Postman Agent Skill
Full API lifecycle management through the Postman MCP Server. Sync specs, generate code, run tests, create mocks, publish docs, and audit security.
Version: 2.0.1
Requires: Postman MCP Server
Prerequisites
This skill requires the Postman MCP Server to be configured. The MCP server exposes 111+ tools for interacting with Postman workspaces, collections, specs, environments, mocks, monitors, and more.
Setup check: Call
via MCP. If it succeeds, you're connected. If it fails, walk through Setup below.
Important: MCP Tool Behavior
Before using the workflows below, be aware of these behaviors:
- returns ALL workspaces. For large organizations this can be 300KB+. If you already have a workspace ID, use
getWorkspace(workspaceId)
- default response is a lightweight map with (folder/request tree). This is efficient for discovery. Only use when you need complete request/response bodies, and be aware it can exceed 300KB for large collections. Prefer targeted and calls for specific endpoints.
- returns 404 for missing tags, not an empty array. Handle this gracefully. Tag functionality may require an Enterprise plan.
- returns aggregate results only (total requests, passed, failed, duration). It does NOT return per-request detail or error messages. For debugging specific failures, examine individual requests with and after the run.
- only searches the PUBLIC Postman network, not private workspaces. Always search private workspace first with .
Setup
If MCP tools are not available or
fails:
-
Get a Postman API key:
- Go to https://postman.postman.co/settings/me/api-keys
- Click "Generate API Key", name it "Claude Code"
- Copy the key (starts with PMAK-)
-
Set the environment variable:
export POSTMAN_API_KEY=PMAK-your-key-here
-
Verify: Call
. On success, call
to list workspaces, then
with the workspace ID to count resources.
Present:
Connected as: <user name>
Your workspaces:
- My Workspace (personal) - 12 collections, 3 specs
- Team APIs (team) - 8 collections, 5 specs
You're all set.
Routing
When the user's request involves Postman or APIs, match their intent to the correct workflow below. Always prefer these structured workflows over raw MCP tool calls.
| User Intent | Workflow |
|---|
| Import a spec, push spec to Postman, create collection from spec, sync, push changes | Sync Collections |
| Generate client code, SDK, wrapper, typed client, consume an API | Generate Client Code |
| Find API, search endpoints, what's available, discover APIs | Discover APIs |
| Run tests, check if tests pass, validate API, test collection | Run Collection Tests |
| Create mock server, fake API, mock for frontend, mock URL | Create Mock Servers |
| Generate docs, improve documentation, publish docs, API docs | API Documentation |
| Security audit, vulnerabilities, OWASP, security check | API Security Audit |
| Is my API agent-ready?, scan my API, analyze spec for AI | Use the postman-api-readiness skill |
Routing rules:
- Specific workflows take priority. If intent clearly maps to one, use it.
- Ambiguous requests: ask the user what they need.
- Multi-step requests chain workflows. "Import my spec and run tests" = Sync then Test.
- Only use tools directly for single targeted updates or when the user explicitly asks.
Workflow: Sync Collections
Keep Postman collections in sync with API code. Create new collections from OpenAPI specs, update existing ones, or push endpoint changes.
Step 1: Understand What Changed
Detect or ask:
- Is there a local OpenAPI spec? Search for
**/openapi.{json,yaml,yml}
**/swagger.{json,yaml,yml}
- Did the user add/remove/modify endpoints?
- Is there an existing Postman collection to update, or do they need a new one?
Step 2: Resolve Workspace
If the user provides a workspace ID, call
getWorkspace(workspaceId)
directly. Otherwise, call
with a workspace ID if known, or ask the user which workspace to use. Avoid calling
(no filter) on large org accounts as it returns all workspaces (300KB+).
Step 3: Find or Create the Collection
Updating an existing collection:
- Call with the parameter
- Match by name or ask which collection
- Call to get current state
Creating from a spec:
- Read the local OpenAPI spec
- Call with , , (one of , , , ), and (array of )
- Call from the spec. This is async (HTTP 202). Poll
getGeneratedCollectionSpecs
- Call with variables from the spec:
- from
- Auth variables from (mark as )
- Common path parameters
Step 4: Sync
Spec to Collection (most common):
- Call or with local spec content
- Call to update the collection. Async (HTTP 202). Poll
getCollectionUpdatesTasks
- Note: only supports OpenAPI 3.0. For Swagger 2.0 or OpenAPI 3.1, use and regenerate via .
