
Token management in variables in Postman - Build an Automation Script

Manage authentication token using Postman variables
Step 1: Send a POST request to the login API with valid username and password in the request body
Step 2: Verify the response status code is 200
Step 3: Extract the token value from the JSON response body
Step 4: Save the extracted token into a Postman environment variable named 'authToken'
Step 5: Send a GET request to a protected API endpoint using the 'authToken' variable in the Authorization header as 'Bearer {{authToken}}'
Step 6: Verify the response status code is 200 and the response body contains expected protected data
✅ Expected Result: The token is correctly saved in the environment variable and used in the Authorization header to access protected API successfully
Automation Requirements - Postman Tests (JavaScript)
Assertions Needed:
Response status code is 200 after login
Token is extracted and saved in environment variable
Protected API request returns status code 200
Protected API response contains expected data
Best Practices:
Use pm.environment.set() to save variables
Use pm.response.json() to parse JSON response
Use pm.test() for assertions
Use environment variables in request headers with {{variableName}} syntax
Keep tests clear and modular
Automated Solution
Postman
/* Login Request Tests: goes in the test script of the login request */
pm.test('Login status code is 200', () => {
    pm.response.to.have.status(200);
});

const jsonData = pm.response.json();
pm.test('Token is present in response', () => {
    pm.expect(jsonData.token).to.exist;
});

pm.environment.set('authToken', jsonData.token);

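/* Protected API Request Tests: goes in the test script of the protected request,
   which sends the header Authorization: Bearer {{authToken}} */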
pm.test('Protected API status code is 200', () => {
    pm.response.to.have.status(200);
});

pm.test('Protected API response contains expected data', () => {
    const data = pm.response.json();
    pm.expect(data).to.have.property('protectedData');
    pm.expect(data.protectedData).to.be.a('string').that.is.not.empty;
});

This script is split into two parts for two requests in Postman.

For the login request, it checks the status code is 200, then parses the JSON response to get the token. It asserts the token exists, then saves it to an environment variable authToken using pm.environment.set().

For the protected API request, it uses the saved authToken in the Authorization header as Bearer {{authToken}}. The tests verify the status code is 200 and the response contains the expected protected data property.

This approach ensures the token is dynamically managed and reused securely between requests.
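The login test script above saves whatever jsonData.token holds, even when the login failed. The following added example (not code from the original page) is a stricter capture step that clears any stale authToken first and saves a new one only for a 200 response carrying a non-empty string token. The names captureToken and fakePm are hypothetical; fakePm is a constructed stand-in for Postman's pm object so the function also runs under Node.js.

```javascript
// Added example. In Postman, paste captureToken into the login request's test
// script and call captureToken(pm); pm is Postman's built-in scripting object.
function captureToken(pm, varName = 'authToken') {
    // Clear any token left from an earlier run or iteration first, so a failed
    // login cannot let the protected request pass with an old token.
    pm.environment.unset(varName);
    if (pm.response.code !== 200) {
        return { saved: false, reason: 'login status ' + pm.response.code };
    }
    let body;
    try {
        body = pm.response.json(); // throws when the body is not valid JSON
    } catch (e) {
        return { saved: false, reason: 'response is not JSON' };
    }
    const token = body && body.token;
    if (typeof token !== 'string' || token.trim() === '') {
        return { saved: false, reason: 'token missing or empty' };
    }
    pm.environment.set(varName, token);
    return { saved: true, reason: 'ok' };
}

// Constructed stand-in (assumption) for the few pm members used above, so the
// function can be exercised outside Postman, for example with Node.js.
function fakePm(status, rawBody, env) {
    return {
        response: { code: status, json: () => JSON.parse(rawBody) },
        environment: {
            set: (key, value) => { env[key] = value; },
            unset: (key) => { delete env[key]; },
        },
    };
}

// Constructed sample responses sharing one environment, as consecutive runs do.
const sampleEnv = { authToken: 'stale-token-from-previous-run' };
const samples = [
    [401, '{"error":"invalid credentials"}'],
    [200, '<html>gateway error</html>'],
    [200, '{"token":"sample-token-123"}'],
];
for (const [status, raw] of samples) {
    const result = captureToken(fakePm(status, raw, sampleEnv));
    console.log(status, result.reason, 'authToken' in sampleEnv);
}
```

In Postman, a pm.test() can then assert on the returned saved flag, so a failed capture shows up as a failed test instead of a protected request that passes with an old token.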

Common Mistakes - 4 Pitfalls
Hardcoding the token value instead of saving it dynamically
Not checking the login response status before extracting token
Using global variables instead of environment variables
Not using the token variable in the Authorization header properly: if the header is not set with the variable syntax, the token won't be sent correctly. Use the syntax 'Bearer {{authToken}}' in the Authorization header to inject the token.
Bonus Challenge

Now add data-driven testing with 3 different user credentials to login and verify token management
