Understanding bearer tokens when using Postman and not using Postman?

Question

I am trying to integrate a third party API. I was provided with a username and password.

When I use Postman to send a post request to the login webpage; the request header contains a postman token:

Postman-Token: vvvvvvvvv-wwwww-xxxx-yyyy-zzzzzzzzzz //this is not the real value

If I supply the postman token to every request after the login request (as shown below) then everything still works as expected:

If I access the api through my webpage, then everything also works as expected. My questions are:

What is the Postman token? I have looked already here: https://stackoverflow.com/questions/36883046/what-is-the-postman-token-header-attribute-in-generated-code-from-postman#:~:text=1%20Answer&text=This%20is%20primarily%20used%20to,random%20token%20avoids%20this%20issue.
What is the alternative to the Postman token when accessing the API though a webpage. I can see no token in the request when looking at it using Fiddler. Were is the bearer token in Fiddler?

PDHide · Accepted Answer · 2020-11-25T11:22:11.060

1

Postman Token :

So it is just a custom header to track and debug postman requests in the receiving server

It doesn't do any authorization

Why no token in fiddler:

Because you haven't added it . You can add any custom header to the request you are sending

Why it works when used as bearer token

Because in your login call your session is cached . So for subsequent requests it is using cached session

To close the session , update the Connection header from keep-alive to close

Try setting second request to no auth:

and see if the request is still successful to confirm you are using cached session

edited Nov 25 '20 at 11:22

answered Nov 25 '20 at 11:05

PDHide

If there is no token in fiddler, then how is the user able to access secure parts of the api after logging in? – w0051977 Nov 25 '20 at 11:06
@w0051977 added that part – PDHide Nov 25 '20 at 11:07
Thanks for the update. Were is the session cached? – w0051977 Nov 25 '20 at 11:08
@w0051977 in server it depends on how the service is designed – PDHide Nov 25 '20 at 11:09
@w0051977 as you mentioned you are using username password for authentication so the session information would be getting stord in server – PDHide Nov 25 '20 at 11:10
Is this a different approach to bearer altogether? – w0051977 Nov 25 '20 at 11:10
@w0051977 you said you are using username password for the first request , – PDHide Nov 25 '20 at 11:10
Yes, I am. What bearing does that have? – w0051977 Nov 25 '20 at 11:11
@w0051977 so you are not using bearer token try setting authentication to no auth and see if the request is still successful so you can confirm that it is cached session and not using bearer – PDHide Nov 25 '20 at 11:13
How do you know I am not using bearer (thanks for answering the questions)? – w0051977 Nov 25 '20 at 11:15
I have asked another question here if you would like to take a look: https://stackoverflow.com/questions/65005279/cannot-load-webpage-from-postman-because-of-javax-faces-viewstate – w0051977 Nov 25 '20 at 13:07

1 Answers1