---
title: Postman collection-level authorization
description: Most APIs require authorization to ensure that client requests access data securely. Postman can pass along whatever authorization details are necessary for the method demanded by the endpoint. You can manually include authorization data in the header, body, or as parameters to a request. However, the easiest way is to use the Authorization tab in Postman. Select an authorization Type on that tab and Postman offers a dialog to gather the information required by that Type. When you run a request, Postman uses the information from the Authorization tab to automatically add the necessary authorization header, body, or parameters to the request.
component: pingone-api
page_id: pingone-api:foundations:authentication-concepts/postman-collection-level-authorization
canonical_url: https://developer.pingidentity.com/pingone-api/foundations/authentication-concepts/postman-collection-level-authorization.html
section_ids:
  unexpected-authorization-failure: Unexpected authorization failure
  obtain-a-bearer-token-before-running-requests: Obtain a Bearer Token before running requests
---

# Postman collection-level authorization

Most APIs require authorization to ensure that client requests access data securely. Postman can pass along whatever authorization details are necessary for the method demanded by the endpoint. You can manually include authorization data in the header, body, or as parameters to a request. However, the easiest way is to use the **Authorization** tab in Postman. Select an authorization **Type** on that tab and Postman offers a dialog to gather the information required by that **Type**. When you run a request, Postman uses the information from the **Authorization** tab to automatically add the necessary authorization header, body, or parameters to the request.

Postman offers the **Authorization** tab on requests, folders, and collections. When you select an authorization method on a request, that method is used. But Postman does not require that you set a method on every request. Postman offers an additional choice: `Inherit auth from parent`. When this is selected on a request, Postman ascends the hierarchy of folders until it finds a folder, or the collection, where an authorization method is selected and uses that method for the request.

In PingOne collections, the authorization method is defined at the collection level. Only those requests that require a specific authorization method have authorization defined on the request (roughly 10% of PingOne requests). This allows you to easily change the authorization used for most requests.

**Note:** PingOne collections are defined with the Authorization tab **Type** as `Bearer Token`. This method is easy to use in a development environment.

## Unexpected authorization failure

The default Authorization tab **Type** for a collection in Postman is `No Auth`. If you copy a request from a PingOne collection into your own collection and the request fails with an authorization error, check the Authorization tab of your collection. If **Type** is `No Auth`, you have two choices:

1. Change the Authorization tab in Postman for your collection to your choice of **Type**, such as [Bearer Token](postman-collection-level-authorization/bearer-token.html) or [OAuth 2.0](postman-collection-level-authorization/oauth-2.0.html).

2. Change the Authorization tab in Postman for the request you copied to your choice of **Type**.
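To find requests affected by this before you run them, you can resolve the inheritance chain over an exported collection. The following is an added example, not part of the PingOne documentation or collections; it assumes a Postman Collection v2.1 JSON export, and the function names, sample collection, and `{{accessToken}}` variable are constructed for illustration.

```javascript
// A request or folder with no `auth` object inherits from its parent
// ("Inherit auth from parent"); an explicit { type: "noauth" } is No Auth.
function walk(node, inherited, path, out) {
  for (const item of node.item || []) {
    const here = path.concat(item.name);
    if (Array.isArray(item.item)) {
      // Folder: its own auth, if set, is what everything below it inherits.
      walk(item, item.auth ? item.auth.type : inherited, here, out);
    } else {
      const own = item.request && item.request.auth;
      out.push({
        request: here.join(" / "),
        type: own ? own.type : inherited,
        source: own ? "request" : "inherited",
      });
    }
  }
  return out;
}

// A collection with no `auth` object behaves as No Auth (Postman's default).
function auditCollection(collection) {
  return walk(collection, collection.auth ? collection.auth.type : "noauth", [], []);
}

// Requests that would be sent without any credentials.
function unauthenticated(collection) {
  return auditCollection(collection)
    .filter((r) => r.type === "noauth")
    .map((r) => r.request);
}

// Constructed sample: a personal collection left at No Auth, holding one
// request copied from a collection that relied on collection-level auth.
const sample = {
  info: { name: "My collection (constructed)" },
  item: [
    { name: "Copied request", request: { method: "GET", url: "https://api.example.com/things" } },
    {
      name: "Admin folder",
      auth: { type: "bearer", bearer: [{ key: "token", value: "{{accessToken}}" }] },
      item: [
        { name: "List users", request: { method: "GET", url: "https://api.example.com/users" } },
        { name: "Get token", request: { method: "POST", url: "https://api.example.com/token", auth: { type: "basic" } } },
      ],
    },
  ],
};

console.table(auditCollection(sample));
```

Here only `Copied request` resolves to `noauth`; setting a **Type** on the collection or on that request, as in the two choices above, clears it from the `unauthenticated` list.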

## Obtain a Bearer Token before running requests

Before you can run requests in this documentation that use `Bearer Token` authorization from a selected coding framework (available in the drop-down list), you must retrieve an access token. To retrieve an access token:

1. Run [Token Admin App (client\_credentials)](../../auth/openid-connect-oauth-2/token-admin-app-client_credentials.html#post-token-admin-app-client_credentials).

2. Copy `access_token` from the response.

3. Use the access token in subsequent requests until it expires.

4. When the access token expires, repeat these steps to obtain a new one.
