Can I Publish my Collection's Documentation But Restrict Who Can Access It?

We’ve built out our documentation using Postman and are publishing it to a custom domain. Is there a way to only allow certain people to access the documentation?

Hi @amanda! At this time no, this is not possible. Here’s a statement from @abhinav, our CEO, about it:

Documentation is not a static HTML/CSS page that we can publish. There are several other systems that will complement docs as part of the full SaaS offering for Pro/Enterprise (annotations, versioning, real-time collaboration etc.). We’ll re-open this thread if plans change. I’d recommend using an external library for converting and hosting docs privately if needed.

If anything changes, we’ll be sure to publish it here and on our public roadmap! :sparkles:

We have the same need.

But I failed to get the reasoning here. “Documentation is not a static HTML/CSS page that we can publish” does not imply “It can not be password-protected”.
That would be a very valuable feature for our company.

Would it be possible, at least, to create Postman users with doc-only access? These users should not be charged, as they are not really team users.


@amanda did you find a solution? There is a feature request (Documentation Password Protection) but it is stuck. We are thinking of moving away from Postman for the lack of this feature.

Guys, I fixed it with some NGINX configuration and Basic Auth. I set the TXT record provided by Postman for my domain in the DNS resolver (Bind, Route53, …) and handle the CNAME record redirection with NGINX.

For example, if you have a subdomain (e.g. docs.example.com) where you want to show your Postman published collections, you should set a CNAME record which points to your host instead of phs.getpostman.com, so we can handle it with NGINX rather than the DNS resolver.

So now create an NGINX conf in /etc/nginx/conf.d or wherever you installed NGINX:

You can check this configuration in my GitHub gist: https://gist.github.com/alshf89/8a7f34a13e87302306c7810406fba4a9

# If you want to set up with SSL
server {
    listen       443 ssl;
    listen       [::]:443 ssl;
    server_name  docs.example.com;

    # SSL Configuration
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 10m;
    ssl_certificate /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5;

    auth_basic  "Restricted Area";
    auth_basic_user_file /path/to/.htpasswd;

    location / {
        proxy_pass  https://phs.getpostman.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_intercept_errors on;
    }
}

# If you want to set up without SSL
server {
    listen       80;
    listen       [::]:80;
    server_name  docs.example.com;

    auth_basic  "Restricted Area";
    auth_basic_user_file /path/to/.htpasswd;

    location / {
        proxy_pass  https://phs.getpostman.com;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_http_version 1.1;
        proxy_intercept_errors on;
    }
}

Hope it helps someone.
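
A hardened variant of the configuration in the post above, as an added example that is not part of the original post or the gist: port 80 only redirects to HTTPS so the Basic Auth password is never sent in cleartext, TLS 1.0/1.1 are dropped, and the Authorization header is stripped before the request is proxied to Postman. The hostname and file paths are the post's own placeholders.

```nginx
# Added example, not the original author's config.
# docs.example.com and the /path/to/... values are placeholders from the post.

# Plain HTTP never serves content or asks for credentials; it only redirects.
server {
    listen       80;
    listen       [::]:80;
    server_name  docs.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen       443 ssl;
    listen       [::]:443 ssl;
    server_name  docs.example.com;

    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    ssl_session_cache   shared:SSL:1m;
    ssl_session_timeout 10m;
    # TLS 1.0 and 1.1 are deprecated (RFC 8996).
    # TLSv1.3 requires nginx 1.13.0+ built with OpenSSL 1.1.1+.
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_ciphers         HIGH:!aNULL:!MD5;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    auth_basic           "Restricted Area";
    auth_basic_user_file /path/to/.htpasswd;

    location / {
        proxy_pass  https://phs.getpostman.com;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # nginx forwards request headers upstream by default; an empty value
        # drops this one, so the Basic Auth credentials checked here are not
        # sent on to the third-party upstream.
        proxy_set_header Authorization "";
        proxy_intercept_errors on;
    }
}
```

Create the password file with `htpasswd -c /path/to/.htpasswd <user>` and run `nginx -t` before reloading. The password prompt only applies to requests that pass through this proxy host.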

@alshf89 Thanks for sharing this! Greatly appreciated!

We were looking at the exact same thing. I’ve made a docker image to make it a bit easier to deploy (I’ll share the image when everything is working).

However… I just published the documentation and I noticed something in the success message in Postman. Perhaps you’ve also seen this?

Besides the custom URL, Postman is also showing a public URL like so:
https://documenter.getpostman.com/view/12345678/ABCX1235

I’ve Googled the domain and these are definitely getting indexed so that would be defeating the authentication purpose.

So… question is: what now?

I’ve also been experimenting with a way to export the collection JSON to HTML using various tools:


But that means you would need to rebuild the documentation every time you make a change. Of course that could be automated too, but still it makes everything more cumbersome.

@alshf89

In addition, here’s where I first noticed the link (of course after doing all the work first…), it’s tucked away in the pop-over notification which only appears for a brief moment. You should see it after publishing or re-publishing:

[Image: Hidden Link]

“public documentation” has the https://documenter.getpostman.com/… link.