- Report what changed
Collection to Spec (reverse sync):
- Call to update the spec from collection changes
- Write the updated spec back to the local file
Manual updates (no spec):
- to add new endpoints
- to modify existing ones
- to organize by resource
- to add example responses
Step 5: Confirm
Collection synced: "Pet Store API" (15 requests)
Added: POST /pets/{id}/vaccinations
Updated: GET /pets - added 'breed' filter parameter
Removed: (none)
Environment: "Pet Store - Development" updated
Spec Hub: petstore-v3.1.0 pushed
Workflow: Generate Client Code
Generate typed client code from Postman collections. Reads private API definitions and writes production-ready code matching the project's conventions.
Step 1: Find the API
- If workspace ID is known, call
getWorkspace(workspaceId)
- Call with parameter. Use filter if specified.
- If no results in private workspace, fall back to (public network only)
- Call for the lightweight map (default, no param)
- Call if a linked spec exists (richer type info)
Step 2: Understand the API Shape
For each relevant endpoint:
- Call for resource grouping
- Call for method, URL, headers, auth, body schema, parameters
- Call for status codes, response shapes, error formats
- Call for base URLs and variables
- Call
getCodeGenerationInstructions
Step 3: Detect Project Language
If not specified, detect from the project:
- or -> TypeScript/JavaScript
- or -> Python
- -> Go
- -> Rust
- or -> Java
- -> Ruby
Step 3b: Check for Variable Mismatches
Compare collection variables with environment variables. Common issue: collection uses
but environment defines
(or vice versa). Flag any naming mismatches to the user before generating code, as these cause silent failures at runtime.
Step 4: Generate Code
Generate a typed client with:
- Method per endpoint with proper parameters
- Request/response types from collection schemas
- Authentication handling from collection auth config
- Error handling based on documented error responses
- Environment-based configuration (base URL from env vars)
- Pagination support if the API uses it
Code conventions:
- Match the project's existing style (imports, formatting, naming)
- Include JSDoc/docstrings from collection descriptions
- Use the project's HTTP library if one exists (axios, fetch, requests, etc.)
- Write to a sensible path (e.g.,
src/clients/<api-name>.ts
Step 5: Present
Generated: src/clients/users-api.ts
Endpoints covered:
GET /users -> getUsers(filters)
POST /users -> createUser(data)
GET /users/{id} -> getUser(id)
PUT /users/{id} -> updateUser(id, data)
DELETE /users/{id} -> deleteUser(id)
Types generated: User, CreateUserRequest, UpdateUserRequest, UserListResponse, ApiError
Auth: Bearer token (from USERS_API_TOKEN env var)
Base URL: from USERS_API_BASE_URL env var
Workflow: Discover APIs
Answer natural language questions about available APIs across Postman workspaces. Find endpoints, check response shapes, understand what's available.
Step 1: Search
- If workspace ID is known, call
getWorkspace(workspaceId)
- Call with parameter. Use filter to narrow.
- If sparse, broaden:
- as fallback (public network only, not private workspaces)
- Note: and may return 404/403 on non-Enterprise plans. Do not rely on these for discovery.
Step 2: Drill Into Results
For each relevant hit:
- for overview (default returns lightweight map with , not full payloads)
- Scan endpoint names from the map to identify relevant folders/requests
- for specific relevant endpoints (targeted, not bulk)
- for specific response data
- if linked spec exists
Step 3: Present
Found:
Yes, you can get a user's email via the API.
Endpoint: GET /users/{id}
Collection: "User Management API"
Auth: Bearer token required
Response includes:
{ "id": "usr_123", "email": "jane@example.com", "name": "Jane Smith" }
Want me to generate a client for this API?
Not found: Show closest matches and explain why they don't match.
Multiple results: List collections with endpoint counts, ask which to explore.
