Postman Collections

Specifying a Postman API key and collection ID enables Mayhem to read Postman collections. You can optionally also specify a Postman environment ID or file.

mapi run my-api 30 <postman collection id> \
  --url <url> \
  --postman-api-key <postman api key> \
  --postman-environment <postman environment id or file>

Requests that use many of the Postman dynamic variables as path variables, headers, query parameters, or within a request body are handled by Mayhem and mapped to appropriate types during fuzzing.

Exported Postman File

mapi run also automatically detects when it is given a Postman 2.x collection in place of an OpenAPI spec, and works with it.

Alternatively, you can do a one-time conversion from Postman into an OpenAPI 3 spec by running the collection through the mapi convert postman command (see mapi help convert postman for details).

Postman Variables and Scripts

Mayhem supports Postman collection and environment variables.

Postman has a scripting engine that is not supported by Mayhem. Typically, these scripts are used to seed requests with values that are returned from another API's response. Mayhem uses API responses automatically during fuzzing.

It may be useful to fork a Postman collection that makes use of scripts, replace scripts with variables where possible, and target the forked collection with Mayhem.
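
Before forking, it helps to know which requests carry scripts and which variables those scripts set. The following is an added example, not part of Mayhem or its documentation: it walks an exported Postman 2.x collection and lists each pre-request or test script with the variables it stores. The function names and the sample collection are constructed for illustration.

```python
import json
import re
import sys

# Calls that store a value for later requests, e.g. pm.environment.set("token", ...)
SET_CALL = re.compile(
    r"pm\.(?:environment|collectionVariables|globals|variables)"
    r"\.set\(\s*['\"]([^'\"]+)['\"]")

def script_source(event):
    """Return an event's script text; "exec" may be a list of lines or one string."""
    code = (event.get("script") or {}).get("exec") or ""
    return "\n".join(code) if isinstance(code, list) else code

def find_scripts(node, path=()):
    """Yield (item path, "prerequest"/"test", variables set) per non-empty script."""
    name = node.get("name") or (node.get("info") or {}).get("name", "<unnamed>")
    here = path + (name,)
    for event in node.get("event", []):
        src = script_source(event)
        if src.strip():
            yield "/".join(here), event.get("listen"), sorted(set(SET_CALL.findall(src)))
    for child in node.get("item", []):  # folders nest further "item" lists
        yield from find_scripts(child, here)

# Constructed sample collection (hypothetical API, not taken from the page).
SAMPLE = {
    "info": {"name": "Orders API"},
    "item": [
        {"name": "Login",
         "event": [{"listen": "test", "script": {"exec": [
             "const body = pm.response.json();",
             "pm.environment.set('token', body.access_token);"]}}],
         "request": {"method": "POST", "url": "{{baseUrl}}/login"}},
        {"name": "Orders", "item": [
            {"name": "Get order",  # empty script stub: nothing to replace
             "event": [{"listen": "prerequest", "script": {"exec": [""]}}],
             "request": {"method": "GET", "url": "{{baseUrl}}/orders/{{orderId}}"}},
            {"name": "Create order",
             "event": [{"listen": "test", "script": {
                 "exec": "pm.collectionVariables.set('orderId', pm.response.json().id);"}}],
             "request": {"method": "POST", "url": "{{baseUrl}}/orders"}}]},
    ],
}

if __name__ == "__main__":
    # Pass an exported collection file, or run with no arguments for the sample.
    coll = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for where, listen, names in find_scripts(coll):
        print(f"{where} [{listen}] sets: {', '.join(names) or '(none found)'}")
```

Each variable name reported is a candidate for a fixed collection or environment variable in the forked collection.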