Postman Complete Guide: API Testing from Beginner to Advanced

Q: Is Postman free to use?

Postman offers a generous free tier that includes unlimited collections, environments, and history for individuals. The free plan includes 25 collection runs per month in the cloud and unlimited local runs. Paid plans add features like team collaboration, mock servers, and monitoring.

Q: Can I use Postman for automated testing in CI/CD?

Yes, use Newman (Postman's CLI tool) to run collections in CI/CD pipelines. Export your collections and environments as JSON files, then run them with Newman. Newman integrates with Jenkins, GitHub Actions, GitLab CI, Azure DevOps, and other CI/CD platforms.

Q: How do I share collections with my team?

Create a team workspace and move collections there for real-time collaboration. Alternatively, export collections as JSON files and share via version control (Git). You can also generate public documentation links for API consumers.

Q: What's the difference between environment and collection variables?

Environment variables switch between different configurations (dev/staging/prod URLs, API keys). Collection variables are specific to that collection and don't change between environments. Use environment variables for deployment-specific values and collection variables for collection-specific constants.

Q: Can Postman generate API documentation?

Yes, Postman can publish documentation directly from collections. Documentation includes request examples, descriptions, and sample responses. You can customize the styling, add markdown descriptions, and share public or private documentation links.

Q: How do I handle authentication that requires tokens from another request?

Use request chaining: In your login request's Tests tab, extract the token with pm.response.json().token and save it with pm.environment.set("authToken", token). Then use {{authToken}} in subsequent requests' Authorization headers.

Q: What libraries are available in Postman scripts?

Postman includes several built-in libraries: Lodash for utilities, crypto-js for cryptography, tv4 and ajv for JSON schema validation, moment for dates, uuid for generating UUIDs, and xml2js for XML parsing. You can also use pm.sendRequest() for making HTTP calls within scripts.

Q: Can I import API specs from Swagger/OpenAPI?

Yes, Postman imports OpenAPI (Swagger), RAML, GraphQL, and other API specification formats. Click Import and provide the spec file or URL. Postman creates a collection with all endpoints, parameters, and example requests based on the specification.

Parul Dhingra13+ Years ExperienceHire Me

Senior Quality Analyst

Updated: 1/23/2026

Postman has evolved from a simple Chrome extension for sending HTTP requests into a comprehensive API development and testing platform. Whether you're exploring a new API, building automated test suites, or collaborating with a team on API design, Postman provides tools that make the process intuitive and efficient.

This guide covers everything from basic request building to advanced automation techniques that transform Postman from a debugging tool into a full testing solution.

Table Of Contents-

What is Postman? - Getting Started - Making Requests - Collections and Organization - Variables and Environments - Writing Tests - Pre-request Scripts - Data-Driven Testing - Running Collections - Team Collaboration

What is Postman?

Postman is an API platform for building, testing, and documenting APIs. It's used by millions of developers worldwide for:

API Exploration: Send requests and inspect responses interactively
Automated Testing: Write and run API tests with JavaScript
Documentation: Generate API docs from collections
Mocking: Create mock servers for API prototyping
Collaboration: Share collections, environments, and work together

Versions:

Postman App: Desktop application (Windows, macOS, Linux)
Postman Web: Browser-based version with most features
Free Tier: Generous limits for individual and small team use

Getting Started

Installation

Download from postman.com (opens in a new tab) and install. Create a free account to sync collections across devices and access team features.

Interface Overview

┌─────────────────────────────────────────────────────────────┐
│  Sidebar          │  Request Builder                        │
│  ─────────        │  ──────────────                        │
│  • Collections    │  [GET ▼] [URL                    ][Send]│
│  • Environments   │                                         │
│  • History        │  Params | Auth | Headers | Body         │
│  • APIs           │  ─────────────────────────              │
│                   │  [Parameter input area]                 │
│                   │                                         │
│                   │  ═══════════════════════════════        │
│                   │  Response                               │
│                   │  Body | Headers | Test Results          │
│                   │  ─────────────────────────              │
│                   │  [Response content]                     │
└─────────────────────────────────────────────────────────────┘

Making Requests

Basic GET Request

Enter the URL: https://jsonplaceholder.typicode.com/users/1
Ensure method is GET
Click Send

The response appears below with:

Status code and time
Response headers
Response body (formatted JSON)

POST Request with JSON Body

Change method to POST
Enter URL: https://jsonplaceholder.typicode.com/users
Click Body tab
Select raw and JSON
Enter JSON:

{
  "name": "John Doe",
  "email": "john@example.com",
  "username": "johndoe"
}

Click Send

Request Components

Query Parameters: Use the Params tab or add directly to URL:

https://api.example.com/users?page=2&limit=10

Headers:

Content-Type: application/json
Authorization: Bearer your-token-here
Accept: application/json

Path Variables:

https://api.example.com/users/:userId/posts/:postId

Postman prompts for values when you use :variableName syntax.

