Create and capture cookies using Postman's cookie manager

Postman's cookie manager enables you to view and edit cookies that are associated with different domains. You can manually create cookies for a domain, or you can capture cookies using the Postman proxy or Postman Interceptor. You can then use the cookies stored in the cookie jar when sending requests in Postman.

To turn off sending cookies with a request, select the request's Settings tab, then select Disable cookie jar.

What are cookies?

A computer cookie is more formally known as an HTTP cookie, a web cookie, an Internet cookie, or a browser cookie. The name is a shorter version of "magic cookie," which is a term for a packet of data that a computer receives and then sends back without changing or altering it.

A cookie typically has two pieces of data: a unique ID for each user and a site name. Cookies enable websites to retrieve this information when you revisit them, so that they can remember you and your preferences and tailor page content for you based on this information. Without cookies, you’d have to sign in again after you leave a site or rebuild your shopping cart if you closed a web page. This makes cookies an important part of the internet experience.

To manage cookies in Postman, open a request, then select Cookies (under Send).

The Manage Cookies window displays a list of domains and the cookies associated with each one. If you want to view cookies for a domain that isn't present in the list, you can add a domain. To remove all cookies and domains from the cookie jar, select Clear All Cookies.

Managing cookies

Creating cookies

To add a new cookie for a domain, select + Add Cookie. A pre-generated cookie string compliant with HTTP State Management standards is created.

Cookie_1=value; Path=/; Expires=Wed, 09 Oct 2024 21:49:26 GMT;

Postman supports the following attributes:

  • cookieName, cookieValue - The name of the cookie and the value stored in it.
  • Domain - The domain Postman will send the cookie to.
  • Path - The URL path that the cookie is restricted to. If the path is /, the cookie will be sent to all requests in the specified domain.
  • HttpOnly - If present, the cookie won't be accessible to the client-side scripts run on the page (for example, with document.cookie in JavaScript). The cookie will only be added to the cookie header in requests that are made. This field doesn't have an effect on Postman's behavior.
  • Secure - If present, the cookie is only sent when the URL begins with https:// and won't be sent over an insecure connection.
  • Expires - The time after which the cookie will expire and not be sent by Postman.

Select Save to save the cookie to the cookie store under the relevant domain.

You can also add or edit the cookies in a response with the Set-Cookie header.

Sending cookies with a request

When you make a request to a domain you have added a cookie to, the cookie will automatically appear in your request Headers tab. If the cookie isn't visible, select hidden to show autogenerated headers.

You can't override cookie headers directly in the Headers tab. Edit the cookie in the cookie manager, or delete the cookie and set your request headers manually. You can add cookies in the cookie manager as well as on the Headers tab, and Postman will merge the cookies before sending the request.

Adding a domain

If you want to view or add cookies for a domain that isn’t present in the cookie manager, you can add a domain. To add a new domain, enter the domain name in the box (don't include a port number or http://) and select Add domain. You can then add cookies for the new domain.

To update an existing cookie for a domain, select the cookie you want to edit. You can edit any property, and select Save to update.

To delete a domain and all cookies associated with it, select the Close icon next to the domain. To delete an individual cookie, select the Close icon next to the cookie.

Accessing cookies in scripts

When you add a domain to the allowlist, cookies for that domain can be accessed in scripts.

To add a domain to the allowlist, do the following:

  1. Open a request, then select Cookies (under Send).
  2. In the Manage Cookies window, select Domains Allowlist.
  3. Enter the domain to be allowed and select Add.

Creating cookies programmatically

You can programmatically create and delete cookies, instead of relying on the graphical interface. This gives you a greater degree of control over cookies.

The first step to perform in any kind of operation on cookies is to create a cookie jar, an object that will contain the cookies and the methods that will be used to operate on cookies.

To create a cookie jar, use the pm.cookies.jar() method. This creates an object to contain the cookies and methods for accessing them.

const cookieJar = pm.cookies.jar();

After a cookie jar is created, you can place cookies into it. Set a cookie using the .set() function. This function takes a URL, a cookie name, and a cookie value:

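// create a cookie (url, cookieName and cookieValue are placeholders for your own values)
cookieJar.set(url, cookieName, cookieValue, (error, cookie) => { /* handle the error or use the cookie */ });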

You can also set a PostmanCookie or its compatible cookie object using the .set() function:

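// create a PostmanCookie (url, cookieName and cookieValue are placeholders for your own values)
cookieJar.set(url, { name: cookieName, value: cookieValue, httpOnly: true }, (error, cookie) => { /* handle the error or use the cookie */ });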

To retrieve a cookie, use the .get() function. This function takes a URL and the name of the required cookie. It returns the value of the cookie.

// get the created cookie (url and cookieName are placeholders for your own values)
cookieJar.get(url, cookieName, (error, cookie) => { /* handle the error or use the cookie */ });

Get all the cookies

To get all the cookies for a particular URL that are in the cookie jar, use the .getAll() function. This function takes a URL and returns all the cookies for that URL:

// get the created cookies (url is a placeholder for your own value)
cookieJar.getAll(url, (error, cookies) => { /* handle the error or use the cookies */ });

To delete a cookie, use the .unset() function. This function takes a URL and the name of the cookie to be removed:

// delete the created cookie (url and cookieName are placeholders for your own values)
cookieJar.unset(url, cookieName, (error) => { /* handle the error */ });

Delete all the cookies

To clear all cookies for a URL, use the .clear() function. This function takes the URL you want to remove cookies for. The .clear() function removes all cookies for a particular URL but doesn't remove all the cookies in the jar, as there may be cookies for more than one URL in the cookie jar.

// delete the set cookies (url is a placeholder for your own value)
cookieJar.clear(url, (error) => { /* handle the error */ });

Deleting and then setting cookies in sequence

To clear all cookies for a URL with .clear() and then place a cookie into the cookie jar with .set(), use a callback function.

Function calls execute asynchronously. Use a callback function to ensure functions execute in sequence:

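cookieJar.clear(url, (error) => {
    // runs only after the clear has finished; url, cookieName and cookieValue are placeholders
    cookieJar.set(url, cookieName, cookieValue, (setError, cookie) => { /* handle the error or use the cookie */ });
});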

Properties not supported

The following properties aren't supported by Postman:

  • SameSite
  • Cookie Prefixes:
    • __Secure-
    • __Host-
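
Because Postman doesn't apply SameSite or the cookie prefixes, a test that cares about them has to check the Set-Cookie values itself. The following is an added example, not code from Postman's documentation: it parses Set-Cookie strings and reports missing Secure, HttpOnly and SameSite attributes and violations of the browser rules for the __Secure- and __Host- prefixes. The function names parseSetCookie and auditCookie and the sample headers are constructed for illustration.

```javascript
// Added example: audit Set-Cookie values for the attributes this page lists,
// plus the SameSite and prefix rules that Postman itself does not enforce.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim()).filter(Boolean);
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1); // flag or key=value
  }
  return cookie;
}

function auditCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const findings = [];
  if (!attrs.secure) findings.push("missing Secure");
  if (!attrs.httponly) findings.push("missing HttpOnly");
  if (!attrs.samesite) findings.push("missing SameSite");
  else if (String(attrs.samesite).toLowerCase() === "none" && !attrs.secure)
    findings.push("SameSite=None requires Secure");
  // Browser prefix rules: __Secure- needs Secure; __Host- needs Secure,
  // Path=/ and no Domain attribute.
  if (name.startsWith("__Secure-") && !attrs.secure)
    findings.push("__Secure- prefix requires Secure");
  if (name.startsWith("__Host-") &&
      (!attrs.secure || attrs.path !== "/" || "domain" in attrs))
    findings.push("__Host- prefix requires Secure, Path=/ and no Domain");
  return findings;
}

// Constructed sample headers (not captured from a real service).
const samples = [
  "Cookie_1=value; Path=/; Expires=Wed, 09 Oct 2024 21:49:26 GMT;",
  "__Host-session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
  "__Host-session=abc123; Path=/; Domain=example.com; Secure; HttpOnly; SameSite=Strict",
];
for (const h of samples) console.log(h.split("=")[0], "->", auditCookie(h));
```

The two functions use only plain JavaScript, so they can be pasted into a test script and run against the Set-Cookie values of a response.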

Syncing cookies

Postman can capture cookies for a browser or client application using the Postman proxy or Postman Interceptor. For the domains you select, captured cookies are continuously synced with the Postman cookie jar. This enables you to use any authentication sessions in your browser or client application to make API calls in Postman.

Learn more about capturing cookies with the Postman proxy or Postman Interceptor

Last modified: 2022/03/02