Postman Passport: Secure API access for the Agentic Era
Postman is introducing "Postman Passport" to secure API access for humans, machines, and AI agents, addressing the exploding risk of API key leakage in uncontrolled environments. It inverts the secret sharing model into an access control model and shifts secret resolution to a proxy layer within a VPC, preventing secrets from ever reaching consumers directly.
The proliferation of AI agents is set to dramatically increase API consumption, with agents calling APIs at a rate 1,000 times greater than humans today. This surge, coupled with the integration of agents into the software development lifecycle, highlights critical vulnerabilities in existing API access and security practices.
Currently, API access often relies on API keys embedded in various files and environments, leading to widespread "secret sprawl." These keys are easily copied, shared, and replicated across machines, creating numerous points of leakage. The problem is exacerbated by overly permissive API designs and the primary focus of key vaults on production systems, leaving development environments exposed.
Postman Passport directly addresses these issues by fundamentally changing how secrets are handled. Instead of distributing secrets, it implements an access control model where consumers are granted granular access to APIs without ever receiving the actual secrets. Furthermore, secret resolution is moved from the application layer to a secure proxy layer within a Virtual Private Cloud (VPC).
This new model ensures that callers' identities are cryptographically proven, credentials are strictly scoped, and private keys never leave the holder's machine, rendering stolen credential references useless. The system also extends to AI agents, providing them with scoped, short-lived, and auditable access, making them first-class, secure users of APIs.
Related articles
Anthropic’s Claude Tag is learning your company, one Slack message at a time
Anthropic introduces Claude Tag, an AI teammate living in Slack, designed to learn and contribute to company communications. This tool enhances collaboration by providing persistent context and memory, making AI interaction feel more like working with a human colleague.
Build real agentic apps using CUGA: two dozen working examples on a lightweight harness
CUGA, IBM's open-source Agent Harness, simplifies building agentic applications by handling infrastructure, allowing developers to focus on tools and prompts. It offers pre-assembled components for planning, execution, and state management, significantly reducing development time. CUGA has topped agent benchmarks like AppWorld and WebArena.
What AI Readiness Really Means and How It Applies to APIs
AI readiness is crucial for organizations to effectively integrate and scale artificial intelligence, moving beyond isolated proofs of concept to secure, system-wide AI integration. This requires a holistic diagnostic approach, addressing both technical foundations like data quality and organizational aspects such as strategy alignment and workforce development. Critical to this readiness are APIs, which must evolve from human-readable interfaces to machine-consumable ones, enabling AI agents to interact safely and robustly with existing systems.