Postman Agent Skill

Full API lifecycle management through the Postman MCP Server. Sync specs, generate code, run tests, create mocks, publish docs, and audit security.

Version: 2.0.1 Requires: Postman MCP Server

Prerequisites

This skill requires the Postman MCP Server to be configured. The MCP server exposes 111+ tools for interacting with Postman workspaces, collections, specs, environments, mocks, monitors, and more.

Setup check: Call getAuthenticatedUser via MCP. If it succeeds, you're connected. If it fails, walk through Setup below.

Important: MCP Tool Behavior

Before using the workflows below, be aware of these behaviors:

• getWorkspaces returns ALL workspaces. For large organizations this can be 300KB+. If you already have a workspace ID, use getWorkspace(workspaceId) directly instead.
• getCollection default response is a lightweight map with itemRefs (folder/request tree). This is efficient for discovery. Only use model=full when you need complete request/response bodies, and be aware it can exceed 300KB for large collections. Prefer targeted getCollectionRequest and getCollectionResponse calls for specific endpoints.
• getTaggedEntities returns 404 for missing tags, not an empty array. Handle this gracefully. Tag functionality may require an Enterprise plan.
• runCollection returns aggregate results only (total requests, passed, failed, duration). It does NOT return per-request detail or error messages. For debugging specific failures, examine individual requests with getCollectionRequest and getCollectionResponse after the run.
• searchPostmanElements only searches the PUBLIC Postman network, not private workspaces. Always search private workspace first with getCollections.

Setup

If MCP tools are not available or getAuthenticatedUser fails:

1. Get a Postman API key:

   • Go to https://postman.postman.co/settings/me/api-keys
   • Click "Generate API Key", name it "Claude Code"
   • Copy the key (starts with PMAK-)

2. Set the environment variable:

   export POSTMAN_API_KEY=PMAK-your-key-here
   

   Add to ~/.zshrc or ~/.bashrc to persist.

3. Verify: Call getAuthenticatedUser. On success, call getWorkspaces to list workspaces, then getCollections with the workspace ID to count resources.

Present:

Connected as: <user name>

Your workspaces:
  - My Workspace (personal) - 12 collections, 3 specs
  - Team APIs (team) - 8 collections, 5 specs

You're all set.

Routing

When the user's request involves Postman or APIs, match their intent to the correct workflow below. Always prefer these structured workflows over raw MCP tool calls.

User Intent	Workflow
Import a spec, push spec to Postman, create collection from spec, sync, push changes	Sync Collections
Generate client code, SDK, wrapper, typed client, consume an API	Generate Client Code
Find API, search endpoints, what's available, discover APIs	Discover APIs
Run tests, check if tests pass, validate API, test collection	Run Collection Tests
Create mock server, fake API, mock for frontend, mock URL	Create Mock Servers
Generate docs, improve documentation, publish docs, API docs	API Documentation
Security audit, vulnerabilities, OWASP, security check	API Security Audit
Is my API agent-ready?, scan my API, analyze spec for AI	Use the postman-api-readiness skill

Routing rules:

1. Specific workflows take priority. If intent clearly maps to one, use it.
2. Ambiguous requests: ask the user what they need.
3. Multi-step requests chain workflows. "Import my spec and run tests" = Sync then Test.
4. Only use mcp__postman__* tools directly for single targeted updates or when the user explicitly asks.

---

Workflow: Sync Collections

Keep Postman collections in sync with API code. Create new collections from OpenAPI specs, update existing ones, or push endpoint changes.

Step 1: Understand What Changed

Detect or ask:

• Is there a local OpenAPI spec? Search for **/openapi.{json,yaml,yml}, **/swagger.{json,yaml,yml}
• Did the user add/remove/modify endpoints?
• Is there an existing Postman collection to update, or do they need a new one?

Step 2: Resolve Workspace

If the user provides a workspace ID, call getWorkspace(workspaceId) directly. Otherwise, call getCollections with a workspace ID if known, or ask the user which workspace to use. Avoid calling getWorkspaces (no filter) on large org accounts as it returns all workspaces (300KB+).

