How to get Postman to retrieve token with JwtAuthProvider?

I’m able to get a token using the following client side code:

var centralAuthBaseUrl = "http://localhost:1337/";
var authClient = new JsonServiceClient(centralAuthBaseUrl);
var authResponse = authClient.Post(new Authenticate
    provider = "credentials",
    UserName = "username",
    Password = "password",
    RememberMe = true,             

I can then grab the authResponse.BearerToken and paste that into the Bearer Token auth type in Postman and it works.

However, I can’t figure out how to use Postman to retrieve a new Bearer Token. Everything I try fails.

My auth provider setup is a follows:

Plugins.Add(new AuthFeature(() => new AuthUserSession(),
    new IAuthProvider[] {
        new JwtAuthProvider(AppSettings) {
            AuthKey = AesUtils.CreateKey(),
            AllowInQueryString = true,
            AllowInFormData = true,
            RequireSecureConnection = false,
        new CredentialsAuthProvider(AppSettings),
        //new BasicAuthProvider(),

What am I missing?

You should be able to

  • send a POST request to your app’s auth endpoint
    (http://localhost:1337/auth) with the username/password/provider as
    the payload, or
  • send a POST request to your app’s credentials auth endpoint (http://localhost:1337/auth/credentials) with the username/password as the payload.

Basically you are duplicating the request the JsonServiceClient sends.

You can also click on POST Authenticate after importing /postman collection and populate the request in the Body tab, e.g:

For faster editing you can click on Bulk Edit and enter key/value pairs:


Great, thanks to both of you! All three methods worked!

I think I was confused by all the available options.

So, I can see the difference between /auth and /auth/credentials in that you’re just specifying the provider within the URL. But what’s the difference between /auth and /authenticate?

Nothing, they’re just aliases for each other.

So now I’m confused. After doing this now when I call the /hello service which is decorated with [Authenticate] it returns 200 without providing any credentials. Before I called /auth or /authenticate, I’d get a 403. I can’t see anywhere I’m providing credentials in Postman, even started a new session. Does Postman somehow remember the credentials when calling /auth or /authenticate and apply that to any call to that url? If so, how to “reset” this for testing?

If it works after authentication it’s using cookies, you can manage cookies with:

Otherwise you can call /auth/logout to clear the current session or just restart the Postman App.

Brilliant! Works like a charm! Thanks