219

I'm testing an implementation of JWT Token based security based off the following article. I have successfully received a token from the test server. I can't figure out how to have the Chrome POSTMAN REST Client program send the token in the header.

postman screenshot

My questions are as follows:

1) Am I using the right header name and/or POSTMAN interface?

2) Do I need to base 64 encode the token? I thought I could just send the token back.

cassiomolin
Diode Dan
  • Hi, where can I see in POSTMAN the JWT token I've received? – Usr Mar 14 '19 at 16:50
  • @MLondei, it depends on the way the receiving server is configured. It can come back as a URL (find it in the URL string) or it can come back in the response body (find it in the response's body field). Those are the two major ones I'm aware of. – Diode Dan Mar 18 '19 at 00:07
  • Link rot. New link: https://auth0.com/docs/design/web-apps-vs-web-apis-cookies-vs-tokens – nilon Dec 20 '19 at 17:25

13 Answers

325

For the request Header name just use Authorization. Place Bearer before the Token. I just tried it out and it works for me.

Authorization: Bearer TOKEN_STRING

Each part of the JWT is a base64url encoded value.

Mick Cullen
  • Just as a clarification, the "Header" field becomes Authorization and the "Value" field becomes Bearer[WHITESPACE] – Diode Dan Jul 12 '14 at 21:34
  • Do you know what part of the field is encrypted? It appears that the data right after the last '.' separator is giving me what looks like garbage characters. I assume this is actually information encrypted by the Token generator? – Diode Dan Jul 13 '14 at 17:55
  • Check out http://jwt.io/ . There is a section where you can paste a JWT and view its decoded contents; it's the best way of seeing what's happening. The server secret string is used to make the last section of the token. JWT only signs the payload, it does not encrypt, i.e. you can decode parts 1 & 2 of the string but cannot validate it without the secret. http://self-issued.info/docs/draft-ietf-oauth-json-web-token.html – Mick Cullen Jul 14 '14 at 10:27
  • EXAMPLE. JWT secret = 'This is the secret hush hush!' , Client (sends credentials via http): username and password, Server sends token in http response header: {"token":" eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9. eyJ1c2VyX2lkIjoiNTNjM2E2ZGIxMmFiZmE4MDBjNTRhNDQ2IiwidXNlcm5hbWUiOiJhZG1pbiIsImFkbWluIjp0cnVlLCJjcmVhdGVkIjoiMjAxNC0wNy0xNFQwOTo0NjowMy45NTZaIiwiZW1haWwiOiJtaWNrQDEyMy5pZSIsImlhdCI6MTQwNTMzMTIwNywiZXhwIjoxNDA1MzM0ODA3fQ. LfE_1suABLnAY8IGWd_sOWw1ONVf7KbKGrnJlGbaTsQ"} – Mick Cullen Jul 14 '14 at 10:47
  • Can someone please elaborate on why we need to put Bearer before the JWT? Is this some kind of signal to the server that this is a JWT? – user137717 Aug 28 '15 at 05:41
  • That is just the convention - you can find all details here: https://jwt.io/introduction/ – Michael Noyb Feb 16 '16 at 11:01
  • Hmm, I'm doing this, but I get a `403 Forbidden` in my .net core api – J86 Aug 14 '17 at 09:11
  • Why should I use `Bearer`? Is it mandatory to use that name? Can I use `ABC`? – mirsahib Jan 18 '21 at 07:38
150

Here is an image if it helps :)

Postman

Update:

The postman team added "Bearer token" to the "authorization tab": Updated postman

Mike Bovenlander
prasanthv
43

I am adding to this question a little interesting tip that may help you guys testing JWT APIs.

It is very simple actually.

When you log in to your API (login endpoint), you will immediately receive your token, and as @mick-cullen said you will have to use the JWT in your header as:

Authorization: Bearer TOKEN_STRING

Now if you would like to automate your tests or just make your life easier, you can save the token as a global that you can call on all other endpoints as:

Authorization: Bearer {{jwt_token}}

On Postman: make a global variable in Postman as jwt_token = TOKEN_STRING.

On your login endpoint: to make it useful, add at the beginning of the Tests tab:

var data = JSON.parse(responseBody);          // parse the login response body
postman.clearGlobalVariable("jwt_token");     // drop any token from a previous run
postman.setGlobalVariable("jwt_token", data.jwt_token); // store the new token for {{jwt_token}}

I am guessing that your API is returning the token as JSON in the response as: {"jwt_token":"TOKEN_STRING"}; there may be some sort of variation.

On the first line you add the response to the data variable. Clear your global and assign the value.

So now you have your token in the global variable, which makes it easy to use Authorization: Bearer {{jwt_token}} on all your endpoints.

Hope this tip helps.


EDIT
Something to read

About tests on Postman: testing examples

Command Line: Newman

CI: integrating with Jenkins

Nice blog post: master api test automation

Pablo Palacios
  • Interesting, I'm unfamiliar with the concept of the `Test` tab and Postman coding. Is there a resource you recommend to get started with this? – Diode Dan Jan 03 '17 at 20:40
  • Yup, there are some that I found useful: * https://www.getpostman.com/docs/testing_examples * http://blog.testproject.io/2016/06/22/master-api-test-automation/ * http://www.sm-cloud.com/testing-api-with-postman/ – Pablo Palacios Jan 04 '17 at 20:03
  • Actually Postman is really interesting and pretty strong when it comes to automated testing. You can configure postman in such a way that it can build random data Global variables or Environment variables that you can run on the tests. And make iterative runs and test any response as endpoint unit tests. Save them and find errors when you change code. I haven't used the command line utility but I understand that you can configure it to run in your ci-pipeline. – Pablo Palacios Jan 05 '17 at 02:21
  • You can read about the command line here: https://www.getpostman.com/docs/newman_intro – Pablo Palacios Jan 05 '17 at 02:23
12

Here is how to set this token automatically.

On your login/auth request

enter image description here

Then for authenticated page

enter image description here

Emeka Mbah
10

I had the same issue in Flask and after trying the first 2 solutions which are the same (Authorization: Bearer <token>), and getting this:

{
    "description": "Unsupported authorization type",
    "error": "Invalid JWT header",
    "status_code": 401
}

I managed to finally solve it by using:

Authorization: jwt <token>

Thought it might save some time to people who encounter the same thing.

Vucko
  • I was getting `Authentication credentials were not provided` in `django` using `Bearer `. Solved with `jwt `. Thanks for the solution – S_M Nov 21 '17 at 15:03
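As an added example (not code from the question or any of the answers), this shows what the receiving API does with the header Postman sends: it parses the "Authorization: <scheme> <token>" value per RFC 6750, decodes the base64url parts without verification (which is why jwt.io can show the claims), and then verifies the HS256 signature with the server secret. The `scheme` parameter generalises the Bearer-vs-jwt prefix mismatch behind the 401 answer above. Secret and claims are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json

def b64url_encode(data: bytes) -> str:
    # JWT parts are base64url without '=' padding (RFC 7515)
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    # restore the padding the token omits, then decode
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_hs256_token(payload: dict, secret: str) -> str:
    # constructed demo issuer: header.payload signed with HMAC-SHA256
    header = {"typ": "JWT", "alg": "HS256"}
    signing_input = ".".join(
        b64url_encode(json.dumps(p, separators=(",", ":")).encode())
        for p in (header, payload))
    sig = hmac.new(secret.encode(), signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def decode_unverified(token: str) -> tuple:
    # header and payload are only encoded, not encrypted: anyone can read them
    head, payload, _sig = token.split(".")
    return json.loads(b64url_decode(head)), json.loads(b64url_decode(payload))

def verify_hs256(token: str, secret: str) -> dict:
    # recompute the MAC over "header.payload" and compare in constant time;
    # reject any alg other than the one we expect (e.g. "none")
    head, payload, sig = token.split(".")
    if decode_unverified(token)[0].get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(secret.encode(), f"{head}.{payload}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload))

def parse_authorization(header_value: str, scheme: str = "Bearer") -> str:
    # RFC 6750 form is "<scheme> <credentials>"; scheme names are
    # case-insensitive. A server configured for "JWT" rejects "Bearer" here,
    # which is the mismatch behind the 401 seen with Flask/Django above.
    parts = header_value.split(None, 1)
    if len(parts) != 2 or parts[0].lower() != scheme.lower():
        raise ValueError("Unsupported authorization type")
    return parts[1].strip()
```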
7

If you wish to use Postman, the right way is to use the headers as such:

key: Authorization

value: jwt {token}

as simple as that.

Adi
5
  1. Open Postman.
  2. Go to the "Headers" field.
  3. There one can see "key value" blanks.
  4. In key, type "Authorization".
  5. In value, type "Bearer(space)your_access_token_value".

Done!

Pierre.Vriens
Dheeraj
4

enter image description here

Everything else, i.e. Params, Authorization, Body, Pre-request Script, Tests, is empty; just open the Headers tab and add as shown in the image. It's the same for GET requests as well.

coda
3

For people who are using the WordPress plugin Advanced Access Manager to open up JWT Authentication:

The header field should be Authentication instead of Authorization.

enter image description here

AAM mentions it in their documentation:

Note! AAM does not use standard Authorization header as it is skipped by most Apache servers. ...


Hope it helps someone! Thanks for the other answers, they helped me a lot too!!

jeffsama
1

I did as moplin mentioned. But in my case the service sends the JWT in the response headers, as a value under the key "Authorization".

Authorization →Bearer eyJhbGciOiJIUzUxMiJ9.eyJzdWIiOiJpbWFsIiwiZXhwIjoxNDk4OTIwOTEyfQ.dYEbf4x5TGr_kTtwywKPI2S-xYhsp5RIIBdOa_wl9soqaFkUUKfy73kaMAv_c-6cxTAqBwtskOfr-Gm3QI0gpQ

What I did was make a global variable in Postman as

key->jwt
value->blahblah

In the login request -> Tests tab, add

postman.clearGlobalVariable("jwt");   // drop the token from a previous run
postman.setGlobalVariable("jwt", postman.getResponseHeader("Authorization")); // store "Bearer <token>" from the response header

In other requests select the Headers tab and give

key->Authorization

value->{{jwt}}

Yasitha Bandara
0

Somehow postman didn't work for me. I had to use a chrome extension called RESTED which did work.

RamanSM
0

In the latest Postman version (7++) maybe there is no Bearer field in Authorization, so go to the Headers tab,

select the key as Authorization and in the value write JWT.

Abhi
  • For v7.19.0+ and it's also been there for a while, there's a `Bearer Token` helper in the `Authorization` tab, adding the token value here (Hardcoded or as a dynamic variable) will create the same `Authorization` header for the request. – Danny Dainton Feb 25 '20 at 11:53
0

x-access-token on headers works for me.

key: x-access-token
value: token
4b0
ohmcodes