Postman requires an OpenID Connect (OIDC) OAuth 2.0 application in Okta before it can send authenticated Application Programming Interface (API) calls to an Okta tenant. Creating that application is a required prerequisite. Once the application exists, Postman is configured with the application credentials and the Authorization Code with Proof Key for Code Exchange (PKCE) grant flow to obtain access tokens and make API requests.
NOTE: Postman is a third-party tool. Okta is not responsible for changes to Postman, and Okta Support cannot troubleshoot issues with it.
- Okta Classic Engine
- Okta Identity Engine (OIE)
- Application Programming Interface (API)
- Postman
How is Postman configured to send API calls to an Okta tenant?
Prerequisites — Required Before Configuring Postman
Before configuring Postman, a custom OIDC OAuth 2.0 application must be created in Okta. This application provides the credentials and scopes that Postman uses to request access tokens. Complete the following prerequisite steps before proceeding:
- Sign in to the Okta Admin Console as a Super Administrator.
- Follow the steps in Create an OAuth 2.0 app in Okta to configure a custom OIDC web application. When creating the application, add https://oauth.pstmn.io/v1/callback as a Sign-in redirect URI. Postman includes this URI in its requests for tokens.
- Confirm that the scopes configured under the Okta API Scopes tab of the OIDC application are sufficient to perform the required actions. See OAuth 2.0 Scopes for details.
- Confirm that the application is assigned to the user who will request tokens.
NOTE: Completing the prerequisite steps above is required. Postman configuration will fail without a valid OIDC OAuth 2.0 application in Okta.
Set Up the Postman Workspace and Fork a Collection
The following steps create a new Postman workspace and fork an Okta API collection for testing.
- Open Postman and create a new workspace using the default settings.
- Navigate to the Okta Postman Collections reference page to fork a collection for testing.
- Complete the following steps to fork a collection:
- Select the Collections icon from the Okta Public API Collections left-hand navigation panel.
- Select the collection to fork, open the More Options menu, and choose Fork.
- Enter a name and workspace for the forked collection.
- Select Fork Collection.
Finishing the Postman and Okta Integration
The following steps import the Okta environment into Postman and configure the required credentials.
- In Postman, select the Workspaces tab and choose the newly created workspace.
- In the upper-left corner, select Import.
- In the Import dialog box, paste the following URL into the Paste URL field:
- After the URL is pasted, Postman automatically creates the environment.
- In the upper-right corner, select the environment dropdown menu and choose ${theOktaDomain} from the list. If Postman was just installed, the initial value displays as No Environment.
- In the upper-right corner, next to ${theOktaDomain}, select the environment quick look button.
- In the upper-right corner of the ${theOktaDomain} dialog box, select Edit.
- In the Manage Environments tab, update the following attributes:
- Enter a name for the environment.
- Update the url variable to contain the Okta org URL in both the Initial value and Current value fields (for example, https://<OrgName>.okta.com).
- Remove the apikey variable.
- Create the following variables and populate both the Initial value and Current value fields with the corresponding information:
  - CLIENT_ID: Client ID of the custom OIDC application
  - CLIENT_SECRET: Client Secret of the custom OIDC application
  - AUTH_URL: https://<subdomain>.okta.com/oauth2/v1/authorize
  - TOKEN_URL: https://<subdomain>.okta.com/oauth2/v1/token
- Select Save in the upper-right corner.
Get an Access Token and Make a Request
Okta recommends the use of the Authorization Code with PKCE grant flow. See Implement the Authorization Code with PKCE flow for details on this grant type.
Follow these steps to configure the authorization settings in Postman and retrieve an access token.
- Select a request — for example, a GET request to the /api/v1/users endpoint — to retrieve a list of all users.
- On the Headers tab, remove the Authorization parameter if it exists.
- Select the Authorization tab, and from the Type dropdown menu, choose OAuth 2.0.
- In the right pane, scroll down to the Configure New Token section.
- In the first field, enter a name for the token and select Authorization Code (With PKCE) as the grant type.
- Define the remaining fields for the token request using the following values:
  - Callback URL: Enter the redirect URI configured in the custom OIDC application in Okta (for example, https://oauth.pstmn.io/v1/callback). Okta returns the token to this location after the user finishes authenticating. This URL must match a redirect URI configured in the custom OIDC application.
  - Auth URL: {{AUTH_URL}}
  - Access Token URL: {{TOKEN_URL}}
  - Client ID: {{CLIENT_ID}}
  - Client Secret: {{CLIENT_SECRET}}
  - Code Challenge Method: Leave the default SHA-256 selected.
  - Code Verifier: Leave this field empty so that Postman generates its own.
  - Scope: Enter the scopes that allow the required actions on the target endpoint. Separate multiple scopes with spaces. The requested scopes must exist in the application's grants collection, and the user must have permission to perform those actions.
  - State: Enter any alphanumeric value. The authorization server reflects this string when redirecting the browser back to the client.
  - Client Authentication: Set to Send client credentials in body.
- Select Get New Access Token. A prompt to sign in to the Okta org opens. Sign in as a user assigned to the OIDC application integration.
- After authentication, the access token and requested scopes appear in the Manage Access Tokens window. The token also appears in the Current Token dropdown menu.
NOTE: The lifetime for this token is fixed at one hour.
- Select Use Token at the top of the window to apply this access token to the request.
- Select Send.
- Postman displays the results of the request in the result pane.
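As an added example (not part of this article and not Postman's or Okta's code), the following Python script performs the same Authorization Code with PKCE steps that Postman runs when you select Get New Access Token: it generates a code verifier and its SHA-256 code challenge, builds the authorize request with a state value, and refuses the callback unless the returned state matches. The org URL, client ID and scope used in it are constructed placeholders.

```python
# Added example: the PKCE pieces behind Postman's "Authorization Code (With PKCE)" settings.
# Org URL, client ID and scope below are constructed placeholders, not real values.
import base64
import hashlib
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

AUTH_URL = "https://placeholder-org.okta.com/oauth2/v1/authorize"   # {{AUTH_URL}}
REDIRECT_URI = "https://oauth.pstmn.io/v1/callback"                 # Postman's callback URL


def make_code_verifier(n_bytes: int = 32) -> str:
    """RFC 7636 code verifier: what Postman generates when the field is left empty.
    32 random bytes base64url-encode to 43 characters (allowed range is 43-128)."""
    return base64.urlsafe_b64encode(secrets.token_bytes(n_bytes)).rstrip(b"=").decode("ascii")


def make_code_challenge(verifier: str) -> str:
    """S256 method (the SHA-256 default in Postman): BASE64URL(SHA256(verifier)), no padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def build_authorize_url(client_id: str, scopes: list, state: str, challenge: str) -> str:
    """Authorize request Postman opens in the browser; only the challenge is sent, never the verifier."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),          # space-separated, as the article requires
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTH_URL}?{urlencode(params)}"


def check_callback(callback_url: str, expected_state: str) -> str:
    """Accept the authorization code only when the reflected state equals the one we sent."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: discard this callback")
    if "error" in qs:
        raise ValueError(f"authorization error: {qs['error'][0]}")
    return qs["code"][0]


if __name__ == "__main__":
    verifier = make_code_verifier()
    state = secrets.token_urlsafe(16)
    print(build_authorize_url("0oaPLACEHOLDER", ["okta.users.read"], state, make_code_challenge(verifier)))
```

The verifier is sent only in the later token request (together with the client secret in the body, matching the Send client credentials in body setting), so an intercepted authorization code alone cannot be redeemed.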