Step 3: Find or Create the Collection

Updating an existing collection:

1. Call getCollections with the workspace parameter
2. Match by name or ask which collection
3. Call getCollection to get current state

Creating from a spec:

1. Read the local OpenAPI spec
2. Call createSpec with workspaceId, name, type (one of OPENAPI:2.0, OPENAPI:3.0, OPENAPI:3.1, ASYNCAPI:2.0), and files (array of {path, content})
3. Call generateCollection from the spec. This is async (HTTP 202). Poll getGeneratedCollectionSpecs or getSpecCollections until complete.
4. Call createEnvironment with variables from the spec:
   • base_url from servers[0].url
   • Auth variables from securitySchemes (mark as secret)
   • Common path parameters

Step 4: Sync

Spec to Collection (most common):

1. Call createSpec or updateSpecFile with local spec content
2. Call syncCollectionWithSpec to update the collection. Async (HTTP 202). Poll getCollectionUpdatesTasks for completion.
3. Note: syncCollectionWithSpec only supports OpenAPI 3.0. For Swagger 2.0 or OpenAPI 3.1, use updateSpecFile and regenerate via generateCollection.
4. Report what changed

Collection to Spec (reverse sync):

1. Call syncSpecWithCollection to update the spec from collection changes
2. Write the updated spec back to the local file

Manual updates (no spec):

1. createCollectionRequest to add new endpoints
2. updateCollectionRequest to modify existing ones
3. createCollectionFolder to organize by resource
4. createCollectionResponse to add example responses

Step 5: Confirm

Collection synced: "Pet Store API" (15 requests)
  Added:    POST /pets/{id}/vaccinations
  Updated:  GET /pets - added 'breed' filter parameter
  Removed:  (none)

  Environment: "Pet Store - Development" updated
  Spec Hub: petstore-v3.1.0 pushed

---

Workflow: Generate Client Code

Generate typed client code from Postman collections. Reads private API definitions and writes production-ready code matching the project's conventions.

Step 1: Find the API

1. If workspace ID is known, call getWorkspace(workspaceId) to get the full inventory (collections, specs, environments) in one call. Otherwise ask the user which workspace.
2. Call getCollections with workspace parameter. Use name filter if specified.
3. If no results in private workspace, fall back to searchPostmanElements (public network only)
4. Call getCollection for the lightweight map (default, no model param)
5. Call getSpecDefinition if a linked spec exists (richer type info)

Step 2: Understand the API Shape

For each relevant endpoint:

1. Call getCollectionFolder for resource grouping
2. Call getCollectionRequest for method, URL, headers, auth, body schema, parameters
3. Call getCollectionResponse for status codes, response shapes, error formats
4. Call getEnvironment for base URLs and variables
5. Call getCodeGenerationInstructions for Postman-specific codegen guidance

Step 3: Detect Project Language

If not specified, detect from the project:

• package.json or tsconfig.json -> TypeScript/JavaScript
• requirements.txt or pyproject.toml -> Python
• go.mod -> Go
• Cargo.toml -> Rust
• pom.xml or build.gradle -> Java
• Gemfile -> Ruby

Step 3b: Check for Variable Mismatches

Compare collection variables with environment variables. Common issue: collection uses {{baseUrl}} but environment defines base_url (or vice versa). Flag any naming mismatches to the user before generating code, as these cause silent failures at runtime.

Step 4: Generate Code

Generate a typed client with:

• Method per endpoint with proper parameters
• Request/response types from collection schemas
• Authentication handling from collection auth config
• Error handling based on documented error responses
• Environment-based configuration (base URL from env vars)
• Pagination support if the API uses it

Code conventions:

• Match the project's existing style (imports, formatting, naming)
• Include JSDoc/docstrings from collection descriptions
• Use the project's HTTP library if one exists (axios, fetch, requests, etc.)
• Write to a sensible path (e.g., src/clients/<api-name>.ts)

Step 5: Present

Generated: src/clients/users-api.ts

  Endpoints covered:
    GET    /users         -> getUsers(filters)
    POST   /users         -> createUser(data)
    GET    /users/{id}    -> getUser(id)
    PUT    /users/{id}    -> updateUser(id, data)
    DELETE /users/{id}    -> deleteUser(id)

  Types generated: User, CreateUserRequest, UpdateUserRequest, UserListResponse, ApiError
  Auth: Bearer token (from USERS_API_TOKEN env var)
  Base URL: from USERS_API_BASE_URL env var

---

Workflow: Discover APIs

Answer natural language questions about available APIs across Postman workspaces. Find endpoints, check response shapes, understand what's available.

Step 1: Search

1. If workspace ID is known, call getWorkspace(workspaceId) directly. Otherwise ask the user.
2. Call getCollections with workspace parameter. Use name filter to narrow.
3. If sparse, broaden:
   • searchPostmanElements as fallback (public network only, not private workspaces)
   • Note: getTaggedEntities and getCollectionTags may return 404/403 on non-Enterprise plans. Do not rely on these for discovery.

Step 2: Drill Into Results

For each relevant hit:

1. getCollection for overview (default returns lightweight map with itemRefs, not full payloads)
2. Scan endpoint names from the map to identify relevant folders/requests
3. getCollectionRequest for specific relevant endpoints (targeted, not bulk)
4. getCollectionResponse for specific response data
5. getSpecDefinition if linked spec exists

Step 3: Present

Found:

Yes, you can get a user's email via the API.