Authentication

Postman's Auth tab supports multiple types:

Type	Use Case
No Auth	Public APIs
API Key	Key in header or query param
Bearer Token	OAuth 2.0 access tokens
Basic Auth	Username/password
OAuth 2.0	Full OAuth flow with token refresh

Setting authentication at the collection level automatically applies it to all requests within that collection, reducing repetition.

Collections and Organization

Collections are folders for organizing related requests.

Creating a Collection

Click New → Collection
Name it (e.g., "User API Tests")
Add description (supports Markdown)
Configure collection-level settings:
- Variables
- Authorization
- Pre-request scripts
- Tests

Organizing Requests

Structure collections logically:

User API Tests/
├── Authentication/
│   ├── Login
│   ├── Logout
│   └── Refresh Token
├── Users/
│   ├── List Users
│   ├── Get User by ID
│   ├── Create User
│   ├── Update User
│   └── Delete User
└── User Preferences/
    ├── Get Preferences
    └── Update Preferences

Saving Requests

Build your request
Click Save
Choose collection and folder
Name the request descriptively

Naming conventions:

GET List Users - Action + Resource
POST Create Order - Method + Operation
DELETE Remove Item from Cart - Descriptive action

Variables and Environments

Variables make collections portable and maintainable.

Variable Scopes

Global → Collection → Environment → Local
(Lowest priority)           (Highest priority)

Scope	Use Case
Global	Values used everywhere
Collection	Collection-specific values
Environment	Environment-specific (dev/staging/prod)
Local	Request-specific, temporary values

Creating Environments

Click Environments in sidebar
Click + to create new
Add variables:

Development Environment:
  baseUrl: https://dev-api.example.com
  apiKey: dev-key-12345

Production Environment:
  baseUrl: https://api.example.com
  apiKey: prod-key-67890

Using Variables

Reference variables with double curly braces:

URL: {{baseUrl}}/users
Header: Authorization: Bearer {{apiKey}}
Body: {"email": "{{testEmail}}"}

Setting Variables in Scripts

// Set environment variable
pm.environment.set('userId', 123)
 
// Set collection variable
pm.collectionVariables.set('authToken', 'abc123')
 
// Set global variable
pm.globals.set('timestamp', Date.now())
 
// Get variable value
const baseUrl = pm.environment.get('baseUrl')

Writing Tests

Tests verify API responses automatically. Write them in the Tests tab using JavaScript.

Basic Test Structure

pm.test('Status code is 200', function () {
  pm.response.to.have.status(200)
})
 
pm.test('Response time is less than 500ms', function () {
  pm.expect(pm.response.responseTime).to.be.below(500)
})
 
pm.test('Content-Type is JSON', function () {
  pm.response.to.have.header('Content-Type', 'application/json; charset=utf-8')
})

Response Body Tests

// Parse JSON response
const response = pm.response.json()
 
pm.test('User name is correct', function () {
  pm.expect(response.name).to.eql('John Doe')
})
 
pm.test('Email contains @', function () {
  pm.expect(response.email).to.include('@')
})
 
pm.test('User has required fields', function () {
  pm.expect(response).to.have.property('id')
  pm.expect(response).to.have.property('name')
  pm.expect(response).to.have.property('email')
})
 
pm.test('Returns array of users', function () {
  pm.expect(response).to.be.an('array')
  pm.expect(response.length).to.be.above(0)
})

Schema Validation

const schema = {
  type: 'object',
  required: ['id', 'name', 'email'],
  properties: {
    id: { type: 'number' },
    name: { type: 'string' },
    email: { type: 'string', format: 'email' },
  },
}
 
pm.test('Response matches schema', function () {
  pm.expect(tv4.validate(pm.response.json(), schema)).to.be.true
})
 
// Or using ajv (more modern)
const Ajv = require('ajv')
const ajv = new Ajv()
const validate = ajv.compile(schema)
 
pm.test('Schema validation', function () {
  pm.expect(validate(pm.response.json())).to.be.true
})

Chaining Requests

Extract values from responses to use in subsequent requests:

// In first request's Tests tab
const response = pm.response.json()
 
// Save token for next request
pm.environment.set('authToken', response.token)
 
// Save created user ID
pm.environment.set('userId', response.id)

// In second request, use the variable
// Header: Authorization: Bearer {{authToken}}
// URL: {{baseUrl}}/users/{{userId}}

Pre-request Scripts

Execute JavaScript before the request is sent.

