postman

Original🇺🇸 English
Translated

Full API lifecycle management through Postman. Sync OpenAPI specs to collections, generate typed client code, run API tests, create mock servers, publish documentation, audit security against OWASP Top 10, and discover APIs across workspaces. Requires the Postman MCP Server. Use this skill when the user mentions Postman, API collections, syncing specs, generating SDKs, running API tests, creating mocks, API documentation, or API security audits. Triggers on tasks involving API development workflows, collection management, or any Postman-related operations.

2installs
Sourcepostman-devrel/agent-skills
Added on

NPX Install

npx skill4agent add postman-devrel/agent-skills postman

Tags

Translated version includes tags in frontmatter
postman-apiapi-lifecycleapi-testingmock-serversapi-security-audit

SKILL.md Content

View Translation Comparison →

Postman Agent Skill

Full API lifecycle management through the Postman MCP Server. Sync specs, generate code, run tests, create mocks, publish docs, and audit security.
Version: 2.0.1 Requires: Postman MCP Server

Prerequisites

This skill requires the Postman MCP Server to be configured. The MCP server exposes 111+ tools for interacting with Postman workspaces, collections, specs, environments, mocks, monitors, and more.
Setup check: Call 
getAuthenticatedUser
via MCP. If it succeeds, you're connected. If it fails, walk through Setup below.

Important: MCP Tool Behavior

Before using the workflows below, be aware of these behaviors:
  • getWorkspaces
    returns ALL workspaces.     For large organizations this can be 300KB+. If you already have a workspace ID, use 
    getWorkspace(workspaceId)
    directly instead.
  • getCollection
    default response is a lightweight map     with 
    itemRefs
    (folder/request tree). This is efficient for discovery. Only use 
    model=full
    when you need complete request/response bodies, and be aware it can exceed 300KB for large collections. Prefer targeted 
    getCollectionRequest
    and 
    getCollectionResponse
    calls for specific endpoints.
  • getTaggedEntities
    returns 404 for missing tags    , not an empty array. Handle this gracefully. Tag functionality may require an Enterprise plan.
  • runCollection
    returns aggregate results only     (total requests, passed, failed, duration). It does NOT return per-request detail or error messages. For debugging specific failures, examine individual requests with 
    getCollectionRequest
    and 
    getCollectionResponse
    after the run.
  • searchPostmanElements
    only searches the PUBLIC Postman network    , not private workspaces. Always search private workspace first with 
    getCollections
    .

Setup

If MCP tools are not available or 
getAuthenticatedUser
fails:
  1. Get a Postman API key:
  2. Set the environment variable:
    export POSTMAN_API_KEY=PMAK-your-key-here
    Add to 
    ~/.zshrc
    or 
    ~/.bashrc
    to persist.
  3. Verify: Call 
    getAuthenticatedUser
    . On success, call 
    getWorkspaces
    to list workspaces, then 
    getCollections
    with the workspace ID to count resources.
Present:
Connected as: <user name>

Your workspaces:
  - My Workspace (personal) - 12 collections, 3 specs
  - Team APIs (team) - 8 collections, 5 specs

You're all set.

Routing

When the user's request involves Postman or APIs, match their intent to the correct workflow below. Always prefer these structured workflows over raw MCP tool calls.
User IntentWorkflow
Import a spec, push spec to Postman, create collection from spec, sync, push changesSync Collections
Generate client code, SDK, wrapper, typed client, consume an APIGenerate Client Code
Find API, search endpoints, what's available, discover APIsDiscover APIs
Run tests, check if tests pass, validate API, test collectionRun Collection Tests
Create mock server, fake API, mock for frontend, mock URLCreate Mock Servers
Generate docs, improve documentation, publish docs, API docsAPI Documentation
Security audit, vulnerabilities, OWASP, security checkAPI Security Audit
Is my API agent-ready?, scan my API, analyze spec for AIUse the postman-api-readiness skill
Routing rules:
  1. Specific workflows take priority. If intent clearly maps to one, use it.
  2. Ambiguous requests: ask the user what they need.
  3. Multi-step requests chain workflows. "Import my spec and run tests" = Sync then Test.
  4. Only use 
    mcp__postman__*
    tools directly for single targeted updates or when the user explicitly asks.