  Endpoint: GET /users/{id}
  Collection: "User Management API"
  Auth: Bearer token required

  Response includes:
    { "id": "usr_123", "email": "jane@example.com", "name": "Jane Smith" }

  Want me to generate a client for this API?

Not found: Show closest matches and explain why they don't match.

Multiple results: List collections with endpoint counts, ask which to explore.

---

Workflow: Run Collection Tests

Execute Postman collection tests, analyze results, diagnose failures, and suggest fixes.

Step 1: Find the Collection

1. If workspace ID is known, call getWorkspace(workspaceId) directly. Otherwise ask the user.
2. Call getCollections with workspace parameter. Use name filter if specified.

Step 2: Run Tests

Call runCollection with the collection UID in OWNER_ID-UUID format (from getCollection response's uid field).

If environment variables are needed:

1. Call getEnvironments to list available environments
2. Ask which to use or detect from naming convention
3. Pass the environment ID to runCollection

Step 3: Parse Results

Note: runCollection returns aggregate results only (total requests, passed/failed counts, duration). It does NOT include per-request detail. Present what's available:

Test Results: Pet Store API
  Requests:  15 executed
  Failed:    3
  Assertions: 24 total, 21 passed
  Duration:  12.4s

If tests failed and per-request detail is needed, examine the collection's test scripts and request definitions with getCollectionRequest to help diagnose. The user may also need to check the Postman app or a monitor run for detailed failure logs.

Step 4: Diagnose Failures

For each failure:

1. getCollectionRequest for full request definition
2. getCollectionResponse for expected responses
3. Check if API source code is in the current project
4. Explain expected vs actual
5. If code is local, find the handler and suggest the fix

Step 5: Fix and Re-run

After fixing: offer to re-run and show before/after comparison.

Step 6: Update Collection (if needed)

If the tests themselves need updating:

• updateCollectionRequest to fix request bodies, headers, or test scripts
• updateCollectionResponse to update expected responses

---

Workflow: Create Mock Servers

Spin up a Postman mock server from a collection or spec. Get a working mock URL for frontend development, integration testing, or demos.

Step 1: Find the Source

If workspace ID is known, call getWorkspace(workspaceId) directly. Otherwise ask the user.

From existing collection: getCollections with workspace ID -> select target collection

From local spec: Import first:

1. createSpec with workspace, name, type, files
2. generateCollection. Async (HTTP 202). Poll getGeneratedCollectionSpecs or getSpecCollections for completion.

Step 2: Check for Examples

Mock servers serve example responses. Call getCollection and check if requests have saved responses.

If missing, generate realistic examples:

1. getCollectionRequest for each request's schema
2. Generate realistic example response from the schema
3. createCollectionResponse to save the example

Step 3: Check for Existing Mocks

Call getMocks to check if one already exists for this collection. If found, present its URL. Only create new if none exists or explicitly requested.

Step 4: Create Mock Server

Call createMock with:

• Workspace ID
• Collection UID in ownerId-collectionId format (from getCollection response's uid field)
• Environment ID (if applicable)
• Name: <api-name> Mock
• Private: false (or true if preferred)

Step 5: Present

Mock server created: "Pet Store API Mock"
  URL: https://<mock-id>.mock.pstmn.io
  Status: Active

  Try it:
    curl https://<mock-id>.mock.pstmn.io/pets
    curl https://<mock-id>.mock.pstmn.io/pets/1
    curl -X POST https://<mock-id>.mock.pstmn.io/pets -d '{"name":"Buddy"}'

  The mock serves example responses from your collection.
  Update examples in Postman to change mock behavior.

Step 6: Integration

Quick integration:
  # Add to your project .env
  API_BASE_URL=https://<mock-id>.mock.pstmn.io

  # Or in your frontend config
  const API_URL = process.env.API_BASE_URL || 'https://<mock-id>.mock.pstmn.io';

Step 7: Publish (optional)

If the user wants public access:

• publishMock for unauthenticated access (demos, hackathons, public docs)
• unpublishMock to make private again

---

Workflow: API Documentation

Analyze, improve, and publish API documentation from OpenAPI specs and Postman collections.

Step 1: Find the Source

Check for API definitions in order:

Local specs: Search for **/openapi.{json,yaml,yml}, **/swagger.{json,yaml,yml}

Postman specs: getAllSpecs with workspace ID, then getSpecDefinition for full spec

Postman collections: getCollections then getCollection for full detail

Step 2: Analyze Completeness

Documentation Coverage: 60%
  Endpoints with descriptions:     8/15
  Parameters with descriptions:    22/45
  Endpoints with examples:         3/15
  Error responses documented:      2/15
  Authentication documented:       Yes
  Rate limits documented:          No

Step 3: Generate or Improve

Sparse spec: Generate documentation for each endpoint (summaries, parameter tables, request/response schemas, examples, error docs, auth requirements).