Workflow: Run Collection Tests
Execute Postman collection tests, analyze results, diagnose failures, and suggest fixes.
Step 1: Find the Collection
- If workspace ID is known, call
getWorkspace(workspaceId)
- Call with parameter. Use filter if specified.
Step 2: Run Tests
Call
with the collection UID in
format (from
response's
field).
If environment variables are needed:
- Call to list available environments
- Ask which to use or detect from naming convention
- Pass the environment ID to
Step 3: Parse Results
Note: returns aggregate results only (total requests, passed/failed counts, duration). It does NOT include per-request detail. Present what's available:
Test Results: Pet Store API
Requests: 15 executed
Failed: 3
Assertions: 24 total, 21 passed
Duration: 12.4s
If tests failed and per-request detail is needed, examine the collection's test scripts and request definitions with
to help diagnose. The user may also need to check the Postman app or a monitor run for detailed failure logs.
Step 4: Diagnose Failures
For each failure:
- for full request definition
- for expected responses
- Check if API source code is in the current project
- Explain expected vs actual
- If code is local, find the handler and suggest the fix
Step 5: Fix and Re-run
After fixing: offer to re-run and show before/after comparison.
Step 6: Update Collection (if needed)
If the tests themselves need updating:
- to fix request bodies, headers, or test scripts
- to update expected responses
Workflow: Create Mock Servers
Spin up a Postman mock server from a collection or spec. Get a working mock URL for frontend development, integration testing, or demos.
Step 1: Find the Source
If workspace ID is known, call
getWorkspace(workspaceId)
directly. Otherwise ask the user.
From existing collection: with workspace ID -> select target collection
From local spec: Import first:
- with workspace, name, type, files
- . Async (HTTP 202). Poll
getGeneratedCollectionSpecs
Step 2: Check for Examples
Mock servers serve example responses. Call
and check if requests have saved responses.
If missing, generate realistic examples:
- for each request's schema
- Generate realistic example response from the schema
- to save the example
Step 3: Check for Existing Mocks
Call
to check if one already exists for this collection. If found, present its URL. Only create new if none exists or explicitly requested.
Step 4: Create Mock Server
- Workspace ID
- Collection UID in format (from response's field)
- Environment ID (if applicable)
- Name:
- Private: false (or true if preferred)
Step 5: Present
Mock server created: "Pet Store API Mock"
URL: https://<mock-id>.mock.pstmn.io
Status: Active
Try it:
curl https://<mock-id>.mock.pstmn.io/pets
curl https://<mock-id>.mock.pstmn.io/pets/1
curl -X POST https://<mock-id>.mock.pstmn.io/pets -d '{"name":"Buddy"}'
The mock serves example responses from your collection.
Update examples in Postman to change mock behavior.
Step 6: Integration
Quick integration:
# Add to your project .env
API_BASE_URL=https://<mock-id>.mock.pstmn.io
# Or in your frontend config
const API_URL = process.env.API_BASE_URL || 'https://<mock-id>.mock.pstmn.io';
Step 7: Publish (optional)
If the user wants public access:
- for unauthenticated access (demos, hackathons, public docs)
- to make private again
Workflow: API Documentation
Analyze, improve, and publish API documentation from OpenAPI specs and Postman collections.
Step 1: Find the Source
Check for API definitions in order:
Local specs: Search for
**/openapi.{json,yaml,yml}
,
**/swagger.{json,yaml,yml}
Postman specs: with workspace ID, then
for full spec
Postman collections: then
for full detail
Step 2: Analyze Completeness
Documentation Coverage: 60%
Endpoints with descriptions: 8/15
Parameters with descriptions: 22/45
Endpoints with examples: 3/15
Error responses documented: 2/15
Authentication documented: Yes
Rate limits documented: No
Step 3: Generate or Improve
Sparse spec: Generate documentation for each endpoint (summaries, parameter tables, request/response schemas, examples, error docs, auth requirements).
Partial spec: Fill gaps (add missing descriptions inferred from naming/schemas, generate realistic examples, add error responses, document auth and rate limits).