Workflow: Sync Collections

Keep Postman collections in sync with API code. Create new collections from OpenAPI specs, update existing ones, or push endpoint changes.

Step 1: Understand What Changed

Detect or ask:
  • Is there a local OpenAPI spec? Search for 
    **/openapi.{json,yaml,yml}
    , 
    **/swagger.{json,yaml,yml}
  • Did the user add/remove/modify endpoints?
  • Is there an existing Postman collection to update, or do they need a new one?

Step 2: Resolve Workspace

If the user provides a workspace ID, call 
getWorkspace(workspaceId)
directly. Otherwise, call 
getCollections
with a workspace ID if known, or ask the user which workspace to use. Avoid calling 
getWorkspaces
(no filter) on large org accounts as it returns all workspaces (300KB+).

Step 3: Find or Create the Collection

Updating an existing collection:
  1. Call 
    getCollections
    with the 
    workspace
    parameter
  2. Match by name or ask which collection
  3. Call 
    getCollection
    to get current state
Creating from a spec:
  1. Read the local OpenAPI spec
  2. Call 
    createSpec
    with 
    workspaceId
    , 
    name
    , 
    type
    (one of 
    OPENAPI:2.0
    , 
    OPENAPI:3.0
    , 
    OPENAPI:3.1
    , 
    ASYNCAPI:2.0
    ), and 
    files
    (array of 
    {path, content}
    )
  3. Call 
    generateCollection
    from the spec. This is async (HTTP 202). Poll 
    getGeneratedCollectionSpecs
    or 
    getSpecCollections
    until complete.
  4. Call 
    createEnvironment
    with variables from the spec: 
    • base_url
      from 
      servers[0].url
    • Auth variables from 
      securitySchemes
      (mark as 
      secret
      )
    • Common path parameters

Step 4: Sync

Spec to Collection (most common):
  1. Call 
    createSpec
    or 
    updateSpecFile
    with local spec content
  2. Call 
    syncCollectionWithSpec
    to update the collection. Async (HTTP 202). Poll 
    getCollectionUpdatesTasks
    for completion.
  3. Note: 
    syncCollectionWithSpec
    only supports OpenAPI 3.0. For Swagger 2.0 or OpenAPI 3.1, use 
    updateSpecFile
    and regenerate via 
    generateCollection
    .
  4. Report what changed
Collection to Spec (reverse sync):
  1. Call 
    syncSpecWithCollection
    to update the spec from collection changes
  2. Write the updated spec back to the local file
Manual updates (no spec):
  1. createCollectionRequest
    to add new endpoints
  2. updateCollectionRequest
    to modify existing ones
  3. createCollectionFolder
    to organize by resource
  4. createCollectionResponse
    to add example responses

Step 5: Confirm

Collection synced: "Pet Store API" (15 requests)
  Added:    POST /pets/{id}/vaccinations
  Updated:  GET /pets - added 'breed' filter parameter
  Removed:  (none)

  Environment: "Pet Store - Development" updated
  Spec Hub: petstore-v3.1.0 pushed

Workflow: Generate Client Code

Generate typed client code from Postman collections. Reads private API definitions and writes production-ready code matching the project's conventions.

Step 1: Find the API

  1. If workspace ID is known, call 
    getWorkspace(workspaceId)
    to get the full inventory (collections, specs, environments) in one call. Otherwise ask the user which workspace.
  2. Call 
    getCollections
    with 
    workspace
    parameter. Use 
    name
    filter if specified.
  3. If no results in private workspace, fall back to 
    searchPostmanElements
    (public network only)
  4. Call 
    getCollection
    for the lightweight map (default, no 
    model
    param)
  5. Call 
    getSpecDefinition
    if a linked spec exists (richer type info)

Step 2: Understand the API Shape

For each relevant endpoint:
  1. Call 
    getCollectionFolder
    for resource grouping
  2. Call 
    getCollectionRequest
    for method, URL, headers, auth, body schema, parameters
  3. Call 
    getCollectionResponse
    for status codes, response shapes, error formats
  4. Call 
    getEnvironment
    for base URLs and variables
  5. Call 
    getCodeGenerationInstructions
    for Postman-specific codegen guidance

Step 3: Detect Project Language

If not specified, detect from the project:
  • package.json
    or 
    tsconfig.json
    -> TypeScript/JavaScript
  • requirements.txt
    or 
    pyproject.toml
    -> Python
  • go.mod
    -> Go
  • Cargo.toml
    -> Rust
  • pom.xml
    or 
    build.gradle
    -> Java
  • Gemfile
    -> Ruby

Step 3b: Check for Variable Mismatches

Compare collection variables with environment variables. Common issue: collection uses 
{{baseUrl}}
but environment defines 
base_url
(or vice versa). Flag any naming mismatches to the user before generating code, as these cause silent failures at runtime.

