Postman is a REST client for testing web services and REST APIs. It is available as a standalone application for Windows, macOS and Linux and as a Chrome extension, and it is a must-have tool for developers working with web APIs. So if you are developing a REST API, or a client application that consumes data from a web service such as the Microsoft Graph API, you can use it. It also helps you troubleshoot issues outside of your own application and see whether a given API call itself is failing. It can also speed up development.
So I thought I would share the following best practices, or things you need to consider, when you use Postman to call the Microsoft Graph API and want to handle tokens securely with this great utility.
- Don’t use production user accounts, because their credentials are stored directly in Postman.
- Don’t use this approach to obtain access tokens in production; use it only for testing purposes.
- If you want to run other APIs in the collection, you will need to consent to the required permissions for your application.
- If you don’t want to store user names and passwords in environment variables that sync to your Postman cloud account, you can use the Get New Access Token capability to get a token without leaving Postman.
- Getting an access token and making further calls to Microsoft Graph require values such as the tenant ID, client ID, client secret and token strings.
- Postman can be configured to store these values in variables and reuse them across multiple requests, which is a great feature that will save you time.
- The reason I keep stressing security with bearer tokens is that if a bearer token is transmitted in the clear, a malicious party can use a man-in-the-middle attack to acquire the token and use it for unauthorized access to the protected resource.
- The same security principle applies when storing or caching bearer tokens for later use.
- Always ensure that your app (whatever app you are using) transmits and stores bearer tokens securely. For more security considerations on bearer tokens, see RFC 6750 Section 5.
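To make the points above concrete, here is an added example (written for this post, not Microsoft's or Postman's own script) of a Postman pre-request script that obtains a Microsoft Graph token with the OAuth 2.0 client-credentials flow, so no user account is involved, and caches it in environment variables until shortly before it expires. It assumes the variable names tenantId, clientId, clientSecret, accessToken and tokenExpiresAt, the v2.0 token endpoint with the https://graph.microsoft.com/.default scope, and a one-minute refresh skew; all of these are my choices, not something the post prescribes. Store clientSecret as a secret-type variable so it is masked in the UI, and, as the post says, use a test tenant rather than production credentials.

```javascript
// Added example pre-request script for Postman (not the page's or Microsoft's code).
// Assumed environment variables: tenantId, clientId, clientSecret (secret type),
// plus accessToken and tokenExpiresAt, which this script writes.

const TOKEN_SKEW_MS = 60 * 1000; // refresh a minute early to survive clock drift (assumed value)

// Returns true when there is no cached token or it is within the skew of expiring.
function shouldRefresh(env, nowMs) {
  const expiresAt = Number(env.tokenExpiresAt);
  if (!env.accessToken || !Number.isFinite(expiresAt)) return true;
  return nowMs + TOKEN_SKEW_MS >= expiresAt;
}

// Builds the client-credentials request for the v2.0 token endpoint. The secret
// travels in the form body over HTTPS, never in the query string, so it does not
// end up in URL history or proxy logs.
function buildTokenRequest(env) {
  for (const name of ["tenantId", "clientId", "clientSecret"]) {
    if (!env[name]) throw new Error(`missing environment variable ${name}`);
  }
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(env.tenantId)}/oauth2/v2.0/token`,
    method: "POST",
    header: { "Content-Type": "application/x-www-form-urlencoded" },
    body: {
      mode: "urlencoded",
      urlencoded: [
        { key: "client_id", value: env.clientId },
        { key: "client_secret", value: env.clientSecret },
        { key: "scope", value: "https://graph.microsoft.com/.default" },
        { key: "grant_type", value: "client_credentials" },
      ],
    },
  };
}

// Validates a token response and returns the values to cache. The token itself
// is never logged; only its expiry is safe to print.
function cacheFromTokenResponse(body, nowMs) {
  if (typeof body.access_token !== "string" || body.token_type !== "Bearer") {
    throw new Error(`token endpoint error: ${body.error || "unexpected response"}`);
  }
  const expiresIn = Number(body.expires_in);
  if (!Number.isFinite(expiresIn) || expiresIn <= 0) {
    throw new Error("token response missing expires_in");
  }
  return {
    accessToken: body.access_token,
    tokenExpiresAt: String(nowMs + expiresIn * 1000),
  };
}

// Redacts a bearer token for console output: enough to correlate, nothing usable.
function redactToken(token) {
  return token.length <= 8 ? "****" : `${token.slice(0, 4)}...****`;
}

// Postman-only glue: runs inside the Postman sandbox, skipped when loaded in Node.
if (typeof pm !== "undefined") {
  const env = {};
  for (const k of ["tenantId", "clientId", "clientSecret", "accessToken", "tokenExpiresAt"]) {
    env[k] = pm.environment.get(k);
  }
  if (shouldRefresh(env, Date.now())) {
    pm.sendRequest(buildTokenRequest(env), (err, res) => {
      if (err) throw err;
      const cached = cacheFromTokenResponse(res.json(), Date.now());
      pm.environment.set("accessToken", cached.accessToken);
      pm.environment.set("tokenExpiresAt", cached.tokenExpiresAt);
      console.log(`new token ${redactToken(cached.accessToken)} expires ` +
        new Date(Number(cached.tokenExpiresAt)).toISOString());
    });
  }
}
```

Attach the script as the collection's pre-request script and set the collection's authorization to Bearer Token with `{{accessToken}}`; every request then reuses the cached token and only hits the token endpoint when it is about to expire, which is the variable reuse described above with the caching caveat from RFC 6750 Section 5 applied.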
Hope this helps.