Step 4: Apply Changes
Ask the user which output:
- Update the spec file - Write improved docs back into OpenAPI spec
- Update in Postman - to add descriptions and examples
- Publish public docs - with collection ID, returns public URL. to take down.
- Generate markdown - Create for the project
Step 5: Sync
If both spec and collection exist, keep in sync:
- to update collection from spec (async, OpenAPI 3.0 only)
- to update spec from collection changes
Workflow: API Security Audit
Audit APIs for security issues against OWASP API Security Top 10. Works with local OpenAPI specs and Postman collections.
Step 1: Find the Source
Local spec: Search for OpenAPI/Swagger files in the project
Postman collection: then
including auth config. Also
to check for exposed secrets.
Step 2: Run Security Checks
Authentication and Authorization:
- Security schemes defined (OAuth2, API Key, Bearer, etc.)
- Security applied globally or per-endpoint
- No accidentally unprotected endpoints
- OAuth2 scopes defined and appropriate
- Admin endpoints have elevated auth
Transport Security:
- All server URLs use HTTPS
- No mixed HTTP/HTTPS
Sensitive Data Exposure:
- No API keys, tokens, or passwords in example values
- No secrets in query parameters (should be headers/body)
- Password fields marked as
- PII fields identified
- Postman environment variables checked for leaked secrets (via )
Input Validation:
- All parameters have defined types
- String parameters have
- Numeric parameters have /
- Array parameters have
- Enum values used where applicable
- Request body has required field validation
Rate Limiting:
- Rate limits documented
- Rate limit headers defined (X-RateLimit-Limit, X-RateLimit-Remaining)
- 429 response defined
Error Handling:
- Error responses don't leak stack traces
- Error schemas don't expose internal field names
- 401 and 403 responses properly defined
OWASP API Top 10:
- API1: Broken Object Level Authorization
- API2: Broken Authentication
- API3: Broken Object Property Level Authorization
- API4: Unrestricted Resource Consumption
- API5: Broken Function Level Authorization
- API6: Unrestricted Access to Sensitive Business Flows
- API7: Server Side Request Forgery
- API8: Security Misconfiguration
- API9: Improper Inventory Management
- API10: Unsafe Consumption of APIs
Step 3: Present Results
API Security Audit: pet-store-api.yaml
CRITICAL (2):
SEC-001: 3 endpoints have no security scheme applied
- GET /admin/users
- DELETE /admin/users/{id}
- PUT /admin/config
SEC-002: Server URL uses HTTP (http://api.example.com)
HIGH (3):
SEC-003: No rate limiting documentation or 429 response
SEC-004: API key sent as query parameter (use header instead)
SEC-005: No maxLength on 8 string inputs (injection risk)
MEDIUM (2):
SEC-006: Password field visible in GET /users/{id} response
SEC-007: Environment variable 'db_password' not marked secret
Score: 48/100 - Significant Issues
Step 4: Fix
For each finding:
- Explain the security risk in plain terms
- Show the exact spec change needed
- Apply the fix with user approval
For Postman-specific issues:
- to mark secrets properly
- to fix auth configuration
- to remove sensitive data from examples
Step 5: Re-audit
After fixes, re-run to show improvement.
Error Handling
These patterns apply across all workflows:
| Error | Response |
|---|
| MCP tools not available | "The Postman MCP Server isn't configured. Set your POSTMAN_API_KEY environment variable and restart your editor." |
| 401 Unauthorized | "Your Postman API key was rejected. Generate a new one at https://postman.postman.co/settings/me/api-keys" |
| Network timeout | Retry once. Check https://status.postman.com for outages. |
| Async operation stuck | If polling shows no progress after 30 seconds, inform user and suggest checking Postman app directly. |
| Collection not found | "No collection matching that name. Try discovering APIs across your workspace." |
| Empty collection | "This collection has no requests. Add endpoints in Postman or sync from a local spec." |
| Invalid spec | Report specific parse errors with line numbers. Offer to fix common YAML/JSON syntax issues. |
| Plan limitations | "Some features may require a paid Postman plan. Core operations work on all plans." |
MCP Tool Reference
See
for the complete tool catalog and
references/mcp-limitations.md
for known limitations and workarounds.