Step 4: Generate Code

Generate a typed client with:
  • Method per endpoint with proper parameters
  • Request/response types from collection schemas
  • Authentication handling from collection auth config
  • Error handling based on documented error responses
  • Environment-based configuration (base URL from env vars)
  • Pagination support if the API uses it
Code conventions:
  • Match the project's existing style (imports, formatting, naming)
  • Include JSDoc/docstrings from collection descriptions
  • Use the project's HTTP library if one exists (axios, fetch, requests, etc.)
  • Write to a sensible path (e.g., 
    src/clients/<api-name>.ts
    )

Step 5: Present

Generated: src/clients/users-api.ts

  Endpoints covered:
    GET    /users         -> getUsers(filters)
    POST   /users         -> createUser(data)
    GET    /users/{id}    -> getUser(id)
    PUT    /users/{id}    -> updateUser(id, data)
    DELETE /users/{id}    -> deleteUser(id)

  Types generated: User, CreateUserRequest, UpdateUserRequest, UserListResponse, ApiError
  Auth: Bearer token (from USERS_API_TOKEN env var)
  Base URL: from USERS_API_BASE_URL env var

Workflow: Discover APIs

Answer natural language questions about available APIs across Postman workspaces. Find endpoints, check response shapes, understand what's available.

Step 1: Search

  1. If workspace ID is known, call 
    getWorkspace(workspaceId)
    directly. Otherwise ask the user.
  2. Call 
    getCollections
    with 
    workspace
    parameter. Use 
    name
    filter to narrow.
  3. If sparse, broaden: 
    • searchPostmanElements
      as fallback (public network only, not private workspaces)
    • Note: 
      getTaggedEntities
      and 
      getCollectionTags
      may return 404/403 on non-Enterprise plans. Do not rely on these for discovery.

Step 2: Drill Into Results

For each relevant hit:
  1. getCollection
    for overview (default returns lightweight map with 
    itemRefs
    , not full payloads)
  2. Scan endpoint names from the map to identify relevant folders/requests
  3. getCollectionRequest
    for specific relevant endpoints (targeted, not bulk)
  4. getCollectionResponse
    for specific response data
  5. getSpecDefinition
    if linked spec exists

Step 3: Present

Found:
Yes, you can get a user's email via the API.

  Endpoint: GET /users/{id}
  Collection: "User Management API"
  Auth: Bearer token required

  Response includes:
    { "id": "usr_123", "email": "jane@example.com", "name": "Jane Smith" }

  Want me to generate a client for this API?
Not found: Show closest matches and explain why they don't match.
Multiple results: List collections with endpoint counts, ask which to explore.

Workflow: Run Collection Tests

Execute Postman collection tests, analyze results, diagnose failures, and suggest fixes.

Step 1: Find the Collection

  1. If workspace ID is known, call 
    getWorkspace(workspaceId)
    directly. Otherwise ask the user.
  2. Call 
    getCollections
    with 
    workspace
    parameter. Use 
    name
    filter if specified.

Step 2: Run Tests

Call 
runCollection
with the collection UID in 
OWNER_ID-UUID
format (from 
getCollection
response's 
uid
field).
If environment variables are needed:
  1. Call 
    getEnvironments
    to list available environments
  2. Ask which to use or detect from naming convention
  3. Pass the environment ID to 
    runCollection

Step 3: Parse Results

Note: 
runCollection
returns aggregate results only (total requests, passed/failed counts, duration). It does NOT include per-request detail. Present what's available:
Test Results: Pet Store API
  Requests:  15 executed
  Failed:    3
  Assertions: 24 total, 21 passed
  Duration:  12.4s
If tests failed and per-request detail is needed, examine the collection's test scripts and request definitions with 
getCollectionRequest
to help diagnose. The user may also need to check the Postman app or a monitor run for detailed failure logs.