Dynamic Data Generation

// Generate random email
const randomEmail = `user${Date.now()}@test.com`
pm.environment.set('testEmail', randomEmail)
 
// Generate UUID
const uuid = require('uuid')
pm.environment.set('requestId', uuid.v4())
 
// Set timestamp
pm.environment.set('timestamp', new Date().toISOString())
 
// Random number in range
const randomId = Math.floor(Math.random() * 100) + 1
pm.environment.set('randomUserId', randomId)

Authentication Token Refresh

// Check if token is expired
const tokenExpiry = pm.environment.get('tokenExpiry')
const now = Date.now()
 
if (!tokenExpiry || now > tokenExpiry) {
  // Token expired, refresh it
  const refreshToken = pm.environment.get('refreshToken')
 
  pm.sendRequest(
    {
      url: pm.environment.get('baseUrl') + '/auth/refresh',
      method: 'POST',
      header: {
        'Content-Type': 'application/json',
      },
      body: {
        mode: 'raw',
        raw: JSON.stringify({ refreshToken }),
      },
    },
    function (err, response) {
      const data = response.json()
      pm.environment.set('authToken', data.accessToken)
      pm.environment.set('tokenExpiry', now + data.expiresIn * 1000)
    },
  )
}

Compute Signatures

// HMAC signature for API authentication
const crypto = require('crypto-js')
 
const timestamp = Date.now().toString()
const requestBody = pm.request.body ? pm.request.body.raw : ''
const message = timestamp + requestBody
const secret = pm.environment.get('apiSecret')
 
const signature = crypto.HmacSHA256(message, secret).toString()
 
pm.environment.set('timestamp', timestamp)
pm.environment.set('signature', signature)

Data-Driven Testing

Run the same requests with different data using CSV or JSON files.

CSV Data File

Create testdata.csv:

username,email,expectedStatus
validuser,valid@test.com,201
invaliduser,,400
duplicate,existing@test.com,409

JSON Data File

Create testdata.json:

[
  { "username": "validuser", "email": "valid@test.com", "expectedStatus": 201 },
  { "username": "invaliduser", "email": "", "expectedStatus": 400 },
  {
    "username": "duplicate",
    "email": "existing@test.com",
    "expectedStatus": 409
  }
]

Using Data in Requests

Body:
{
    "username": "{{username}}",
    "email": "{{email}}"
}

Tests:
pm.test("Status matches expected", function () {
    pm.expect(pm.response.code).to.eql(pm.iterationData.get("expectedStatus"));
});

Running with Data

Click Run on the collection
Select data file (CSV or JSON)
Set iterations (or leave auto to match data rows)
Click Run

Running Collections

Collection Runner

Click Run button on collection
Configure:
- Environment
- Iterations
- Delay between requests
- Data file
Click Run [Collection Name]

Newman (CLI Runner)

Newman runs Postman collections from the command line - essential for CI/CD:

# Install Newman
npm install -g newman
 
# Run a collection
newman run collection.json
 
# With environment
newman run collection.json -e environment.json
 
# With data file
newman run collection.json -d testdata.csv
 
# With reporters
newman run collection.json -r cli,html --reporter-html-export report.html
 
# CI-friendly options
newman run collection.json \
    --environment production.json \
    --iteration-count 1 \
    --bail \
    --reporters cli,junit \
    --reporter-junit-export results.xml

⚠️

Export collections and environments as JSON files for Newman. Use Export from the collection menu in Postman.

CI/CD Integration

GitHub Actions example:

name: API Tests
on: [push, pull_request]
 
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
 
      - name: Install Newman
        run: npm install -g newman newman-reporter-htmlextra
 
      - name: Run API Tests
        run: |
          newman run tests/collection.json \
            -e tests/environment.json \
            --reporters cli,htmlextra \
            --reporter-htmlextra-export report.html
 
      - name: Upload Report
        uses: actions/upload-artifact@v3
        with:
          name: api-test-report
          path: report.html

Team Collaboration

Workspaces

Workspaces organize work and control access:

Type	Visibility
Personal	Only you
Private	Invited members
Team	All team members
Public	Anyone on internet

Sharing Collections

Move collection to shared workspace, or
Use Share button to generate link
Export as JSON for version control

Version Control Best Practices

project/
├── postman/
│   ├── collections/
│   │   └── api-tests.json
│   ├── environments/
│   │   ├── development.json
│   │   ├── staging.json
│   │   └── production.json
│   └── data/
│       └── testdata.csv
├── .github/
│   └── workflows/
│       └── api-tests.yml
└── README.md

API Versioning Strategy

Maintain separate collections per API version
Use environment variables for version numbers
Document breaking changes in collection descriptions

Postman bridges the gap between manual API exploration and automated testing. By mastering collections, environments, and scripting, you can build comprehensive test suites that run locally during development and automatically in CI/CD pipelines.

Quiz on Postman

Your Score: 0/10

Question: What is the correct syntax for referencing a variable in Postman?

${variableName}{{variableName}}$(variableName)%variableName%

Continue Reading

Frequently Asked Questions (FAQs) / People Also Ask (PAA)

Is Postman free to use?

Can I use Postman for automated testing in CI/CD?

How do I share collections with my team?

What's the difference between environment and collection variables?

Can Postman generate API documentation?

How do I handle authentication that requires tokens from another request?

What libraries are available in Postman scripts?

Can I import API specs from Swagger/OpenAPI?

JSON Schema Validation Newman CLI