How should personal credentials be used with shared collections/workspaces?

collections
security
teams

#1

Teams often need to share collections among users, with each user having his/her own credentials to access the API. In this case, updates to the collection (the API definition/workflow) should be synced across users, but the private credentials should not.

Since everything in shared workspaces is shared, the recommended workflow here is to utilize sessions (https://learning.getpostman.com/docs/postman/environments_and_globals/sessions/). Sessions let each user use the ‘current value’ column in the environment which isn’t shared with anyone. The ‘initial value’ for variables can be set to something like <insert your personal key here>. Since only ‘initial values’ are synced to workspace members, users can safely rely on the ‘current value’ to protect their personal credentials.

Alternatively, each user can share relevant collections from the shared team workspace into their personal workspace. This will mean that the collection will continue to receive updates made by other users (since it’s shared), but environments created in the personal workspace will not be shared (and be private to the user who created them).


#2

This might be a good case to use global variables. Each user can setup their own credentials for themselves and they wont be shared. It would just have to be known that the User/Password would be coming from the Global instead of the Environment. It might not be best practice but it would certainly work.