REW

How To Use PAT Token In Postman?

Published Aug 29, 2025

To use a Personal Access Token (PAT) in Postman, you configure it as a Bearer Token under the request's Authorization tab. This is the most common method, as Postman automatically adds the required Authorization: Bearer <your-token> header to your requests. For better security and reusability, you should store the PAT in an environment or collection variable.

Method 1: Using the Authorization tab (recommended)

This approach is the most straightforward and secure: Postman builds the Authorization header for you, so you do not type the token into a header by hand, where it is easy to expose accidentally.

Step 1: Obtain your PAT

Before using a PAT in Postman, you must generate one from the service you want to access (e.g., GitHub, Azure DevOps, GitLab).

  1. Navigate to your account settings in the service's web interface.
  2. Find the "Personal Access Tokens," "Developer settings," or similar section.
  3. Generate a new token, providing it with a descriptive name and assigning the minimum necessary permissions (scopes). This follows the principle of least privilege.
  4. Copy the generated token value immediately. For security reasons, it will not be shown again.

Step 2: Set up a Postman environment (optional but recommended)

Using an environment variable allows you to easily switch between different tokens (e.g., for different projects or users) without modifying individual requests.

  1. In Postman, click the Environments button on the left sidebar.
  2. Click the + button to create a new environment.
  3. Give the environment a descriptive name (e.g., Azure DevOps Dev).
  4. In the variable table, add a new variable:
    • Variable: pat_token (or any name you prefer)
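    • Initial Value: Paste the PAT you copied earlier. Postman syncs the initial value to your account and includes it when the environment is shared or exported, so leave it empty if the environment will be shared with a workspace or team.
    • Current Value: Paste the PAT again. The current value stays local to your Postman app and is the value used when requests are sent.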
  5. Click Save.
  6. Select your new environment from the dropdown menu in the top right of the Postman interface.

Step 3: Configure the request

  1. Open or create a new request in Postman.
  2. Navigate to the Authorization tab, which is located below the request URL bar.
  3. From the Type dropdown, select Bearer Token.
  4. In the Token field, enter your environment variable by typing {{pat_token}}. If you skipped Step 2, you can paste the PAT directly here, though it is not recommended.
  5. Enter your API endpoint in the request URL bar.
  6. Click Send to make the request. The token will be automatically added to the Authorization header.

Method 2: Manually adding a header

If your API requires a different header prefix or if you prefer to set headers manually, you can use this method. This is also useful for troubleshooting.

  1. Create a new request or open an existing one in Postman.
  2. Go to the Headers tab.
  3. Add a new key-value pair:
    • Key: Authorization
    • Value: Bearer {{pat_token}} (or Bearer <your-pat-here>). Be sure to include the Bearer prefix and a space before your token.
  4. Send your request.

Method 3: Using Basic Auth for Azure DevOps (advanced)

Some services, like Azure DevOps, allow you to use a PAT with Basic Authentication instead of a Bearer token. In this case, the PAT is used as the password, and your username is ignored.

  1. Obtain your PAT from Azure DevOps following Step 1 of Method 1.
  2. In Postman, navigate to the Authorization tab of your request.
  3. Select Basic Auth from the Type dropdown.
  4. In the fields that appear:
    • Username: Any value (e.g., user or your email). It is disregarded by Azure DevOps when a PAT is used.
    • Password: Paste your PAT value. You can use an environment variable here as well ({{pat_token}}).
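  5. Postman will automatically create and encode the required Authorization header for you. The encoding is Base64 of username:password, which is reversible and is not encryption, so the header is as sensitive as the PAT itself.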
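
The header values that Methods 2 and 3 produce can be reproduced and inspected outside Postman. The following is an added example, not code from the original article; the function names and the placeholder token are hypothetical. It builds both header forms, shows that the Basic form decodes straight back to the PAT, and flags common header mistakes.

```javascript
// Constructed placeholder, not a real PAT.
const SAMPLE_PAT = "example-pat-0000000000";

// Method 2: the literal word "Bearer", one space, then the token.
function bearerHeader(token) {
  return `Bearer ${token}`;
}

// Method 3: Basic auth is base64("username:password"); the PAT is the password.
function basicHeader(username, pat) {
  return "Basic " + Buffer.from(`${username}:${pat}`, "utf8").toString("base64");
}

// Inspect an Authorization header value: report the scheme, the secret it
// carries, and formatting problems that typically lead to a 401.
function inspectAuthorization(value) {
  const problems = [];
  if (value !== value.trim()) problems.push("leading or trailing whitespace");
  const m = /^(\S+) +(.*)$/.exec(value.trim());
  if (!m) {
    problems.push("no scheme prefix");
    return { scheme: null, secret: null, problems };
  }
  const scheme = m[1].toLowerCase();
  let secret = m[2];
  if (/\{\{.*\}\}/.test(secret)) problems.push("unresolved {{variable}}");
  if (/\s/.test(secret)) problems.push("whitespace inside token");
  if (scheme === "basic") {
    // Base64 is reversible: anyone who sees the header recovers the PAT.
    const decoded = Buffer.from(secret, "base64").toString("utf8");
    secret = decoded.slice(decoded.indexOf(":") + 1); // password part
  } else if (scheme !== "bearer") {
    problems.push(`unexpected scheme "${m[1]}"`);
  }
  return { scheme, secret, problems };
}
```

An "unresolved {{variable}}" finding means the placeholder was sent literally, which happens when the environment holding pat_token is not selected.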

Best practices and troubleshooting

  • Protect your tokens: Treat your PATs like passwords. Do not hard-code them directly into requests or share them publicly. Using environment variables is the best practice.
  • Set expiration dates: When generating a PAT, always set a short, reasonable expiration date. This minimizes risk if the token is compromised.
  • Limit scopes: Grant your token only the permissions (scopes) it absolutely needs. This minimizes the damage if the token is leaked.
  • Token not working? If your request returns an Unauthorized error (401), check the following:
    • Expiration: Has your token expired? You can check and regenerate it from your service's settings.
    • Scopes: Does the token have the correct permissions for the API endpoint you are calling?
    • Typo: Did you copy and paste the token correctly without extra spaces? Using an environment variable helps prevent copy-paste errors.
    • Bearer prefix: For Bearer tokens, make sure the Authorization header has the Bearer prefix followed by a space before the token.
  • Debug with the Postman Console: If your request fails, open the Postman Console (View -> Postman Console or Cmd/Ctrl + Alt + C). This will show you the exact request Postman sent, including headers, which can help you identify authorization issues. The console displays the token in clear text, so redact it before sharing console output or screenshots.
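
The "Protect your tokens" advice can be checked before a collection is shared or committed. The following is an added example, not code from the original article: it walks an exported collection and reports every request whose auth fields or Authorization header hold a literal value instead of a {{variable}} reference. It assumes the Collection v2.1 export layout; the sample collection, token values and function names are constructed for illustration.

```javascript
// Constructed sample in the Collection v2.1 export layout; tokens are placeholders.
const SAMPLE_COLLECTION = {
  item: [
    { name: "Folder", item: [
      { name: "List projects", request: { header: [],
        auth: { type: "bearer", bearer: [{ key: "token", value: "{{pat_token}}" }] } } },
      { name: "Get repo", request: { header: [],
        auth: { type: "basic", basic: [
          { key: "username", value: "user" },
          { key: "password", value: "example-pat-0000000000" }] } } },
    ] },
    { name: "Manual header", request: {
      header: [{ key: "Authorization", value: "Bearer example-pat-1111111111" }] } },
  ],
};

// A value is safe to share only if it is empty or a single {{variable}} reference.
const isVariableRef = (v) => v === "" || /^\{\{[^{}]+\}\}$/.test(v.trim());

// Recursively walk folders and requests, collecting hard-coded secrets.
function findHardcodedSecrets(node, path = []) {
  const findings = [];
  for (const item of node.item || []) {
    const here = [...path, item.name];
    if (item.item) findings.push(...findHardcodedSecrets(item, here)); // folder
    const req = item.request;
    if (!req || typeof req !== "object") continue;
    const auth = req.auth || {};
    for (const field of auth[auth.type] || []) {
      const value = String(field.value ?? "");
      if (["token", "password"].includes(field.key) && !isVariableRef(value))
        findings.push({ request: here.join(" / "), where: `auth.${auth.type}.${field.key}` });
    }
    for (const h of Array.isArray(req.header) ? req.header : []) {
      // Strip the scheme so "Bearer {{pat_token}}" counts as a variable reference.
      const secret = String(h.value ?? "").replace(/^\s*(Bearer|Basic)\s+/i, "");
      if (/^authorization$/i.test(h.key) && !isVariableRef(secret))
        findings.push({ request: here.join(" / "), where: "header.Authorization" });
    }
  }
  return findings;
}
```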