Hi, when I use Insomnia or Postman to test my API, I notice that the bearer token appears. Is this normal, or should it be secured in some way? Does it not appear at all in production?
Below is a copy of the console tab in Insomnia:
* Preparing request to http://ticket-please.local/api/v1/users/1
* Current time is 2025-12-01T16:01:22.190Z
* Enable automatic URL encoding
* Using default HTTP version
* Enable timeout of 30000ms
* Enable SSL validation
* Connection 20 seems to be dead
* Closing connection 20
* Hostname in DNS cache was stale, zapped
* Trying 127.0.0.1:80...
* Connected to ticket-please.local (127.0.0.1) port 80 (#21)
> GET /api/v1/users/1 HTTP/1.1
> Host: ticket-please.local
> Accept: application/json
> User-Agent: insomnia/12.1.0
> Authorization: Bearer 3|cQp03eNa6zg4ZrzcgTawqXee1TCNPXcCpkJBpD1abae301ae
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Date: Mon, 01 Dec 2025 16:01:22 GMT
< Server: Apache/2.4.58 (Ubuntu)
< Vary: Authorization
< Cache-Control: no-cache, private
< Access-Control-Allow-Origin: *
< Transfer-Encoding: chunked
< Content-Type: application/json
* Received 312 B chunk
* Received 5 B chunk
* Connection #21 to host ticket-please.local left intact
Yes, it is completely normal for the bearer token to be visible in API testing tools like Insomnia and Postman.
Explanation:
The Authorization: Bearer ... header is sent with every API request that requires authentication.
Tools like Insomnia and Postman display the full outgoing HTTP request (including headers) so you can debug and verify what is sent to the API.
This visibility is only in your local environment, visible to YOU and anyone with access to your computer/workspace/tool.
In Production:
The bearer token is still sent in the HTTP Authorization header in production. That’s how the server authenticates requests.
However, end users and third parties DO NOT see this token in browser dev tools, network logs, etc. unless you, as the developer, log or expose it.
Only client-side applications and API consumers (like your testing tools, or frontend apps that manage tokens) will handle the token.
Security Tips:
Never share bearer tokens publicly (e.g., screenshots, code repos).
Secure your environment and API testing tools to prevent token leakage.
Regularly rotate/revoke tokens if you suspect they have been exposed.
Summary:
The bearer token showing in Postman/Insomnia is for YOUR visibility and debugging; it is expected behavior and not a security risk unless you share it. In actual production use, your API expects the header, but it won’t be visible to end-users.
Example of the normal request header:
Authorization: Bearer {your-access-token}
As long as you keep your tokens private, you’re following best practices!
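One practical defence for the point above that the token is only exposed if you, the developer, log or expose it: an added example (not from the original post or from Insomnia/Postman) that redacts credential-carrying headers from a request/response dump before it is written to a log or pasted into a bug report. The trace and every token value in it are constructed placeholders.

```python
import re

# Constructed sample in the shape of the Insomnia timeline shared above.
# Every credential value here is a made-up placeholder, not a real token.
SAMPLE_TRACE = """\
> GET /api/v1/users/1 HTTP/1.1
> Host: ticket-please.local
> Authorization: Bearer 3|EXAMPLEtoken1234567890
< HTTP/1.1 200 OK
< Set-Cookie: session=EXAMPLEsessionvalue; Path=/; HttpOnly
"""
# Headers whose values are credentials and never belong in logs; cookie attributes carry no secret.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
COOKIE_ATTRS = {"path", "domain", "expires", "max-age", "samesite", "secure", "httponly"}
# One header line, with the optional "> " / "< " direction marker the tool prints.
_HEADER_RE = re.compile(r"^(?P<dir>[<>]\s*)?(?P<name>[A-Za-z0-9-]+):\s*(?P<value>.+)$")

def mask(secret: str, keep: int = 4) -> str:
    """Keep a short prefix so log entries can still be correlated; hide the rest."""
    if len(secret) <= keep:
        return "[redacted]"
    return f"{secret[:keep]}...[redacted {len(secret) - keep} chars]"

def redact_header(name: str, value: str) -> str:
    """Return the header value with any embedded credential masked."""
    lname = name.lower()
    if lname not in SENSITIVE_HEADERS:
        return value
    if lname in ("authorization", "proxy-authorization"):
        # "Bearer <token>" or "Basic <b64>": keep the scheme, mask the credential.
        scheme, _, cred = value.partition(" ")
        return f"{scheme} {mask(cred)}" if cred else mask(value)
    if lname in ("cookie", "set-cookie"):
        # Mask each cookie value but keep cookie names and non-secret attributes.
        parts = []
        for part in (p.strip() for p in value.split(";") if p.strip()):
            k, sep, v = part.partition("=")
            parts.append(f"{k}={mask(v)}" if sep and k.lower() not in COOKIE_ATTRS else part)
        return "; ".join(parts)
    return mask(value)

def redact_trace(trace: str) -> str:
    """Redact credential-bearing headers in a request/response dump, line by line."""
    out = []
    for line in trace.splitlines():
        m = _HEADER_RE.match(line)
        if m and m.group("name").lower() in SENSITIVE_HEADERS:
            line = f"{m.group('dir') or ''}{m.group('name')}: {redact_header(m.group('name'), m.group('value'))}"
        out.append(line)
    return "\n".join(out)
```

Run `redact_trace` over any captured trace before it leaves your machine; non-sensitive headers such as Host pass through untouched so the dump stays useful for debugging.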
If you're using HTTPS in production, which you always should be, the request will be fully encrypted and unreadable to outsiders. Only the IP address and port will be in cleartext.
Postman and Insomnia are development tools and won't be used in production. I'm not sure what you mean by that part.
I don't understand what you mean by the Bearer token "appearing" in production.
Bearer token is a request header, meaning it's sent from the client to the server. Postman is an HTTP test client. It's not related to your production environment in any way.
It is normal. In real life nobody will see your token as it is transferred encrypted with all other HTTPS traffic. This is why you should always use HTTPS in public Internet.
This is not completely right. Bearer token is transferred the same way both in HTTP and HTTPS. The difference is HTTPS traffic is encrypted so everything transferred inside (including token) is encrypted and not seen to anyone except server and client.
HTTP traffic is not encrypted and your token can be seen by anyone in the middle who sees this traffic. For example, your ISP or hoster's staff.
In short, use HTTPS with proper certificates and you're good, your tokens are safe.
I think you need to explain what you mean by "appear".
The token header doesn't appear from thin air. It also does not come from the server. It's set by the client. This is the same in HTTP and HTTPS. The latter just encrypts it in transit, along with everything else.
Okay, I’ll explain my issue. As you can see in the code I shared earlier, the Bearer token in the request header (Authorization: Bearer 3|cQp03eNa6zg4ZrzcgTawqXee1TCNPXcCpkJBpD1abae301ae) is not hidden when using Insomnia. This makes me wonder — if a developer or I send an AJAX request to fetch data from the server, will this token also appear in the request and response sections of the browser’s Network tab?
Yes. Any data sent to or from the browser, or stored by the browser, can be read by the user. This includes network requests and their responses, cookies, local storage, JS variables, etc.
The token being readable isn't a significant additional risk, given everything else. If a villain has access to your browser while you're at lunch, they can copy your session cookie and take it to their computer, giving them access to your account. The moral of the story is: don't leave your workstation unlocked.