Improve API security and collaboration with 1Password and Postman

Starting today, you can access API tokens and other secrets stored in 1Password directly in your Postman workspaces and collections. The integration is available in Postman Enterprise plans with the Advanced Security Administration add-on and can be accessed in the Postman Canary release. It will be available in the stable build in the coming weeks.

Postman is the leading API platform used by more than 30 million developers to build and work with APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs, faster.

The team at Postman was an early partner and tester in the 1Password SDKs private beta, and built the new integration with 1Password using the 1Password Javascript SDK. Developers can use the SDKs to securely retrieve secrets stored in 1Password natively in their apps, whether integrating with an API, accessing infrastructure secrets, or building their own integrations with 1Password.

How it works

First, create a service account using 1Password.com or 1Password CLI. We recommend saving the service account token into one of your 1Password vaults to reference later. (Note: 1Password Business users may need to ask their account administrator to set up a service account with access to shared vaults.)

Next, head over to Postman Vault and start adding a vault secret. Give it an appropriate name (under the Key column) and then click the Vault Integration Icon in the Value field.

Choose 1Password from the dropdown and enter your 1Password Service Account token.

Now you can configure your secret by copying the 1Password Secret Reference for the API key or other secret stored in 1Password. The secret reference is of the form op://<vault-name>/<item-name>[/<section-name>]/<field-name>.

You can reference vault secrets in your Postman collections and requests from the URL builder, the Params tab, the Authorization tab, the Headers tab, and the Body tab.

Enclose the vault secret in double curly braces ({{ }}) and prefix the secret name with vault: to reference it throughout your Postman team. For example, to reference a secret named “openai-api-key”, use the following syntax: {{vault:openai-api-key}}.

Improving API security and collaboration

APIs are the connective tissue of modern applications. By some estimates up to 83% of internet traffic is from APIs. Unfortunately, this can also make them appealing targets for malicious actors. Multiple high-profile breaches over the past year illustrate the importance of protecting API keys.

By providing an integrated vault experience, Postman and 1Password help streamline and secure developer workflows, ensuring APIs are protected every step of the way:

• Available everywhere: You can sync and access your Postman workspace on every device without having to set up access to your API keys and secrets again. Whenever you need to make an API request, your API keys will be available in Postman.
• Easier collaboration: Teams that collaborate in a workspace can easily reproduce each other’s requests without additional setup. If they use a shared vault in 1Password to share access secrets, they can easily reproduce requests without any additional configuration.
• Reduced security gaps: Secrets are end-to-end encrypted in 1Password so no one else can access them – including Postman and 1Password. This helps secure secrets and prevents them from accidentally leaking in configuration files or other plaintext files saved to your local disk.

Build your own integration with 1Password SDKs

Postman was one of our first partners to test and build with the new 1Password SDKs for Golang, Javascript, and Python. Currently in private beta, 1Password SDKs provide native language functionality to access and work with secrets stored in 1Password encrypted vaults.

“The 1Password SDK takes the hassle out of integrating 1Password Vault into your app,” says Pranav Joglekar, Software Engineer at Postman. “With a streamlined setup process, it’s up and running in no time. So, we (developers) can focus on building amazing apps while the 1Password SDK handles the rest, improving overall efficiency.”

Whether you’re building an integration, or just want to securely make an API request in your code, you can use 1Password SDKs to access secrets stored in your 1Password vaults.

Sign up for the 1Password Developer Newsletter or join the 1Password Developer Slack Community for updates about the public beta, and for the latest product updates and news for developers from 1Password.

We can’t wait to see what you build!

Simon Barendse and Andrew Stiefel