Laravel Authorisation in Postman

Postman is a fantastic tool for testing API endpoints. If you’re developing an API project or web application in Laravel, either as part of a team, or on your own, there’s no doubt that Postman is an application you’ll want in your developers tool kit.

For those that don’t know, Postman is an API Development Environment, allowing you to hit your API endpoints and test the responses from your GET, PUT, POST and DELETE (and many more) request types.

If you’re developing a Laravel application that authenticates via a bearer token however, things can get a bit tricky. Authorisation is what makes your app secure, allowing you to control who can see what information.

The issue with authentication and Postman is that, if you have an API route that is protected by an Auth Guard (or some other form of Authorisation Middleware) you won’t be able to test that endpoint without any bearer token or authorisation header.

Not all is lost, however! There are a few tricks you can apply to your Postman environment to get around this.

The first step to making your life easier with auth and Postman is to set up an environment for your application or API project. Click on the cog wheel located to the top-right of your Postman window and create a new environment.

The beauty of environments in Postman, is that it allows you to create globally accessible variables that all your new requests can access. Click into your environment and set the following two global variables, then save and exit the dialog.

Now that you have these environment variables setup, we can use them as part of logging into my application, in order to make requests to other endpoints.

Create a new POST request to your login route. Mine will be:

https://social.app/login

Note I’m using a secure connection to my app. By default, Postman will check for SSL certificate verification. If you’re using https like me, then you’ll need to head over to the applications settings and turn this off.

In the Headers tab, you’ll need to send the Content-Type header parameter and ensure that it accepts application/json.

My login route accepts a username and a password input from a form I’ve built on the frontend. You’ll need to send this information to the server to log you in.

{
"email_address":"example@social.app",
"password":"password1234",
}

After running this, depending on what response you’ve set up in you LoginController, you should get back an access_token, refresh_token and the token_type.

Testing & Persistence

Another great feature of Postman, is that you have the ability to test your responses to make sure that you’re getting back what you expect, just like with PHPUnit. Except that with Postman, you can also use you tests to alter your environment variabls. If I wanted to test that I get back a 200 after I log in with valid user credentials, my test code would look something like this:

pm.test("Status code is 200", function () {
pm.response.to.have.status(200);
});

and if I wanted to check that I had received and access_token it would look similar to this:

pm.test("We get back a token type of Bearer", function () {
pm.expect(data.token_type).to.equal("Bearer");
});
pm.test("We get back an access token", function () {
pm.expect(data.access_token).to.not.equal("");
pm.expect(data.access_token).to.not.equal(null);
});

This checks two things. One is that we get back a Bearer token, not some other form of access token. The second test checks that the value for the access_token is not an empty string, and that we don’t get back a null value for the bearer token.

Persisting environment variables in Postman is easy and you can do it, by adding one line of code to one of our test scripts:

pm.test("Status code is 200", function () {
pm.response.to.have.status(200);
pm.environment.set("access_token", data.access_token);
});

Given that the status code is 200, set the access_token in our environment.

Voila! All you need to do is set the authorisation type in your request to Bearer Token and set the token to your environment variable {{access_token}}.

--

--

I’m a full stack developer, specialising in Laravel. I prefer to use React, especially with Next.is, but can also develop in Vue. I’m also an amateur guitarist.

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Joel Butcher

I’m a full stack developer, specialising in Laravel. I prefer to use React, especially with Next.is, but can also develop in Vue. I’m also an amateur guitarist.