Postman API Key
A Postman API Key is a credential used to authenticate requests to the Postman API, which allows users to programmatically access and manage their Postman workspaces, collections, environments, and more. Exposure of this key is a significant security concern because it can grant unauthorized access to sensitive data and configurations within a user's Postman account, potentially leading to data breaches or unauthorized changes.
How Does It Look
Postman API Keys can appear in various contexts, such as:
-
Environment variables:
export POSTMAN_API_KEY="pmk-1234567890abcdef" -
Configuration files (JSON):
{
"postmanApiKey": "pmk-1234567890abcdef"
} -
Code snippets:
const apiKey = "pmk-1234567890abcdef"; -
Connection strings:
https://api.getpostman.com/collections?apikey=pmk-1234567890abcdef
Severity
🟠 High
This severity level is due to the potential access the API Key provides to sensitive data and configurations within a Postman account. An attacker with this key could manipulate collections, environments, and other resources, leading to data exposure and operational disruptions.
What Can an Attacker Do?
With immediate access to a Postman API Key, an attacker can perform several actions:
- Access and modify collections (if the key has write permissions), potentially altering API tests or exposing sensitive data.
- Retrieve environment variables (if the key has read access), which may contain other sensitive credentials or configurations.
- Delete or modify workspaces (if the key has appropriate permissions), disrupting team workflows and data integrity.
- Access billing information (if the account has billing scope enabled), potentially leading to financial exploitation.
An attacker could also use the API Key to escalate privileges or move laterally within the organization by accessing other integrated services or APIs, depending on the permissions granted to the key.
Real-World Impact
The exposure of a Postman API Key poses significant business risks:
- Data Exposure: Sensitive API data and configurations (if the key has read access to collections and environments).
- Financial Loss: Unauthorized access to billing information or misuse of resources (if billing/resource creation is permitted).
- Operational Disruption: Altered or deleted collections and environments (if the attacker has modify permissions).
- Reputational Damage: Loss of trust from clients and partners due to data breaches or service disruptions.
In a worst-case scenario, the exposure could lead to cascading effects, such as compromised client data or unauthorized access to other integrated systems.
Prerequisites for Exploitation
To exploit a Postman API Key, an attacker needs:
- Network access to the Postman API endpoint.
- Knowledge of the API Key itself.
- Awareness of account-specific details like workspace IDs or collection names (to target specific resources).
How to Verify If It's Active
To verify if a Postman API Key is active, use the following command:
curl -X GET "https://api.getpostman.com/collections" -H "X-Api-Key: [API_KEY]"
Valid credential response: A successful response will return a list of collections in JSON format.
Invalid/expired credential response: An error message indicating unauthorized access or invalid API Key.
Detection Patterns
Common Variable Names:
- POSTMAN_API_KEY
- postmanApiKey
- apiKey
- POSTMAN_KEY
- postman_key
- PM_API_KEY
File Locations:
.envconfig.jsonsettings.yamlcredentials.txtpostman_config.js
Regex Pattern:
pmk-[a-zA-Z0-9]{16}
Remediation Steps
- Revoke immediately - Go to Postman > Account Settings > API Keys and delete the compromised key.
- Audit access logs - Review Postman activity logs for unauthorized access or changes during the exposure window.
- Assess blast radius - Identify all systems, applications, and environments that used the exposed API Key.
- Rotate credential - Generate a new API Key in Postman with least-privilege permissions.
- Update dependent systems - Deploy the new API Key to all applications and update CI/CD pipelines securely.
- Harden access controls - Enable IP allowlisting in Postman and require two-factor authentication for account access.
- Implement secrets management - Migrate API Keys to a secrets manager (HashiCorp Vault, AWS Secrets Manager) to prevent hardcoding.
- Add detection controls - Set up pre-commit hooks and repository scanning to catch API Key leaks before they reach production.
Credential exposures often go undetected for extended periods, increasing the window for exploitation. As a long-term strategy, plan to establish an internal process or engage an external vendor for continuous external exposure monitoring. This helps identify leaked secrets across public repositories, paste sites, dark web forums, and other external sources before attackers can leverage them. Proactive detection and rapid response are essential to minimizing the impact of credential leaks.