Skip to content
BlurFirst

How to Blur Postman During Screen Sharing (Hide API Keys, Tokens & Secrets)

7 min read

Demoing an API in Postman on a call? Here's how to hide Authorization headers, Bearer tokens, environment secrets, API keys in params and customer PII in Postman for the web before you share your screen — and why Scan is a great first pass.

To hide API keys, tokens and secrets in Postman on the web during a screen share, run Scan for a one-click sweep of the token and key patterns, then blur anything else by hand before you present — the Authorization header and Bearer tokens, environment variables, keys in query params, and response bodies with customer data. BlurFirst paints each blur into the page as real pixels, so it survives Zoom, Google Meet, Microsoft Teams, Loom, OBS and any recorder.

One important caveat: this works on Postman for the web at `go.postman.co`, which runs inside your browser tab, so BlurFirst applies. The desktop app is a native application, not a web page, so a browser extension can't reach it — use the web app when you need to present safely. Start blurring with Ctrl/⌘ ⇧ Y and keep the panic hotkey Ctrl/⌘ ⇧ H ready.

What Postman puts on screen that shouldn't be shared

  • Authorization headers and Bearer tokens — the Authorization tab and the Headers tab show values like Bearer eyJhbGciOi… or Basic … in full.
  • Environment variables holding secrets — the CURRENT VALUE column under Environments exposes tokens and keys; the eye toggle reveals masked ones.
  • API keys in params — keys passed as query params (?api_key=…) or in the Params tab, visible right in the URL.
  • Request and response bodies with PII — customer names, emails and card numbers in a JSON body after you hit Send.
  • Base URLs of private services — internal hostnames in the address field and in collection variables that reveal your infrastructure.
  • Saved credentials in the collection — collection- or folder-level Authorization, {{token}} variables, and secrets hard-coded in pre-request scripts.

Blur Postman on the web before a demo

  1. 1

    Open Postman at go.postman.co

    Use the web app, not the desktop app — an in-browser extension can only reach the browser tab. Open the request or collection you'll present.

  2. 2

    Run Scan to catch tokens, keys and PII

    One click runs Scan (Pro), which detects API keys, tokens, email addresses, phone numbers and card numbers locally and blurs them — a strong first pass for Bearer tokens, environment values and a response body full of customer data.

  3. 3

    Element-blur the Authorization and Headers values

    Click the value in the Authorization tab and the token in the Headers value column to frost just those; the header names stay readable so the demo still makes sense.

  4. 4

    Box-blur the environment column and the URL

    Drag a box over the CURRENT VALUE column in the environment editor and over the address field if it carries a key or a private hostname. Anchored boxes keep covering them as you switch requests.

  5. 5

    Send carefully, and keep panic ready

    The response body only renders after you press Send. Blur or box the response pane first if it returns PII, and if a secret appears unexpectedly press Ctrl/⌘ ⇧ H to blur the whole tab instantly.

Sensitive itemWhere it appearsBest gesture
Bearer token / AuthorizationAuthorization + Headers tabsElement blur, or Scan
Environment secret valuesEnvironments → CURRENT VALUEBox-blur the column, or Scan
API key in paramsParams tab / address fieldElement blur, or Scan
PII in response bodyResponse pane after SendBox-blur the pane, or Scan
Private base URLAddress field, collection varsElement or box blur
What to hide in Postman on the web, and how.

Postman on the web vs the desktop app

BlurFirst is a browser extension, so it can blur content in any browser tab — including Postman at go.postman.co. It cannot reach the Postman desktop app, which is a native program running outside the browser, nor any other native window; a desktop app for that is in development. If you routinely present Postman, do it from the web app so your tokens and bodies can be blurred in the shared feed.

Why Postman's own value-masking isn't enough

Postman can mark a variable as a secret type to mask its current value, which helps — but the mask is one click from being revealed, an initial value can still be visible, and a teammate's synced environment may not be masked at all. Masking also does nothing for a token pasted into a header, a key in the URL, or PII in a response body. Blurring covers all of those at the presentation layer, so what's on the call is hidden no matter how the value got there.

Reuse your Postman blurs across sessions

If you demo the same collection repeatedly, set the boxes once and let BlurFirst Pro's per-site auto-apply bring them back each time you open go.postman.co. Your box over the environment value column and the response pane re-applies automatically and survives Postman's dynamic re-rendering. The profile stores a CSS selector for each region, never the token or body inside it — and because everything runs locally, no secret is ever written to disk or uploaded.

Frequently asked questions

Does BlurFirst work in the Postman desktop app?

No. BlurFirst is a browser extension, so it only works on Postman for the web at go.postman.co. The desktop app is a native program a browser extension can't reach — use the web app when you need to present with secrets blurred.

Can Scan find Bearer tokens and API keys in Postman?

Yes. Scan detects API-key and token patterns, plus emails, phone numbers and card numbers, locally in one click, so it catches most tokens in headers and environment values and PII in a response body. Review the page afterwards and blur anything structural it didn't flag.

Can I hide just the token and keep the header name visible?

Yes. Element-blur the value in the Authorization or Headers tab so the header name stays readable and your walkthrough still makes sense. Click the blurred value again to reveal it.

Will a blur cover a response body that loads after I hit Send?

Box-blur the response pane before you send, since it's anchored to that screen area and covers whatever renders underneath. If something sensitive appears anyway, the panic hotkey blurs the whole tab instantly.

Does anything I blur or scan leave my browser?

No. BlurFirst runs entirely in the browser and its only network request is a license check. Scan runs locally, so your tokens, environments and response bodies never leave the page.

Blur it before you share it.

Hide any field, region or message on a page before your next call. Nothing you blur leaves your browser.

Add to Chrome