When a request uses the Okta Public API Collections in Postman, the Authorization header may not appear. This occurs because the specific OAuth 2.0 flow omits the header, or Postman injects the header at runtime. Reviewing the Postman configuration and the specific OAuth 2.0 flow requirements clarifies the missing header.
- Okta Management API
- Okta Postman Collections
- Okta Classic Engine
- Okta Identity Engine (OIE)
The specific OAuth 2.0 flow omits the Authorization header, or Postman manages the authorization in the background.
Postman omits the header based on the specific OAuth 2.0 flow or handles it dynamically.
Here are the primary reasons why that header might not be visible in the current Postman view:
- Postman frequently manages authorization in the Auth tab rather than requiring manual entry in the Headers tab.
- If the configuration uses Inherit auth from parent, Postman injects the header at runtime when Postman sends the request. The header does not appear in the static Headers list.
- When a request uses Basic Auth, Postman automatically generates the Authorization: Basic <base64> header behind the scenes.
- Postman often handles authentication via form-urlencoded parameters, such as client_id and client_secret, in the Body tab rather than the Headers tab.
- Secure flows, such as Proof Key for Code Exchange (PKCE) for public clients or Private Key JSON Web Token (JWT), do not use an Authorization header. Instead, PKCE uses a code_verifier in the body, and Private Key JWT uses a client_assertion (a signed JWT) in the body to prove identity.
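To see which of the cases above applies to a given token request, the following added example (not part of the Okta collections or Postman itself) classifies where the client credential travels. The `{ headers, body }` input shape, the sample values, and the method labels (the standard OAuth/OIDC `token_endpoint_auth_method` names) are assumptions of this sketch.

```javascript
// Added example: classify how a token request authenticates the client.
// The { headers, body } shape is an assumption of this sketch, not a Postman API.
const JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer";

function classifyClientAuth({ headers = {}, body = "" }) {
  const form = new URLSearchParams(body);
  // Header names are case-insensitive, so compare in lower case.
  const authHeader = Object.entries(headers)
    .find(([name]) => name.toLowerCase() === "authorization")?.[1];
  const methods = [];

  if (authHeader && /^Basic\s+/i.test(authHeader)) {
    // Basic is base64("client_id:client_secret"): an encoding, not encryption.
    const decoded = Buffer.from(authHeader.replace(/^Basic\s+/i, ""), "base64").toString("utf8");
    methods.push({ method: "client_secret_basic", clientId: decoded.split(":")[0] });
  }
  if (form.has("client_secret")) {
    methods.push({ method: "client_secret_post", clientId: form.get("client_id") });
  }
  if (form.has("client_assertion")) {
    methods.push({
      method: "private_key_jwt",
      validType: form.get("client_assertion_type") === JWT_BEARER,
    });
  }
  if (methods.length === 0) {
    // Public client: no client credential; PKCE binds the code via code_verifier.
    return { method: "none", pkce: form.has("code_verifier"), conflict: false };
  }
  // OAuth 2.0 (RFC 6749) forbids more than one client authentication method per request.
  return { ...methods[0], pkce: form.has("code_verifier"), conflict: methods.length > 1 };
}

// Constructed sample requests (placeholder values, not real credentials).
const samples = {
  basic: { headers: { Authorization: "Basic " + Buffer.from("0oaEXAMPLE:s3cr3t").toString("base64") },
           body: "grant_type=client_credentials&scope=okta.users.read" },
  post: { headers: {}, body: "grant_type=client_credentials&client_id=0oaEXAMPLE&client_secret=s3cr3t" },
  pkce: { headers: {}, body: "grant_type=authorization_code&client_id=0oaEXAMPLE&code=abc&code_verifier=xyz" },
  jwt: { headers: {}, body: "grant_type=client_credentials&client_assertion_type=" +
         encodeURIComponent(JWT_BEARER) + "&client_assertion=eyJ.constructed.sig" },
};

for (const [name, req] of Object.entries(samples)) {
  console.log(name, classifyClientAuth(req));
}
```

A `conflict: true` result means the request carries the secret in both the header and the body, which usually indicates the Auth tab and the Body tab are both configured for the same request.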
