Rotate your API Key
Postman's API keys are designed to expire automatically and require regular rotation. An expired key will not be able to access Postman's APIs. To support key rotation, users can create multiple valid API keys per account.
- API keys that had been created prior to our multiple API key feature will expire on 21 April 2024, 08:00 GMT+8.
- Newly created API keys will expire 6 months after creation.
We encourage users to rotate API keys even more frequently if possible.
There are two scenarios where API key rotation is necessary.
First, the longer the validity period of an API key, the more vulnerable it is to risk of theft or unintentional disclosure. As a general security practice, API keys should be rotated regularly to mitigate this risk, even when there has been no known breach.
Second, if an unauthorised disclosure of an API key is discovered, API key rotation should be performed as soon as possible to prevent unauthorised usage of the API key.
Follow these steps to rotate your API key:
- 2.Update the API key used in your system to the new one and, if necessary, restart your system to load the new value.
- 3.Remove the old API key from your account by clicking the corresponding delete button in Postman's
Please ensure that you are deleting the correct API key.
Please make sure that the above steps are followed in the correct order. Otherwise, your system might experience disruption.
Before your API key expires, we will attempt to notify you of the impending expiry using the contact emails provided when creating your API key.
The notification schedule is as follows:
- 1 month before the expiry date
- 2 weeks before the expiry date
- 3 days before the expiry date
- 1 day before the expiry date