_environment.json
│   └── prod.postman_environment.json
├── scripts/
│   ├── pre-request-scripts.js
│   └── test-scripts.js
├── globals.json
└── README.md
    

This structure organizes API requests, environment configs, and scripts separately for clarity.

Test Framework Layers
  • Collections: Groups of API requests; each request can use a Bearer token for authorization.
  • Environments: Store variables like bearer_token for different stages (dev, staging, prod).
  • Pre-request Scripts: Scripts that run before requests to set or refresh Bearer tokens dynamically.
  • Tests: Scripts that run after requests to validate responses and token usage.
  • Globals: Variables accessible across collections if needed.
Configuration Patterns

Use environment variables to manage Bearer tokens securely and flexibly:

  • Store the token in environment variable bearer_token.
  • In the request Authorization tab, select Bearer Token and use {{bearer_token}} as the token value.
  • Use pre-request scripts to refresh or update the token automatically if expired.
  • Keep sensitive tokens out of collections by using environment files and .gitignore for security.

Example pre-request script snippet to set the token:

// Example: set the Bearer token in the active environment.
// The string literal is only a placeholder: in practice the value comes from
// a token endpoint called in a pre-request script or from a variable injected
// by CI, and an environment file holding a real token is never committed.
pm.environment.set('bearer_token', 'your_actual_token_here');
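A refresh pattern for the pre-request script, as an added example that is not from the page: it keeps the token and its expiry in the environment, refreshes only when the expiry is near, and validates the token response before storing it. The variable names auth_url, client_id, client_secret and bearer_token_expires_at are assumptions, as is the OAuth2 client-credentials grant at the token endpoint.

```javascript
// Added example (not from the page). Assumed environment variables: auth_url,
// client_id, client_secret (OAuth2 client-credentials endpoint); the script
// maintains bearer_token and bearer_token_expires_at itself.
const SKEW_SECONDS = 60; // refresh this long before the recorded expiry

// Decide whether a refresh is due. expiresAt is a Unix-epoch seconds string
// stored next to the token; a missing or unparsable value means "refresh now".
function needsRefresh(token, expiresAt, nowSeconds) {
  if (!token) return true;
  const exp = Number(expiresAt);
  return !Number.isFinite(exp) || nowSeconds + SKEW_SECONDS >= exp;
}

// Turn an OAuth2-style token response into the values to store, rejecting
// responses that carry no access_token or a non-bearer token_type.
function parseTokenResponse(body, nowSeconds) {
  if (!body || typeof body.access_token !== 'string' || body.access_token === '') {
    throw new Error('token response has no access_token');
  }
  if (body.token_type && String(body.token_type).toLowerCase() !== 'bearer') {
    throw new Error(`unexpected token_type: ${body.token_type}`);
  }
  const ttl = Number.isFinite(Number(body.expires_in)) ? Number(body.expires_in) : 3600;
  return { token: body.access_token, expiresAt: nowSeconds + ttl };
}

// Postman-only part, guarded so the helpers above also load under plain Node.
if (typeof pm !== 'undefined') {
  const now = Math.floor(Date.now() / 1000);
  if (needsRefresh(pm.environment.get('bearer_token'), pm.environment.get('bearer_token_expires_at'), now)) {
    pm.sendRequest({
      url: pm.environment.get('auth_url'),
      method: 'POST',
      header: { 'Content-Type': 'application/x-www-form-urlencoded' },
      body: {
        mode: 'urlencoded',
        urlencoded: [
          { key: 'grant_type', value: 'client_credentials' },
          { key: 'client_id', value: pm.environment.get('client_id') },
          { key: 'client_secret', value: pm.environment.get('client_secret') },
        ],
      },
    }, (err, res) => {
      if (err) throw err; // surfaces as a script error in Postman/Newman
      const { token, expiresAt } = parseTokenResponse(res.json(), now);
      pm.environment.set('bearer_token', token);
      pm.environment.set('bearer_token_expires_at', String(expiresAt));
    });
  }
}
```

Because the token and its expiry live in the environment, a collection run refreshes once per hour rather than on every request, and the request's Authorization tab keeps using {{bearer_token}} unchanged.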
Test Reporting and CI/CD Integration
  • Use Newman (Postman CLI) to run collections in CI/CD pipelines.
  • Newman supports exporting test run reports in formats like JSON, HTML, JUnit XML.
  • Integrate Newman runs in CI tools (GitHub Actions, Jenkins, GitLab CI) to automate API tests with Bearer token authentication.
  • Use environment variables or secrets in CI to inject Bearer tokens securely during runs.
  • Reports help track pass/fail status of API tests that require Bearer tokens.
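A CI pipeline wiring the points above together, as an added example that is not from the page: a GitHub Actions workflow that runs the collection from the folder structure above with Newman, injects the token from a repository secret instead of a committed environment file, and publishes a JUnit report. The secret name API_BEARER_TOKEN is an assumption.

```yaml
name: api-tests
on: [push, pull_request]

jobs:
  newman:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@v4
        with:
          node-version: '20'
      - run: npm install -g newman
      # The token comes from a repository secret (name assumed), never from a
      # committed environment file. --env-var overrides bearer_token from the
      # environment JSON at run time, so the file itself can hold an empty value.
      - name: Run collection
        env:
          BEARER_TOKEN: ${{ secrets.API_BEARER_TOKEN }}
        run: |
          mkdir -p reports
          newman run collections/api-requests.postman_collection.json \
            --environment environments/staging.postman_environment.json \
            --env-var "bearer_token=$BEARER_TOKEN" \
            --reporters cli,junit \
            --reporter-junit-export reports/newman.xml
      # Keep the report even when tests fail so 401s on token-protected
      # requests can be inspected after the run.
      - uses: actions/upload-artifact@v4
        if: always()
        with:
          name: newman-report
          path: reports/newman.xml
```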
Best Practices
  1. Use environment variables to store Bearer tokens, never hard-code tokens in collections.
  2. Automate token refresh in pre-request scripts to avoid manual updates.
  3. Secure tokens by excluding environment files with tokens from version control.
  4. Use descriptive names for environment variables like bearer_token for clarity.
  5. Validate token usage in test scripts by checking response status codes and error messages.
Self Check

Where in this folder structure would you add a new pre-request script to automatically refresh the Bearer token before API calls?

Key Result
Use environment variables and pre-request scripts in Postman to manage Bearer tokens securely and efficiently.

Practice

1. What is the correct way to include a Bearer token in a Postman request header?
easy
A. Add a query parameter named 'token' with the token value
B. Set the Authorization header to 'Bearer <token>'
C. Include the token in the request body as JSON
D. Set a cookie named 'Bearer' with the token value

Solution

  1. Step 1: Understand Bearer token usage in headers

    Bearer tokens are sent in the Authorization header to prove identity.
  2. Step 2: Identify correct header format

    The header must be 'Authorization: Bearer <token>' exactly.
  3. Final Answer:

    Set the Authorization header to 'Bearer <token>' -> Option B
  4. Quick Check:

    Authorization header = Bearer token [OK]
Hint: Always use Authorization header with 'Bearer ' prefix [OK]
Common Mistakes:
  • Putting token in query parameters instead of header
  • Sending token in request body instead of header
  • Using cookie instead of Authorization header
2. Which of the following is the correct syntax to add a Bearer token in Postman headers?
easy
A. "Auth": "Bearer <token>"
B. "Authorization": "Token <token>"
C. "Authorization": "Bearer <token>"
D. "Authorization": "Basic <token>"

Solution

  1. Step 1: Recall correct header key and value format

    The header key must be 'Authorization' and the value must start with 'Bearer '.
  2. Step 2: Match the exact syntax

    Only "Authorization": "Bearer <token>" uses 'Authorization' and 'Bearer <token>' correctly.
  3. Final Answer:

    "Authorization": "Bearer <token>" -> Option C
  4. Quick Check:

    Authorization = Bearer token syntax [OK]
Hint: Remember header key is 'Authorization' and value starts with 'Bearer ' [OK]
Common Mistakes:
  • Using 'Token' instead of 'Bearer' prefix
  • Using 'Auth' instead of 'Authorization' header
  • Confusing 'Basic' auth with Bearer token
3. Given this Postman test script snippet, what will be the value of the Authorization header sent?
pm.request.headers.add({key: 'Authorization', value: `Bearer ${pm.environment.get('token')}`});
medium
A. Authorization: Bearer <token_value_from_environment>
B. Authorization: Token <token_value_from_environment>
C. Authorization: Bearer undefined
D. Authorization: Basic <token_value_from_environment>

Solution

  1. Step 1: Understand the code usage of environment variable

    The code uses pm.environment.get('token') to get the token value from environment variables.
  2. Step 2: Analyze the header value construction

    The header value is 'Bearer ' plus the token value from environment, so it will be 'Bearer <token_value_from_environment>'.
  3. Final Answer:

    Authorization: Bearer <token_value_from_environment> -> Option A
  4. Quick Check:

    Header value = 'Bearer ' + environment token [OK]
Hint: Check environment variable usage inside template literals [OK]
Common Mistakes:
  • Assuming token is 'undefined' if environment variable missing
  • Using 'Token' instead of 'Bearer' prefix
  • Confusing Basic auth with Bearer token
4. You added a Bearer token in Postman but the API returns 401 Unauthorized. What is the most likely mistake?
medium
A. The Authorization header is missing the 'Bearer ' prefix
B. The token is placed in the request body instead of headers
C. The Content-Type header is set to 'application/json'
D. The token is expired or invalid

Solution

  1. Step 1: Check common causes of 401 Unauthorized with Bearer tokens

    401 usually means token is missing, malformed, or invalid/expired.
  2. Step 2: Identify the most likely cause given the token is added

    If the token is added correctly but still 401, it is likely expired or invalid.
  3. Final Answer:

    The token is expired or invalid -> Option D
  4. Quick Check:

    401 Unauthorized often means invalid token [OK]
Hint: Check token validity if 401 despite correct header [OK]
Common Mistakes:
  • Forgetting 'Bearer ' prefix in Authorization header
  • Placing token in body instead of header
  • Assuming Content-Type affects authorization
5. You want to automate testing of an API that requires a Bearer token which expires every hour. Which approach is best to handle this in Postman?
hard
A. Use a Pre-request Script to fetch a new token and set it dynamically before each request
B. Manually update the token in environment variables before each test run
C. Hardcode the token in the Authorization header and ignore expiration
D. Remove the Authorization header to avoid token expiration errors

Solution

  1. Step 1: Understand token expiration and automation needs

    Since the token expires hourly, manual updates are inefficient and error-prone.
  2. Step 2: Choose dynamic token fetching in Pre-request Script

    Using a Pre-request Script to get a fresh token before each request automates the process and avoids failures.
  3. Final Answer:

    Use a Pre-request Script to fetch a new token and set it dynamically before each request -> Option A
  4. Quick Check:

    Automate token refresh with Pre-request Script [OK]
Hint: Automate token refresh with Pre-request Script [OK]
Common Mistakes:
  • Manually updating tokens wastes time and causes errors
  • Hardcoding tokens ignores expiration and causes failures
  • Removing Authorization header breaks authentication