Partial spec: Fill gaps (add missing descriptions inferred from naming/schemas, generate realistic examples, add error responses, document auth and rate limits).

Step 4: Apply Changes

Ask the user which output:

1. Update the spec file - Write improved docs back into OpenAPI spec
2. Update in Postman - updateCollectionRequest to add descriptions and examples
3. Publish public docs - publishDocumentation with collection ID, returns public URL. unpublishDocumentation to take down.
4. Generate markdown - Create docs/api-reference.md for the project

Step 5: Sync

If both spec and collection exist, keep in sync:

• syncCollectionWithSpec to update collection from spec (async, OpenAPI 3.0 only)
• syncSpecWithCollection to update spec from collection changes

---

Workflow: API Security Audit

Audit APIs for security issues against OWASP API Security Top 10. Works with local OpenAPI specs and Postman collections.

Step 1: Find the Source

Local spec: Search for OpenAPI/Swagger files in the project

Postman spec: getAllSpecs then getSpecDefinition

Postman collection: getCollections then getCollection including auth config. Also getEnvironment to check for exposed secrets.

Step 2: Run Security Checks

Authentication and Authorization:

• Security schemes defined (OAuth2, API Key, Bearer, etc.)
• Security applied globally or per-endpoint
• No accidentally unprotected endpoints
• OAuth2 scopes defined and appropriate
• Admin endpoints have elevated auth

Transport Security:

• All server URLs use HTTPS
• No mixed HTTP/HTTPS

Sensitive Data Exposure:

• No API keys, tokens, or passwords in example values
• No secrets in query parameters (should be headers/body)
• Password fields marked as format: password
• PII fields identified
• Postman environment variables checked for leaked secrets (via getEnvironment)

Input Validation:

• All parameters have defined types
• String parameters have maxLength
• Numeric parameters have minimum/maximum
• Array parameters have maxItems
• Enum values used where applicable
• Request body has required field validation

Rate Limiting:

• Rate limits documented
• Rate limit headers defined (X-RateLimit-Limit, X-RateLimit-Remaining)
• 429 response defined

Error Handling:

• Error responses don't leak stack traces
• Error schemas don't expose internal field names
• 401 and 403 responses properly defined

OWASP API Top 10:

• API1: Broken Object Level Authorization
• API2: Broken Authentication
• API3: Broken Object Property Level Authorization
• API4: Unrestricted Resource Consumption
• API5: Broken Function Level Authorization
• API6: Unrestricted Access to Sensitive Business Flows
• API7: Server Side Request Forgery
• API8: Security Misconfiguration
• API9: Improper Inventory Management
• API10: Unsafe Consumption of APIs

Step 3: Present Results

API Security Audit: pet-store-api.yaml

  CRITICAL (2):
    SEC-001: 3 endpoints have no security scheme applied
      - GET /admin/users
      - DELETE /admin/users/{id}
      - PUT /admin/config
    SEC-002: Server URL uses HTTP (http://api.example.com)

  HIGH (3):
    SEC-003: No rate limiting documentation or 429 response
    SEC-004: API key sent as query parameter (use header instead)
    SEC-005: No maxLength on 8 string inputs (injection risk)

  MEDIUM (2):
    SEC-006: Password field visible in GET /users/{id} response
    SEC-007: Environment variable 'db_password' not marked secret

  Score: 48/100 - Significant Issues

Step 4: Fix

For each finding:

1. Explain the security risk in plain terms
2. Show the exact spec change needed
3. Apply the fix with user approval

For Postman-specific issues:

• putEnvironment to mark secrets properly
• updateCollectionRequest to fix auth configuration
• updateCollectionResponse to remove sensitive data from examples

Step 5: Re-audit

After fixes, re-run to show improvement.

---

Error Handling

These patterns apply across all workflows:

Error	Response
MCP tools not available	"The Postman MCP Server isn't configured. Set your POSTMAN_API_KEY environment variable and restart your editor."
401 Unauthorized	"Your Postman API key was rejected. Generate a new one at https://postman.postman.co/settings/me/api-keys"
Network timeout	Retry once. Check https://status.postman.com for outages.
Async operation stuck	If polling shows no progress after 30 seconds, inform user and suggest checking Postman app directly.
Collection not found	"No collection matching that name. Try discovering APIs across your workspace."
Empty collection	"This collection has no requests. Add endpoints in Postman or sync from a local spec."
Invalid spec	Report specific parse errors with line numbers. Offer to fix common YAML/JSON syntax issues.
Plan limitations	"Some features may require a paid Postman plan. Core operations work on all plans."

MCP Tool Reference

See references/mcp-tools.md for the complete tool catalog and references/mcp-limitations.md for known limitations and workarounds.