Public Postman workspaces expose far more than leaked strings — they reveal full API architecture, authentication flows, and live credentials. This guide covers a three-phase methodology for finding exposed APIs: building targeted search queries around identity provider and cloud infrastructure endpoints (Microsoft Entra ID, Okta, Salesforce, Auth0, AWS STS), attributing anonymous workspaces to organizations, and validating whether findings are operationally active. Five real-world examples demonstrate how queries like `login.microsoftonline.com` or `oktapreview.com` surface working client secrets, refresh tokens, and admin API credentials. An analytical framework explains how to read workspace structure, environments, pre-request scripts, and saved example responses to reconstruct an attacker's full operational picture from a single public URL.
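The kind of structure the guide describes (environments, pre-request scripts and saved example responses) can be checked on the defender's side before a collection is ever shared. The script below is an added example, not code from the guide or its author: it walks a constructed Postman collection/environment export (v2.1 layout, all values invented and marked `EXAMPLE`) and flags credential-named keys that hold literal, non-placeholder values, so a team can catch a leaked client secret or refresh token in its own workspace before publishing. The regexes, thresholds and field paths are assumptions made for the example, not Postman's own API.

```python
import json
import re

# Constructed sample export (not real data): one request with a pre-request
# script and a saved example response, plus an environment with four variables.
SAMPLE_COLLECTION = {
    "info": {"name": "demo-identity-api",
             "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
    "item": [{
        "name": "Get token",
        "event": [{"listen": "prerequest", "script": {"exec": [
            "pm.environment.set('client_secret', 'EXAMPLE-demo-secret-9f8e7d6c5b4a');",
            "console.log('requesting token');",
        ]}}],
        "request": {
            "method": "POST",
            "url": {"raw": "https://login.microsoftonline.com/{{tenant}}/oauth2/v2.0/token"},
            "body": {"mode": "urlencoded", "urlencoded": [
                {"key": "client_id", "value": "{{client_id}}"},
                {"key": "client_secret", "value": "{{client_secret}}"},   # placeholder, fine
            ]},
        },
        "response": [{
            "name": "200 OK saved example",
            "body": json.dumps({"access_token": "EXAMPLE.eyJhbGciOiJSUzI1NiJ9.demo-signature",
                                "refresh_token": "EXAMPLE-0.AXoA-demo-refresh-token-value"}),
        }],
    }],
}
SAMPLE_ENVIRONMENT = {
    "name": "prod",
    "values": [
        {"key": "tenant", "value": "contoso.example", "enabled": True},
        {"key": "client_id", "value": "00000000-0000-0000-0000-000000000000", "enabled": True},
        {"key": "admin_api_key", "value": "", "enabled": True},           # empty, fine
        {"key": "okta_api_token", "value": "EXAMPLE-00abcDEFghiJKLmnoPQRstuVWXyz0123456789demo",
         "enabled": True},                                                  # literal secret
    ],
}

# Key names that usually carry credentials (heuristic, assumed for this example).
SECRET_KEY_RE = re.compile(r"(secret|token|password|passwd|api[_-]?key|private[_-]?key|credential)", re.I)
# Values that are templates or obvious placeholders rather than live material.
PLACEHOLDER_RE = re.compile(r"^\s*(\{\{[^}]*\}\}|<[^>]*>|\$\{[^}]*\}|x{3,}|changeme|redacted)?\s*$", re.I)
# "key": "value" or key = 'value' pairs inside scripts and saved response bodies.
KV_IN_TEXT_RE = re.compile(r"""(?P<key>[A-Za-z_][A-Za-z0-9_\-]*)\s*["']?\s*[:=]\s*["'](?P<value>[^"']{8,})["']""")
# pm.environment.set('key', 'value') style assignments in pre-request scripts.
SET_CALL_RE = re.compile(r"""\.set\(\s*["'](?P<key>[^"']+)["']\s*,\s*["'](?P<value>[^"']{8,})["']\s*\)""")


def is_live_looking(key, value):
    """True when a credential-named key holds a literal (non-placeholder) value."""
    return (isinstance(value, str) and bool(SECRET_KEY_RE.search(key))
            and not PLACEHOLDER_RE.match(value) and len(value) >= 8)


def redact(value):
    """Never echo the secret itself into a report; keep a short prefix and length."""
    return f"{value[:4]}...({len(value)} chars)"


def _walk(node, path, findings):
    if isinstance(node, dict):
        # Postman key/value entries: environment values, headers, urlencoded bodies.
        if isinstance(node.get("key"), str) and is_live_looking(node["key"], node.get("value")):
            findings.append({"path": path, "key": node["key"], "preview": redact(node["value"])})
        for k, v in node.items():
            child = f"{path}.{k}"
            if isinstance(v, str) and is_live_looking(k, v):   # e.g. {"secret": "..."}
                findings.append({"path": child, "key": k, "preview": redact(v)})
            _walk(v, child, findings)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk(v, f"{path}[{i}]", findings)
    elif isinstance(node, str):
        # Free text: script lines and saved example bodies embed secrets as text.
        for rx in (KV_IN_TEXT_RE, SET_CALL_RE):
            for m in rx.finditer(node):
                if is_live_looking(m.group("key"), m.group("value")):
                    findings.append({"path": path, "key": m.group("key"),
                                     "preview": redact(m.group("value"))})


def scan_workspace(collection, environment=None):
    """Return every credential-looking literal with its location in the export."""
    findings = []
    _walk(collection, "collection", findings)
    if environment is not None:
        _walk(environment, "environment", findings)
    return findings


if __name__ == "__main__":
    for f in scan_workspace(SAMPLE_COLLECTION, SAMPLE_ENVIRONMENT):   # 4 findings on the sample
        print(f"{f['path']}: {f['key']} = {f['preview']}")
```

Run against a real export (`postman collection export` JSON plus the environment file) by replacing the two sample dictionaries; the location paths point straight at the environment slot, script line or saved response that needs scrubbing, and the preview never reproduces the full value in CI logs.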
By Dzianis Skliar

Table of contents
- Why Postman Search Works
- How to Approach the Search
- Category 1: Identity Providers
- Category 2: Cloud Infrastructure
- How to Analyse What You Find
- Case Study: Vendor Exposure
- Case Study: Municipal Agency
- Closing