API keys must be rotated regularly

Postman's API keys are designed to expire automatically and require regular rotation. An expired key will not be able to access Postman's APIs. To support key rotation, users can create multiple valid API keys per account.

• API keys that had been created prior to our multiple API key feature will expire on 21 April 2024, 08:00 GMT+8.

• Newly created API keys will expire 6 months after creation.

• Please rotate your API key through our new site https://legacy.postman.gov.sg/

We encourage users to rotate API keys even more frequently if possible.

Why is API key rotation necessary?

There are two scenarios where API key rotation is necessary.

First, the longer the validity period of an API key, the more vulnerable it is to risk of theft or unintentional disclosure. As a general security practice, API keys should be rotated regularly to mitigate this risk, even when there has been no known breach.

Second, if an unauthorised disclosure of an API key is discovered, API key rotation should be performed as soon as possible to prevent unauthorised usage of the API key.

How to rotate an API key

Follow these steps to rotate your API key:

1. (Updated 1 Apr 2024) Login to Postman v1 via https://legacy.postman.gov.sg/

2. Create a new API key. See this page for step-by-step instructions.

3. Update the API key used in your system to the new one and, if necessary, restart your system to load the new value.

4. Remove the old API key from your account by clicking the corresponding delete button in Postman's Settings page.

Notification Schedule

Before your API key expires, we will attempt to notify you of the impending expiry using the contact emails provided when creating your API key.

The notification schedule is as follows:

• 1 month before the expiry date

• 2 weeks before the expiry date

• 3 days before the expiry date

• 1 day before the expiry date