postmanlabs / postman-app-support

Postman is an API platform for building and using APIs. Postman simplifies each step of the API lifecycle and streamlines collaboration so you can create better APIs—faster.
https://www.postman.com

Programmatically set the secret variable type #10580

Open DannyDainton opened 2 years ago

DannyDainton commented 2 years ago

Is there an existing request for this feature?

Is your feature request related to a problem?

With the great addition of the secret variable type in the platform, users can now set the type manually through the UI, but having the ability to set them via a script would round out the flow. By manually setting it, you would be exposing that 'secret' value to over-the-shoulder attacks until you have set the type and then hit save to mask the value.

The .set() function already has a 3rd optional arg for the type, but as 'secret' isn't in the Variable Types it would fall back to 'default'.

Sandbox Environment

Describe the solution you'd like

Using the sandbox environment to set the variable type. A basic example of getting an access token value from a response body and then setting this as a secret variable:

let token = pm.response.json().access_token;
pm.environment.set('token', token, 'secret');

Describe alternatives you've considered

The Postman API can be used to programmatically set the type which could be done in a script using the pm.sendRequest() function but that seems a bit too long-winded to achieve what could be done in the set() function.

var options = {
  'method': 'PUT',
  'url': 'https://api.getpostman.com/environments/{{environment_uuid}}',
  'header': {
    'X-Api-Key': 'XXXX',
    'Content-Type': 'application/json'
  },
  body: JSON.stringify({
    "environment": {
      "name": "Test Environment",
      "values": [
        {
          "key": "token",
          "value": "ABC123",
          "type": "secret"
        }
      ]
    }
  })

};
pm.sendRequest(options, function (error, response) {
  if (error) throw new Error(error);
  console.log(response.json());
});

Additional context

No response
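
An added example, not part of the original post or of Postman's own code: a read-merge-write version of the API workaround above. It goes beyond the post by fetching the current values first, on the assumption that the PUT replaces the environment's whole `values` list and that the GET on the same URL returns `{ environment: { name, values } }`. The helper names (`upsertSecret`, `buildUpdateRequest`, `storeSecret`) are hypothetical, and the API key is passed in as a parameter instead of being written into the script.

```javascript
// Added example: helper names are hypothetical, not part of the Postman sandbox API.

// Return a copy of the environment's values with `key` stored as type "secret".
// Other entries are preserved; an existing entry for `key` is replaced, not duplicated.
function upsertSecret(values, key, value) {
  const entry = { key, value: String(value), type: 'secret' };
  let replaced = false;
  const merged = (values || []).map((v) => {
    if (v.key !== key) return { ...v };
    replaced = true;
    return { ...v, ...entry };
  });
  if (!replaced) merged.push(entry);
  return merged;
}

// Build the pm.sendRequest options for the PUT shown in the post.
function buildUpdateRequest(environmentUid, apiKey, name, values) {
  return {
    method: 'PUT',
    url: 'https://api.getpostman.com/environments/' + encodeURIComponent(environmentUid),
    header: { 'X-Api-Key': apiKey, 'Content-Type': 'application/json' },
    body: { mode: 'raw', raw: JSON.stringify({ environment: { name, values } }) }
  };
}

// Sandbox wiring: read the current values, merge the secret in, write them back.
// `pm` is the sandbox object; `done(err)` is called once the PUT has completed.
function storeSecret(pm, environmentUid, apiKey, key, value, done) {
  const url = 'https://api.getpostman.com/environments/' + encodeURIComponent(environmentUid);
  pm.sendRequest({ method: 'GET', url, header: { 'X-Api-Key': apiKey } }, (err, res) => {
    if (err) return done(err);
    const env = res.json().environment; // assumed response shape
    const values = upsertSecret(env.values, key, value);
    pm.sendRequest(buildUpdateRequest(environmentUid, apiKey, env.name, values), done);
  });
}
```

In a test script this would be called as `storeSecret(pm, uid, apiKey, 'token', pm.response.json().access_token, cb)`; the value still travels to the Postman API in the request body, so the API key and the token are only as protected as that request.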

YevheniiPokhvalii commented 2 years ago

Any updates? I have a script that takes secret keys from global variables in postman and creates their corresponding base64 encoded keys in global variables but I'm not able to mask them programmatically. They are created as plain text base64 encoded values.

andrhamm commented 2 years ago

:shipit: please

Vikmanatus commented 2 years ago

Hello to everyone 🙂

I am struggling with the same issue. I've searched everywhere but I didn't find any answers 🙁

Is there any workaround to fix this?

Best regards

lucianamerege commented 2 years ago

I would like to know as well

shaike41 commented 1 year ago

Same here...

umizu commented 1 year ago

Same...

thomasinc commented 1 year ago

+1 REQUIRED

dan668061 commented 1 year ago

+1

makar-melikyan-wmg commented 1 year ago

+1

nordquist commented 1 year ago

+1

gies74 commented 1 year ago

+1

noead01 commented 1 year ago

+1

ansghof commented 1 year ago

+1

F1ashhimself commented 1 year ago

+1

CSaratakij commented 1 year ago

+1

WJones132 commented 1 year ago

+1

adamabernathy commented 1 year ago

Same, this is a hard stop with us developing some of our new APIs.

dzarkV commented 1 year ago

same issue

evantoli commented 1 year ago

The suggestion in the description ☝️ was for something like:

let token = pm.response.json().access_token;
pm.environment.set('token', token, 'secret');

I would also be happy with a specific method called setSecret(...):

let token = pm.response.json().access_token;
pm.environment.setSecret('token', token);

vishalmrode commented 1 year ago

Facing a similar issue. Tried to set the type programmatically, no luck.

Any updates/solution on this?

pm.test("Management Access token is received and will be set as environment variable", () => {
    const jsonData = pm.response.json();
    pm.expect(jsonData).to.have.property('access_token');
    pm.environment.set('management_access_token', jsonData.access_token,'secret')
});

colin-stubbs commented 1 year ago

+1 I would like this feature.

TianxiangR commented 1 year ago

+1

rhynzler commented 1 year ago

+1

stephen-mogensen commented 11 months ago

+1

Would love this feature

irby commented 11 months ago

+1

adwaitsky commented 11 months ago

+1 would like to have this feature

TigranZalian commented 11 months ago

+1

leokdi commented 9 months ago

+1

primax79 commented 9 months ago

no news?

BradCandell commented 9 months ago

+5

lasse-seivaag commented 7 months ago

+1

wirmi commented 7 months ago

+1

cedrictwillie commented 6 months ago

+1

nshoemaker-elfin commented 6 months ago

still open after over two years?

F1ashhimself commented 6 months ago

@nshoemaker-elfin nobody cares about community

DavidAbderhalden commented 5 months ago

+1

prvn82 commented 5 months ago

I tried using pm.environment.set("token", pm.variables.replaceIn(token), pm.environment.toObject(), "secret"); as suggested by ChatGPT, but it did not work.

cleary-wolters-kr commented 5 months ago

+1

Vikmanatus commented 5 months ago

I think I might have found a solution to this, but I need to find on which project it was and test it again to ensure it would still work properly today.

I'll keep you in touch by the end of the week

garrucho commented 4 months ago

@Vikmanatus, did you have a chance to take a look at that? 👀

btw, +1

julienfradillon commented 4 months ago

+1

DannyDainton commented 4 months ago

Hey folks 👋🏻

Just providing some additional information since it's been a while since I opened this issue.

With V11, we have introduced the Postman Vault, which allows you to store your sensitive data in an encrypted local vault that is not synced with the Postman Cloud. Also, we have added multiple security features to help prevent accidental exposure of your API credentials.

The secret type is basically giving a false sense of security for those sensitive values. It's essentially only masking that data in the UI, it's not encrypted and is still sent as plain text.

garrucho commented 4 months ago

Note that you can't set or access vault secrets in scripts. (source)

This is very sad, as I have credentials coming through the return of an API, so I won't be able to enhance my security. 🤡

steffennilsen commented 2 months ago

> The secret type is basically giving a false sense of security for those sensitive values. It's essentially only masking that data in the UI, it's not encrypted and is still sent as plain text.

It would still be valuable for short lived secrets like access tokens

Ferrb9579 commented 2 months ago

+1

santiago-salinas commented 1 week ago

+1