<!DOCTYPE html> <html lang="en"> <head> <title>How to use GraphQL with Postman</title> <meta charset="utf-8" /> <meta http-equiv="X-UA-Compatible" content="IE=edge" /> <meta name="HandheldFriendly" content="True" /> <meta name="viewport" content="width=device-width, initial-scale=1.0" /> <style> :root { --button-bg-color: #ffffff; --button-text-color: var(--color-darkgrey); } </style> <link rel="preconnect" href="https://fonts.googleapis.com"> <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin> <link rel="stylesheet" href="https://fonts.googleapis.com/css2?family=Open+Sans:ital,wght@0,400;0,500;0,600;0,700;1,400;1,700&family=Inter:wght@400;500;600;700&display=swap"> <link rel="stylesheet" type="text/css" href="/blog/assets/built/screen.css?v=bdd0505571" /> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.28.0/themes/prism-tomorrow.min.css" integrity="sha512-vswe+cgvic/XBoF1OcM/TeJ2FW0OofqAVdCZiEYkd6dwGXthvkSFWOoGGJgS2CW70VK5dQM5Oh+7ne47s74VTg==" crossorigin="anonymous" referrerpolicy="no-referrer" /> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/tocbot/4.12.3/tocbot.css"> <meta name="description" content="Learn how to test GraphQL with Postman, the go-to tool for querying APIs, and quickly start sending requests and testing your GraphQL endpoints."> <link rel="icon" href="https://escape.tech/blog/content/images/size/w256h256/2021/09/ESCAPE-LOGO-28-07-2021-08_1000.png" type="image/png"> <link rel="canonical" href="https://escape.tech/blog/getting-started-with-postman-graphql/"> <meta name="referrer" content="no-referrer-when-downgrade"> <link rel="amphtml" href="https://escape.tech/blog/getting-started-with-postman-graphql/amp/"> <meta property="og:site_name" content="Escape - The API Security Blog"> <meta property="og:type" content="article"> <meta property="og:title" content="How to use GraphQL with Postman"> <meta property="og:description" content="Learn how to test GraphQL with Postman, the go-to 
tool for querying APIs, and quickly start sending requests and testing your GraphQL endpoints."> <meta property="og:url" content="https://escape.tech/blog/getting-started-with-postman-graphql/"> <meta property="og:image" content="https://escape.tech/blog/content/images/2023/08/postman-graphql-getting-started.png"> <meta property="article:published_time" content="2022-07-26T15:33:12.000Z"> <meta property="article:modified_time" content="2024-06-07T08:42:04.000Z"> <meta property="article:tag" content="Postman"> <meta property="article:tag" content="GraphQL"> <meta name="twitter:card" content="summary_large_image"> <meta name="twitter:title" content="Getting started with Postman for GraphQL"> <meta name="twitter:description" content="Learn the basics of Postman for GraphQL APIs and quickly start to send requests and test your endpoints."> <meta name="twitter:url" content="https://escape.tech/blog/getting-started-with-postman-graphql/"> <meta name="twitter:image" content="https://escape.tech/blog/content/images/2023/08/postman-graphql-getting-started.png"> <meta name="twitter:label1" content="Written by"> <meta name="twitter:data1" content="Nohé Hinniger-Foray"> <meta name="twitter:label2" content="Filed under"> <meta name="twitter:data2" content="Postman, GraphQL"> <meta name="twitter:site" content="@EscapeTechHQ"> <meta name="twitter:creator" content="@nohehf"> <meta property="og:image:width" content="1200"> <meta property="og:image:height" content="670"> <script type="application/ld+json"> { "@context": "https://schema.org", "@type": "Article", "publisher": { "@type": "Organization", "name": "Escape - The API Security Blog", "url": "https://escape.tech/blog/", "logo": { "@type": "ImageObject", "url": "https://escape.tech/blog/content/images/2022/05/escape-logo.0e6d59f.svg", "width": 141, "height": 36 } }, "author": { "@type": "Person", "name": "Nohé Hinniger-Foray", "image": { "@type": "ImageObject", "url": 
"https://escape.tech/blog/content/images/2024/10/pp_square_bg--1--2.png", "width": 900, "height": 900 }, "url": "https://escape.tech/blog/author/nohe/", "sameAs": [ "https://www.nohehf.com/", "https://twitter.com/nohehf" ] }, "headline": "How to use GraphQL with Postman", "url": "https://escape.tech/blog/getting-started-with-postman-graphql/", "datePublished": "2022-07-26T15:33:12.000Z", "dateModified": "2024-06-07T08:42:04.000Z", "image": { "@type": "ImageObject", "url": "https://escape.tech/blog/content/images/2023/08/postman-graphql-getting-started.png", "width": 1200, "height": 670 }, "keywords": "Postman, GraphQL", "description": "If you&#x27;re building an API, you need tools to query it. Postman is the go-to tool for querying APIs, whether using the Postman GraphQL client or the Postman HTTP request interface. It allows you to create and send requests to your endpoints and so much more.\n\nPostman has loads of built-in parameters and features, such as custom cookies, environment variables, scripting, testing, and exporting requests to HTTP clients (curl, fetch, python, axios...). 
Postman also allows you to share and collaborat", "mainEntityOfPage": "https://escape.tech/blog/getting-started-with-postman-graphql/" } </script> <meta name="generator" content="Ghost 5.109"> <link rel="alternate" type="application/rss+xml" title="Escape - The API Security Blog" href="https://escape.tech/blog/rss/"> <link href="https://escape.tech/blog/webmentions/receive/" rel="webmention"> <script defer src="/blog/public/cards.min.js?v=bdd0505571"></script> <link rel="stylesheet" type="text/css" href="/blog/public/cards.min.css?v=bdd0505571"> <style>:root {--ghost-accent-color: #09134b;}</style> <style> .container.large { max-width: calc(750px + 8vw); } </style> <script> var gh_white_logo = "https://i.ibb.co/cx8zN47/ESCAPE-LOGO-28-07-2021-02.png" </script> <!-- Prism.js - syntax highlighting --> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.25.0/themes/prism.min.css" integrity="sha512-tN7Ec6zAFaVSG3TpNAKtk4DOHNpSwKHxxrsiw4GHKESGPs5njn/0sMCUMl2svV4wo4BK/rCP7juYz+zx+l6oeQ==" crossorigin="anonymous" referrerpolicy="no-referrer" /> </head> <body class="post-template tag-postman tag-graphql has-sans-body"> <div class="viewport"> <div class="site-content"> <main id="site-main" class="site-main"> <article class="article 
post tag-postman tag-graphql image-small"> <header class="article-header gh-canvas"> <section class="article-tag"> <a href="https://escape.tech/blog/tag/postman/">Postman</a> </section> <h1 class="article-title">How to use GraphQL with Postman - a guide to testing GraphQL endpoints</h1> <div class="article-byline"> <section class="article-byline-content"> <ul class="author-list"> <li class="author-list-item"> <a href="/blog/author/nohe/" class="author-avatar"> <img class="author-profile-image" src="/blog/content/images/size/w100/2024/10/pp_square_bg--1--2.png" alt="Nohé Hinniger-Foray" /> </a> </li> </ul> <div class="article-byline-meta"> <h4 class="author-name"><a href="/blog/author/nohe/">Nohé Hinniger-Foray</a></h4> <div class="byline-meta-content"> <time class="byline-meta-date" datetime="2022-07-26">Jul 26, 2022</time> <span class="byline-reading-time"><span class="bull">&bull;</span> 5 min read</span> </div> </div> </section> </div> <figure class="article-image"> <picture> <!-- Serve the WebP format if the browser supports it --> <source srcset="/blog/content/images/size/w300/format/webp/2023/08/postman-graphql-getting-started.png 300w, /blog/content/images/size/w600/format/webp/2023/08/postman-graphql-getting-started.png 600w, /blog/content/images/size/w1000/format/webp/2023/08/postman-graphql-getting-started.png 1000w, /blog/content/images/size/w2000/format/webp/2023/08/postman-graphql-getting-started.png 2000w" sizes="(min-width: 1400px) 1400px, 92vw" type="image/webp" > <!-- Serve original file format as a fallback --> <img srcset="/blog/content/images/size/w300/2023/08/postman-graphql-getting-started.png 300w, /blog/content/images/size/w600/2023/08/postman-graphql-getting-started.png 600w, /blog/content/images/size/w1000/2023/08/postman-graphql-getting-started.png 1000w, /blog/content/images/size/w2000/2023/08/postman-graphql-getting-started.png 2000w" sizes="(min-width: 1400px) 1400px, 92vw" 
src="/blog/content/images/size/w2000/2023/08/postman-graphql-getting-started.png" alt="How to use GraphQL with Postman - a guide to testing GraphQL endpoints" /> </picture> </figure> </header> <section class="gh-content gh-canvas"> <p>If you're building an API, you need tools to query it. Postman is the go-to tool for querying APIs, whether using the Postman GraphQL client or the Postman HTTP request interface. It allows you to create and send requests to your endpoints and so much more.</p><p>Postman has loads of built-in parameters and features, such as custom cookies, environment variables, scripting, testing, and exporting requests to HTTP clients (curl, fetch, Python, axios...). Postman also allows you to share and collaborate on your request collections, making it a go-to tool for many tech enterprises. It also ships with a powerful mocking engine, allowing developers to design their APIs directly in Postman before implementing them.</p><p>In this guide, you'll learn the basics of Postman for GraphQL APIs, so you can quickly start using it to create and debug yours.</p><p>To get started, get Postman <a href="https://www.postman.com/downloads/?ref=escape.tech">here</a>. </p><p><em>Note: if you already use Postman for REST and only want to see the GraphQL part, head to </em><a href="#🕸using-postman-with-graphql-apis"><em>#</em>🕸using-postman-with-graphql-apis</a></p><h2 id="%F0%9F%A7%A0-postman-general-concepts">🧠 Postman general concepts </h2><h3 id="requests">Requests</h3><p>As Postman is an API client, HTTP requests are its fundamental building block. 
Create a request with "new" -&gt; "HTTP request".</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://escape.tech/blog/content/images/2022/07/ezgif-5-251e0a0676-1.gif" class="kg-image" alt="" loading="lazy" width="600" height="390" srcset="https://escape.tech/blog/content/images/2022/07/ezgif-5-251e0a0676-1.gif 600w"><figcaption><span style="white-space: pre-wrap;">How to start a new HTTP request</span></figcaption></figure><p>The top bar allows you to set the request method (GET, POST, PUT, ...) and its URL:</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://escape.tech/blog/content/images/2022/07/image-2.png" class="kg-image" alt="" loading="lazy" width="1404" height="124" srcset="https://escape.tech/blog/content/images/size/w600/2022/07/image-2.png 600w, https://escape.tech/blog/content/images/size/w1000/2022/07/image-2.png 1000w, https://escape.tech/blog/content/images/2022/07/image-2.png 1404w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">For GraphQL, you'll only use POST</span></figcaption></figure><p>Below you'll find several tabs:</p><figure class="kg-card kg-image-card"><img src="https://escape.tech/blog/content/images/2022/07/image-5.png" class="kg-image" alt="" loading="lazy" width="1170" height="88" srcset="https://escape.tech/blog/content/images/size/w600/2022/07/image-5.png 600w, https://escape.tech/blog/content/images/size/w1000/2022/07/image-5.png 1000w, https://escape.tech/blog/content/images/2022/07/image-5.png 1170w" sizes="(min-width: 720px) 720px"></figure><ul><li>Params are the URL query parameters used by REST APIs: <code>?key=value</code>. 
Those are useless for GraphQL.</li><li>Authorization allows you to define multiple types of Auth such as Bearer Token, API key, etc.</li><li>Headers are self-explanatory.</li><li>The body is the part that interests us for Postman GraphQL use, and I'll detail it in the next paragraph.</li><li>Pre-request Script and Tests are more advanced functionalities that I'll cover in an advanced guide.</li></ul><p>And last but not least, remember to save your requests (Ctrl + S or the "save" button)!</p><h3 id="postman-collections">Postman collections</h3><p>If you try to save your request, a prompt will ask you to choose a collection. Postman collections are just groups of requests. Try to edit and save your request in a collection!</p><h3 id="workspace">Workspace</h3><p>The workspace is like a group of collections &amp; requests but with superpowers. For instance, you can share workspaces (publicly or privately with your team), have scoped environments, variables, etc. You can see your current workspace name and its "parts" on the left tab:</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://escape.tech/blog/content/images/2022/07/image-4.png" class="kg-image" alt="" loading="lazy" width="766" height="896" srcset="https://escape.tech/blog/content/images/size/w600/2022/07/image-4.png 600w, https://escape.tech/blog/content/images/2022/07/image-4.png 766w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">For this first guide, I'll only cover Collections and Environments.</span></figcaption></figure><h2 id="%F0%9F%95%B8using-postman-with-graphql-apis">🕸 Using Postman with GraphQL APIs</h2><p>Back to business. Fortunately, Postman has full built-in support for GraphQL! 🎉 <br><br>Let's take a quick tour of the capabilities by exploring <a href="https://rickandmortyapi.com/?ref=escape.tech">the Rick and Morty API</a>. To get started, create a new HTTP request in Postman. 
Set the request method to POST and the URL to <code>https://rickandmortyapi.com/graphql</code>. Now, in the body section, select GraphQL. You should end up with something like this:</p><figure class="kg-card kg-image-card"><img src="https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707084805.png" class="kg-image" alt="" loading="lazy" width="2000" height="1076" srcset="https://escape.tech/blog/content/images/size/w600/2022/07/Pasted-image-20220707084805.png 600w, https://escape.tech/blog/content/images/size/w1000/2022/07/Pasted-image-20220707084805.png 1000w, https://escape.tech/blog/content/images/size/w1600/2022/07/Pasted-image-20220707084805.png 1600w, https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707084805.png 2000w" sizes="(min-width: 720px) 720px"></figure><p>The cool thing about Postman for GraphQL is that it auto-fetches your endpoint's schema, as you can see with the green "Schema Fetched." indication. That enables type-aware auto-completion of your queries and more. 
Start typing a query with:</p><pre><code>query {
}
</code></pre><p>Now, if you hit [⌃ + space] or [ctrl + space], you should see auto-suggestions of what you can query in the API:</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707090846.png" class="kg-image" alt="" loading="lazy" width="1332" height="634" srcset="https://escape.tech/blog/content/images/size/w600/2022/07/Pasted-image-20220707090846.png 600w, https://escape.tech/blog/content/images/size/w1000/2022/07/Pasted-image-20220707090846.png 1000w, https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707090846.png 1332w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">List of auto-suggestions for API query&nbsp;</span></figcaption></figure><p><br>Let's say we want to get the characters of the show; type <code>character</code> inside the query, and Postman will quickly tell you what your request is missing, thanks to the schema:</p><figure class="kg-card kg-image-card"><img src="https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707091054.png" class="kg-image" alt="" loading="lazy" width="1288" height="424" srcset="https://escape.tech/blog/content/images/size/w600/2022/07/Pasted-image-20220707091054.png 600w, https://escape.tech/blog/content/images/size/w1000/2022/07/Pasted-image-20220707091054.png 1000w, https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707091054.png 1288w" sizes="(min-width: 720px) 720px"></figure><p>Here we can see what the problem is:</p><ul><li>Subfields: character is an object type, so we need to specify which fields of the character we want to get.</li><li>Argument: the character has to be selected with its id.</li></ul><p>Let's correct the request:</p><figure class="kg-card kg-image-card"><img src="https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707092212.png" class="kg-image" alt="" loading="lazy" 
width="1306" height="380" srcset="https://escape.tech/blog/content/images/size/w600/2022/07/Pasted-image-20220707092212.png 600w, https://escape.tech/blog/content/images/size/w1000/2022/07/Pasted-image-20220707092212.png 1000w, https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707092212.png 1306w" sizes="(min-width: 720px) 720px"></figure><p>But you can see that you still need to select subfields, the same as before. To see what's valid, just hit [⌃ + space] or [ctrl + space] to get suggestions of available fields:</p><figure class="kg-card kg-image-card"><img src="https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707091623.png" class="kg-image" alt="" loading="lazy" width="1306" height="672" srcset="https://escape.tech/blog/content/images/size/w600/2022/07/Pasted-image-20220707091623.png 600w, https://escape.tech/blog/content/images/size/w1000/2022/07/Pasted-image-20220707091623.png 1000w, https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707091623.png 1306w" sizes="(min-width: 720px) 720px"></figure><p>We can complete it and send it. 
You can see that we got the desired results:</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707091836.png" class="kg-image" alt="" loading="lazy" width="2000" height="1500" srcset="https://escape.tech/blog/content/images/size/w600/2022/07/Pasted-image-20220707091836.png 600w, https://escape.tech/blog/content/images/size/w1000/2022/07/Pasted-image-20220707091836.png 1000w, https://escape.tech/blog/content/images/size/w1600/2022/07/Pasted-image-20220707091836.png 1600w, https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707091836.png 2160w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">Query results window&nbsp;</span></figcaption></figure><p><br><em>Object fields also need their own subfields; see <code>origin</code> here.</em></p><p>As a last detail, let's use variables:</p><figure class="kg-card kg-image-card"><img src="https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707092037.png" class="kg-image" alt="" loading="lazy" width="2000" height="619" srcset="https://escape.tech/blog/content/images/size/w600/2022/07/Pasted-image-20220707092037.png 600w, https://escape.tech/blog/content/images/size/w1000/2022/07/Pasted-image-20220707092037.png 1000w, https://escape.tech/blog/content/images/size/w1600/2022/07/Pasted-image-20220707092037.png 1600w, https://escape.tech/blog/content/images/2022/07/Pasted-image-20220707092037.png 2000w" sizes="(min-width: 720px) 720px"></figure><p><br>This request will get you the same result. Still, its format is way cleaner, and the variable fields can be bound to Postman variables and scripted this way, allowing you to write super powerful tests and routines, which I'll cover in the following guide! 
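</p><p>Added example, not part of the original article or of Postman's own code: the JSON POST request that corresponds to the variables form described above, built by hand, with the checks a test should run on the reply. The query text, the helper names and the sample replies are assumptions constructed for illustration; only the endpoint URL comes from the article.</p>

```javascript
// Added example: not from the original article.
const ENDPOINT = "https://rickandmortyapi.com/graphql"; // URL given in the article

// Assumed query, modelled on the article's screenshots: select a character by id
// and give the object field `origin` its own subfield.
const CHARACTER_QUERY = `query GetCharacter($id: ID!) {
  character(id: $id) {
    name
    status
    origin { name }
  }
}`;

// List the variables declared in the operation header, e.g. "$id: ID!".
// Simplified on purpose: first operation only, no directives or nested defaults.
function declaredVariables(query) {
  const header = /^\s*(?:query|mutation|subscription)\b[^({]*\(([^)]*)\)/.exec(query);
  if (!header) return [];
  const vars = [];
  const re = /\$(\w+)\s*:\s*([\[\]\w!]+)(\s*=)?/g;
  let m;
  while ((m = re.exec(header[1])) !== null) {
    // A "!" type without a default value must be supplied by the caller.
    vars.push({ name: m[1], type: m[2], required: m[2].endsWith("!") && !m[3] });
  }
  return vars;
}

// Build the POST request. The query text is a constant; caller-supplied values
// travel only in `variables`, as JSON data, and are never spliced into the query.
function buildGraphQLRequest(query, variables = {}) {
  const declared = declaredVariables(query);
  const names = new Set(declared.map((v) => v.name));
  const missing = declared
    .filter((v) => v.required && variables[v.name] == null)
    .map((v) => v.name);
  const unknown = Object.keys(variables).filter((k) => !names.has(k));
  if (missing.length) throw new Error(`missing required variable(s): ${missing.join(", ")}`);
  if (unknown.length) throw new Error(`undeclared variable(s): ${unknown.join(", ")}`);
  return {
    method: "POST",
    url: ENDPOINT,
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({ query, variables }),
  };
}

// Classify a reply. A GraphQL server can answer HTTP 200 and still report a
// failure in `errors`, so the status code alone is not a sufficient test.
function checkGraphQLResponse(status, bodyText) {
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch (err) {
    return { ok: false, reason: "body is not JSON" };
  }
  if (body === null || typeof body !== "object") {
    return { ok: false, reason: "body is not a JSON object" };
  }
  if (Array.isArray(body.errors) && body.errors.length > 0) {
    return { ok: false, reason: "graphql errors", messages: body.errors.map((e) => e.message) };
  }
  if (status !== 200 || body.data == null) {
    return { ok: false, reason: "unexpected status or missing data" };
  }
  return { ok: true, data: body.data };
}

// Constructed sample replies (not captured from the live API).
const SAMPLE_OK = JSON.stringify({
  data: { character: { name: "Rick Sanchez", status: "Alive", origin: { name: "Earth (C-137)" } } },
});
const SAMPLE_ERROR = JSON.stringify({
  errors: [{ message: "constructed example error" }],
  data: { character: null },
});

const request = buildGraphQLRequest(CHARACTER_QUERY, { id: "1" });
console.log(request.method, request.url);
console.log(request.body);
console.log(checkGraphQLResponse(200, SAMPLE_OK));
console.log(checkGraphQLResponse(200, SAMPLE_ERROR));
```

<p>In a Postman test script the same rule applies: assert that the response body carries no <code>errors</code> array rather than relying on the status code alone.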
</p><h3 id="%F0%9F%9A%80-escape-will-gain-you-hours">🚀 Escape will save you hours</h3><p>What if I told you that all the heavy work of crafting requests for your GraphQL API could be fully automated? </p><p><a href="https://escape.tech/?ref=escape.tech">Escape</a> automatically tests the security, performance, and reliability of your GraphQL API in a few seconds. But the cool thing is that it is based on a powerful <a href="https://escape.tech/blog/feedback-driven-api-exploration/">feedback-driven API exploration algorithm</a> that is able to generate legitimate requests on your API before fuzzing them for security purposes.</p><p>And the cool stuff is that in addition to being able to find and fix your API bugs, you can easily reproduce them through the <a href="https://escape.tech/blog/graphql-security-testing-in-postman-with-escapes-integration/">autogenerated Postman Collection</a> while exploring all your API.</p><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://escape.tech/blog/content/images/2023/04/export.png" class="kg-image" alt="" loading="lazy" width="2000" height="1120" srcset="https://escape.tech/blog/content/images/size/w600/2023/04/export.png 600w, https://escape.tech/blog/content/images/size/w1000/2023/04/export.png 1000w, https://escape.tech/blog/content/images/size/w1600/2023/04/export.png 1600w, https://escape.tech/blog/content/images/2023/04/export.png 2000w" sizes="(min-width: 720px) 720px"><figcaption><span style="white-space: pre-wrap;">Postman Collection export in Escape GraphQL Security Platform</span></figcaption></figure><p>👉 <a href="https://escape.tech/graphql-security?ref=escape.tech" rel="noreferrer">Try it yourself for free in 1 minute!</a> It does not require any configuration ;) </p><h2 id="%F0%9F%8E%89-conclusion">🎉 Conclusion </h2><p>By now, you should be able to query your GraphQL API using Postman, and this will help you a lot in your development process, trust me! 
But as I said, Postman can do much more than what I've covered here: scripting, testing, environment setup, and exports... I'll cover those advanced and super powerful concepts in the following article, so stay tuned to become a Postman master! 😎</p><div class="kg-card kg-callout-card kg-callout-card-green"><div class="kg-callout-text">And to secure your GraphQL API, you should definitely try Escape by <a href="https://escape.tech/graphql-security?ref=escape.tech" rel="noreferrer">signing up for a free account</a> to test your GraphQL endpoints before committing.</div></div><figure class="kg-card kg-image-card kg-card-hascaption"><img src="https://media.tenor.com/images/f08c38415d7c47d76d6e9c86fb4123ab/tenor.gif" class="kg-image" alt="" loading="lazy" width="355" height="150"><figcaption><span style="white-space: pre-wrap;">Your GraphQL API with Escape.</span></figcaption></figure> </section> </article> </main> </div> <footer class="site-footer outer"> <div class="inner"> <section class="copyright"><a href="https://escape.tech/blog">Escape - The API Security Blog</a> &copy; 2025</section> </div> </footer> </div> </body> </html>
