How to Blur Postman During Screen Sharing (Hide API Keys, Tokens & Secrets)
Demoing an API in Postman on a call? Here's how to hide Authorization headers, Bearer tokens, environment secrets, API keys in params and customer PII in Postman for the web before you share your screen — and why Scan is a great first pass.
To hide API keys, tokens and secrets in Postman on the web during a screen share, run Scan for a one-click sweep of the token and key patterns, then blur anything else by hand before you present — the Authorization header and Bearer tokens, environment variables, keys in query params, and response bodies with customer data. BlurFirst paints each blur into the page as real pixels, so it survives Zoom, Google Meet, Microsoft Teams, Loom, OBS and any recorder.
One important caveat: this works on Postman for the web at `go.postman.co`, which runs inside your browser tab, so BlurFirst applies. The desktop app is a native application, not a web page, so a browser extension can't reach it — use the web app when you need to present safely. Start blurring with Ctrl/⌘ ⇧ Y and keep the panic hotkey Ctrl/⌘ ⇧ H ready.
What Postman puts on screen that shouldn't be shared
- Authorization headers and Bearer tokens — the Authorization tab and the Headers tab show values like
Bearer eyJhbGciOi…orBasic …in full. - Environment variables holding secrets — the CURRENT VALUE column under Environments exposes tokens and keys; the eye toggle reveals masked ones.
- API keys in params — keys passed as query params (
?api_key=…) or in the Params tab, visible right in the URL. - Request and response bodies with PII — customer names, emails and card numbers in a JSON body after you hit Send.
- Base URLs of private services — internal hostnames in the address field and in collection variables that reveal your infrastructure.
- Saved credentials in the collection — collection- or folder-level Authorization,
{{token}}variables, and secrets hard-coded in pre-request scripts.
Blur Postman on the web before a demo
- 1
Open Postman at go.postman.co
Use the web app, not the desktop app — an in-browser extension can only reach the browser tab. Open the request or collection you'll present.
- 2
Run Scan to catch tokens, keys and PII
One click runs Scan (Pro), which detects API keys, tokens, email addresses, phone numbers and card numbers locally and blurs them — a strong first pass for Bearer tokens, environment values and a response body full of customer data.
- 3
Element-blur the Authorization and Headers values
Click the value in the Authorization tab and the token in the Headers value column to frost just those; the header names stay readable so the demo still makes sense.
- 4
Box-blur the environment column and the URL
Drag a box over the CURRENT VALUE column in the environment editor and over the address field if it carries a key or a private hostname. Anchored boxes keep covering them as you switch requests.
- 5
Send carefully, and keep panic ready
The response body only renders after you press Send. Blur or box the response pane first if it returns PII, and if a secret appears unexpectedly press Ctrl/⌘ ⇧ H to blur the whole tab instantly.
| Sensitive item | Where it appears | Best gesture |
|---|---|---|
| Bearer token / Authorization | Authorization + Headers tabs | Element blur, or Scan |
| Environment secret values | Environments → CURRENT VALUE | Box-blur the column, or Scan |
| API key in params | Params tab / address field | Element blur, or Scan |
| PII in response body | Response pane after Send | Box-blur the pane, or Scan |
| Private base URL | Address field, collection vars | Element or box blur |
Postman on the web vs the desktop app
BlurFirst is a browser extension, so it can blur content in any browser tab — including Postman at go.postman.co. It cannot reach the Postman desktop app, which is a native program running outside the browser, nor any other native window; a desktop app for that is in development. If you routinely present Postman, do it from the web app so your tokens and bodies can be blurred in the shared feed.
Why Postman's own value-masking isn't enough
Postman can mark a variable as a secret type to mask its current value, which helps — but the mask is one click from being revealed, an initial value can still be visible, and a teammate's synced environment may not be masked at all. Masking also does nothing for a token pasted into a header, a key in the URL, or PII in a response body. Blurring covers all of those at the presentation layer, so what's on the call is hidden no matter how the value got there.
Reuse your Postman blurs across sessions
If you demo the same collection repeatedly, set the boxes once and let BlurFirst Pro's per-site auto-apply bring them back each time you open go.postman.co. Your box over the environment value column and the response pane re-applies automatically and survives Postman's dynamic re-rendering. The profile stores a CSS selector for each region, never the token or body inside it — and because everything runs locally, no secret is ever written to disk or uploaded.