How to Use OAuth2 in Postman for API Authentication
To use OAuth2 in Postman, go to the Authorization tab of your request, select OAuth 2.0 as the type, and configure the required fields such as Access Token URL, Client ID, and Client Secret. Then click Get New Access Token to authenticate and use the token for your API requests.
Syntax
In Postman, OAuth2 setup requires filling these key fields:
- Grant Type: The OAuth2 flow type (e.g., Authorization Code, Client Credentials).
- Access Token URL: The URL where Postman requests the access token.
- Client ID and Client Secret: Credentials provided by the API provider.
- Scope: Permissions requested from the API.
- Callback URL: The redirect URL registered with the API (used in Authorization Code flow).
After filling these, use Get New Access Token to retrieve and apply the token.
```text
Grant Type: Authorization Code
Access Token URL: https://example.com/oauth/token
Client ID: your_client_id
Client Secret: your_client_secret
Scope: read write
Callback URL: https://oauth.pstmn.io/v1/callback
```
Example
This example shows how to get an OAuth2 token using the Authorization Code flow in Postman and use it to call a protected API.
```text
1. Open Postman and create a new request.
2. Go to the Authorization tab.
3. Select 'OAuth 2.0' as the type.
4. Click 'Get New Access Token'.
5. Fill in the details:
   - Token Name: MyToken
   - Grant Type: Authorization Code
   - Callback URL: https://oauth.pstmn.io/v1/callback
   - Auth URL: https://example.com/oauth/authorize
   - Access Token URL: https://example.com/oauth/token
   - Client ID: your_client_id
   - Client Secret: your_client_secret
   - Scope: read write
6. Click 'Request Token' and complete the login in the browser popup.
7. Once the token is received, click 'Use Token'.
8. Send the API request with the token applied in the Authorization header.
```
Output
HTTP/1.1 200 OK
Content-Type: application/json
{
"data": "Protected resource data"
}
Common Pitfalls
Common mistakes when using OAuth2 in Postman include:
- Using a Callback URL that does not match the one registered with the API.
- Not selecting the correct Grant Type for the API.
- Forgetting to click Use Token after getting the access token, so the token is not applied to requests.
- Expired tokens are not refreshed automatically; you must get a new token manually in Postman.
- Incorrect Client ID or Client Secret causing authentication failure.
```text
/* Wrong way: Missing Use Token step */
// Token is requested but not applied

/* Right way: */
// After getting the token, click 'Use Token' to apply it to the request
```
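The Authorization Code exchange that the example steps and the Callback URL and expiry pitfalls describe, as an added Python example (not part of the original page and not Postman's own code): it builds the Auth URL, checks that the redirect really came back to the registered Callback URL with the expected state, assembles the token request, and reports when the token has expired. The endpoints and client credentials are the page's placeholders; the callback code in the demo is a constructed sample.

```python
import secrets
import time
from urllib.parse import urlencode, urlparse, parse_qs

# Configuration taken from the page's example (placeholder values).
AUTH_URL = "https://example.com/oauth/authorize"
CLIENT_ID = "your_client_id"
CLIENT_SECRET = "your_client_secret"
CALLBACK_URL = "https://oauth.pstmn.io/v1/callback"
SCOPE = "read write"

def build_authorize_url(state):
    # Step 6: the Auth URL the browser popup opens. 'state' is a random
    # value that must come back unchanged on the callback.
    params = {"response_type": "code", "client_id": CLIENT_ID,
              "redirect_uri": CALLBACK_URL, "scope": SCOPE, "state": state}
    return AUTH_URL + "?" + urlencode(params)

def parse_callback(redirected_url, expected_state):
    # Validate the redirect back to the Callback URL and extract the code.
    # A mismatched callback URL or state is rejected (the pitfall above).
    u = urlparse(redirected_url)
    if f"{u.scheme}://{u.netloc}{u.path}" != CALLBACK_URL:
        raise ValueError("redirect did not land on the registered Callback URL")
    q = parse_qs(u.query)
    if "error" in q:
        raise ValueError("authorization server returned: " + q["error"][0])
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: response is not for this request")
    return q["code"][0]

def token_request_body(code):
    # Form fields POSTed to the Access Token URL to swap the code for an
    # access token; the client secret never appears in the browser URL.
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": CALLBACK_URL, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET}

def token_expired(token_response, issued_at, now=None):
    # True once 'expires_in' seconds have passed; Postman does not refresh it.
    now = time.time() if now is None else now
    return now >= issued_at + int(token_response["expires_in"])

if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(build_authorize_url(state))
    # Constructed sample callback, as the browser would be redirected after login.
    code = parse_callback(f"{CALLBACK_URL}?code=SplxlOBeZQQYbYS6WxSbIA&state={state}", state)
    print(token_request_body(code))
```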
Quick Reference
| Field | Description | Example |
|---|---|---|
| Grant Type | OAuth2 flow type | Authorization Code |
| Access Token URL | URL to get access token | https://example.com/oauth/token |
| Client ID | App identifier | your_client_id |
| Client Secret | App secret key | your_client_secret |
| Scope | Permissions requested | read write |
| Callback URL | Redirect URL registered | https://oauth.pstmn.io/v1/callback |
Key Takeaways
Always select OAuth 2.0 in Postman's Authorization tab to enable OAuth2 support.
Fill all required fields correctly, especially Callback URL and Grant Type.
Click 'Get New Access Token' and then 'Use Token' to apply the token to your request.
Tokens expire; refresh them manually by repeating the token request process.
Check API documentation for exact OAuth2 details to avoid authentication errors.