Step 4: Diagnose Failures

For each failure:
  1. getCollectionRequest
    for full request definition
  2. getCollectionResponse
    for expected responses
  3. Check if API source code is in the current project
  4. Explain expected vs actual
  5. If code is local, find the handler and suggest the fix

Step 5: Fix and Re-run

After fixing: offer to re-run and show before/after comparison.

Step 6: Update Collection (if needed)

If the tests themselves need updating:
  • updateCollectionRequest
    to fix request bodies, headers, or test scripts
  • updateCollectionResponse
    to update expected responses

Workflow: Create Mock Servers

Spin up a Postman mock server from a collection or spec. Get a working mock URL for frontend development, integration testing, or demos.

Step 1: Find the Source

If workspace ID is known, call 
getWorkspace(workspaceId)
directly. Otherwise ask the user.
From existing collection: 
getCollections
with workspace ID -> select target collection
From local spec: Import first:
  1. createSpec
    with workspace, name, type, files
  2. generateCollection
    . Async (HTTP 202). Poll 
    getGeneratedCollectionSpecs
    or 
    getSpecCollections
    for completion.

Step 2: Check for Examples

Mock servers serve example responses. Call 
getCollection
and check if requests have saved responses.
If missing, generate realistic examples:
  1. getCollectionRequest
    for each request's schema
  2. Generate realistic example response from the schema
  3. createCollectionResponse
    to save the example

Step 3: Check for Existing Mocks

Call 
getMocks
to check if one already exists for this collection. If found, present its URL. Only create new if none exists or explicitly requested.

Step 4: Create Mock Server

Call 
createMock
with:
  • Workspace ID
  • Collection UID in 
    ownerId-collectionId
    format (from 
    getCollection
    response's 
    uid
    field)
  • Environment ID (if applicable)
  • Name: 
    <api-name> Mock
  • Private: false (or true if preferred)

Step 5: Present

Mock server created: "Pet Store API Mock"
  URL: https://<mock-id>.mock.pstmn.io
  Status: Active

  Try it:
    curl https://<mock-id>.mock.pstmn.io/pets
    curl https://<mock-id>.mock.pstmn.io/pets/1
    curl -X POST https://<mock-id>.mock.pstmn.io/pets -d '{"name":"Buddy"}'

  The mock serves example responses from your collection.
  Update examples in Postman to change mock behavior.

Step 6: Integration

Quick integration:
  # Add to your project .env
  API_BASE_URL=https://<mock-id>.mock.pstmn.io

  # Or in your frontend config
  const API_URL = process.env.API_BASE_URL || 'https://<mock-id>.mock.pstmn.io';

Step 7: Publish (optional)

If the user wants public access:
  • publishMock
    for unauthenticated access (demos, hackathons, public docs)
  • unpublishMock
    to make private again

Workflow: API Documentation

Analyze, improve, and publish API documentation from OpenAPI specs and Postman collections.

Step 1: Find the Source

Check for API definitions in order:
Local specs: Search for 
**/openapi.{json,yaml,yml}
, 
**/swagger.{json,yaml,yml}
Postman specs: 
getAllSpecs
with workspace ID, then 
getSpecDefinition
for full spec
Postman collections: 
getCollections
then 
getCollection
for full detail

Step 2: Analyze Completeness

Documentation Coverage: 60%
  Endpoints with descriptions:     8/15
  Parameters with descriptions:    22/45
  Endpoints with examples:         3/15
  Error responses documented:      2/15
  Authentication documented:       Yes
  Rate limits documented:          No

Step 3: Generate or Improve

Sparse spec: Generate documentation for each endpoint (summaries, parameter tables, request/response schemas, examples, error docs, auth requirements).
Partial spec: Fill gaps (add missing descriptions inferred from naming/schemas, generate realistic examples, add error responses, document auth and rate limits).

Step 4: Apply Changes

Ask the user which output:
  1. Update the spec file - Write improved docs back into OpenAPI spec
  2. Update in Postman - 
    updateCollectionRequest
    to add descriptions and examples
  3. Publish public docs - 
    publishDocumentation
    with collection ID, returns public URL. 
    unpublishDocumentation
    to take down.
  4. Generate markdown - Create 
    docs/api-reference.md
    for the project

Step 5: Sync

If both spec and collection exist, keep in sync:
  • syncCollectionWithSpec
    to update collection from spec (async, OpenAPI 3.0 only)
  • syncSpecWithCollection
    to update spec from collection changes

Workflow: API Security Audit

Audit APIs for security issues against OWASP API Security Top 10. Works with local OpenAPI specs and Postman collections.

