Questions on handling authenticated APIs with Postman collection add-on in OWASP ZAP


Ritik Jain

May 4, 2026, 3:27:38 AM
to ZAP User Group

Hi ZAP Team,

I’m currently exploring the Postman Collection add-on in OWASP ZAP to scan authenticated APIs and had a few questions/observations. It would be helpful to understand the intended behavior and recommended approach.

Context
The application uses token-based authentication via the Authorization header (Bearer token). The token is obtained from a login API and expires in ~30 minutes.


1. Token refresh / session handling
Since the token expires periodically:

  • How does ZAP handle token refresh in such cases, where the site tree is derived from requests made by parsing Postman collections?

  • Is there a recommended way to automatically regenerate and inject a fresh token while importing a Postman collection, as there is for context-based scans (via scripts, authentication methods, or session management)?


2. Execution of Postman collection scripts (pre-request / test events)
From my observation:

  • ZAP does not execute Postman collection scripts (such as pre-request or test scripts), since it does not have a Postman execution engine. ZAP's import flow is that it parses the collection JSON, makes requests with the body/method/headers, and builds the site tree.

  • But in collections where a login request returns a token in the response and assigns it to a collection variable (e.g., auth_token), which is then reused in subsequent requests, the Authorization header will always be empty because the Postman script did not run.

Questions:

  • Is it correct that ZAP ignores these scripts during import/execution?

  • If yes, what is the recommended way to support this type of collection in ZAP?
    (e.g., extracting tokens from responses and reusing them across requests)


3. Handling of the auth object in Postman collections
Another observation:

  • ZAP does not seem to parse the auth object of a request in the collection and send the Authorization header defined in the simulated request (e.g., Bearer token configuration).

Questions:

  • Is this observation expected?

  • If yes, what is the suggested way to ensure the Authorization header is correctly applied to authenticated API requests? It should be supported in parsing according to a user


Reference Collection
I’ve been using the VAmPI Postman collection as a reference:


I would appreciate guidance on the resolution of the queries/best practices for handling authenticated API scans in such scenarios using ZAP.

Thanks in advance for your help!

Best regards,
Ritik Jain
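As an added example (not ZAP's code and not the Postman add-on's behaviour): a small pre-processing script that resolves request-level bearer `auth` objects and `{{variable}}` references into explicit headers, lets a token obtained outside Postman be injected through an assumed `overrides` parameter, and flags requests whose Authorization header would go out empty, the situation described in sections 2 and 3. The collection dict is constructed in the v2.1 shape and is not the VAmPI collection.

```python
import re
SAMPLE_COLLECTION = {  # constructed sample in Postman Collection v2.1 shape (not the VAmPI collection)
    "variable": [{"key": "base_url", "value": "http://localhost:5000"},
                 {"key": "auth_token", "value": ""}],  # set by a test script ZAP never runs
    "item": [
        {"name": "login", "request": {"method": "POST", "url": {"raw": "{{base_url}}/users/v1/login"},
                                      "header": [{"key": "Content-Type", "value": "application/json"}]}},
        {"name": "users", "item": [{"name": "me", "request": {  # folder: items nest recursively
            "method": "GET", "url": "{{base_url}}/me", "header": [],
            "auth": {"type": "bearer", "bearer": [{"key": "token", "value": "{{auth_token}}"}]}}}]},
    ],
}

def substitute(text, variables):
    """Replace {{name}} with a collection variable; unknown names are left as-is."""
    return re.sub(r"\{\{(\w+)\}\}", lambda m: variables.get(m.group(1), m.group(0)), text)

def bearer_header(auth):
    """Map a request-level auth object to an Authorization value (bearer type only)."""
    if not auth or auth.get("type") != "bearer":
        return None
    params = {p["key"]: p.get("value", "") for p in auth.get("bearer", [])}
    return "Bearer " + params.get("token", "")

def flatten(collection, overrides=None):
    """Explicit method/url/headers per request; `overrides` injects a token obtained elsewhere."""
    variables = {v["key"]: v.get("value", "") for v in collection.get("variable", [])}
    variables.update(overrides or {})
    flat = []
    def walk(items):
        for it in items:
            if "item" in it:  # folder
                walk(it["item"])
                continue
            req = it["request"]
            url = req["url"] if isinstance(req["url"], str) else req["url"].get("raw", "")
            headers = {h["key"]: substitute(h["value"], variables)
                       for h in req.get("header", []) if not h.get("disabled")}
            auth = bearer_header(req.get("auth"))
            if auth and "Authorization" not in headers:  # an explicit header wins here
                headers["Authorization"] = substitute(auth, variables)
            flat.append({"name": it["name"], "method": req["method"],
                         "url": substitute(url, variables), "headers": headers})
    walk(collection.get("item", []))
    return flat

def unresolved_auth(flat):
    """Requests whose bearer token is empty or still an unexpanded {{placeholder}}."""
    return [r["name"] for r in flat if r["headers"].get("Authorization", "-").strip() == "Bearer"
            or "{{" in r["headers"].get("Authorization", "")]
```

Running `unresolved_auth(flatten(SAMPLE_COLLECTION))` before import shows which requests would be sent without a token; passing the token from a login performed outside the collection via `overrides` clears the list.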