Step 1: Find the Source

Local spec: Search for OpenAPI/Swagger files in the project
Postman spec: 
getAllSpecs
then 
getSpecDefinition
Postman collection: 
getCollections
then 
getCollection
including auth config. Also 
getEnvironment
to check for exposed secrets.

Step 2: Run Security Checks

Authentication and Authorization:
  • Security schemes defined (OAuth2, API Key, Bearer, etc.)
  • Security applied globally or per-endpoint
  • No accidentally unprotected endpoints
  • OAuth2 scopes defined and appropriate
  • Admin endpoints have elevated auth
Transport Security:
  • All server URLs use HTTPS
  • No mixed HTTP/HTTPS
Sensitive Data Exposure:
  • No API keys, tokens, or passwords in example values
  • No secrets in query parameters (should be headers/body)
  • Password fields marked as 
    format: password
  • PII fields identified
  • Postman environment variables checked for leaked secrets (via 
    getEnvironment
    )
Input Validation:
  • All parameters have defined types
  • String parameters have 
    maxLength
  • Numeric parameters have 
    minimum
    /
    maximum
  • Array parameters have 
    maxItems
  • Enum values used where applicable
  • Request body has required field validation
Rate Limiting:
  • Rate limits documented
  • Rate limit headers defined (X-RateLimit-Limit, X-RateLimit-Remaining)
  • 429 response defined
Error Handling:
  • Error responses don't leak stack traces
  • Error schemas don't expose internal field names
  • 401 and 403 responses properly defined
OWASP API Top 10:
  • API1: Broken Object Level Authorization
  • API2: Broken Authentication
  • API3: Broken Object Property Level Authorization
  • API4: Unrestricted Resource Consumption
  • API5: Broken Function Level Authorization
  • API6: Unrestricted Access to Sensitive Business Flows
  • API7: Server Side Request Forgery
  • API8: Security Misconfiguration
  • API9: Improper Inventory Management
  • API10: Unsafe Consumption of APIs

Step 3: Present Results

API Security Audit: pet-store-api.yaml

  CRITICAL (2):
    SEC-001: 3 endpoints have no security scheme applied
      - GET /admin/users
      - DELETE /admin/users/{id}
      - PUT /admin/config
    SEC-002: Server URL uses HTTP (http://api.example.com)

  HIGH (3):
    SEC-003: No rate limiting documentation or 429 response
    SEC-004: API key sent as query parameter (use header instead)
    SEC-005: No maxLength on 8 string inputs (injection risk)

  MEDIUM (2):
    SEC-006: Password field visible in GET /users/{id} response
    SEC-007: Environment variable 'db_password' not marked secret

  Score: 48/100 - Significant Issues

Step 4: Fix

For each finding:
  1. Explain the security risk in plain terms
  2. Show the exact spec change needed
  3. Apply the fix with user approval
For Postman-specific issues:
  • putEnvironment
    to mark secrets properly
  • updateCollectionRequest
    to fix auth configuration
  • updateCollectionResponse
    to remove sensitive data from examples

Step 5: Re-audit

After fixes, re-run to show improvement.

Error Handling

These patterns apply across all workflows:
ErrorResponse
MCP tools not available"The Postman MCP Server isn't configured. Set your POSTMAN_API_KEY environment variable and restart your editor."
401 Unauthorized"Your Postman API key was rejected. Generate a new one at https://postman.postman.co/settings/me/api-keys"
Network timeoutRetry once. Check https://status.postman.com for outages.
Async operation stuckIf polling shows no progress after 30 seconds, inform user and suggest checking Postman app directly.
Collection not found"No collection matching that name. Try discovering APIs across your workspace."
Empty collection"This collection has no requests. Add endpoints in Postman or sync from a local spec."
Invalid specReport specific parse errors with line numbers. Offer to fix common YAML/JSON syntax issues.
Plan limitations"Some features may require a paid Postman plan. Core operations work on all plans."

MCP Tool Reference

See 
references/mcp-tools.md
for the complete tool catalog and 
references/mcp-limitations.md
for known limitations and workarounds.