Client Certificates for Mutual TLS
Some APIs require mutual TLS (mTLS), where the server also verifies a certificate presented by the client, not just the usual server certificate the client checks. In Postman, under Settings → Certificates, you add a Client Certificate by specifying the Host the certificate applies to, along with a CRT/PFX file and, if applicable, a private Key file and its Passphrase; Postman then automatically attaches that certificate whenever a request targets the matching host.
Cricket analogy: Mutual TLS is like a high-security match where not only does the ground staff check the broadcaster's credentials, but the broadcaster also verifies the ground's official accreditation stamp before setting up cameras — both sides confirm identity, not just one.
Settings > Certificates > Add Certificate
Host: api.partner-bank.example.com
CRT file: client-cert.pem
Key file: client-key.pem
PFX file: (leave blank if using CRT/Key pair)
Passphrase: ********SSL Certificate Verification
By default, Postman verifies that the server's TLS certificate is valid and trusted, matching normal browser behavior; this can be toggled globally under Settings → General → 'SSL certificate verification'. During local development against a self-signed certificate, it's more precise to disable verification for that one request via the lock icon in the request bar rather than disabling it globally, which would silently weaken security checks for every other request in the workspace, including ones hitting real production APIs.
Cricket analogy: Globally disabling SSL verification is like telling every gate steward at every ground on tour to stop checking accreditation badges, just because one small local ground's scanner is broken — it removes a safeguard everywhere, not just where it was actually needed.
Routing Through a Proxy
Corporate networks often require outbound HTTP(S) traffic to route through a proxy server for security inspection or access control; Postman configures this under Settings → Proxy, where you can add a custom proxy server with Host, Port, and optional authentication, or select 'Use the system proxy' to inherit whatever proxy is configured at the OS level. A common gotcha is that some corporate proxies perform TLS interception (installing their own CA certificate to decrypt and re-encrypt traffic), which means Postman must also trust that corporate root CA, added via Settings → Certificates → CA Certificates, or every HTTPS request will fail with a certificate validation error.
Cricket analogy: Routing all traffic through a corporate proxy is like every player's kit having to pass through a single central security scanner before entering the ground, rather than each player walking in through their own separate entrance.
Postman also supports a 'Proxy Bypass' list in the same Settings → Proxy screen, where you can exclude specific hosts (like localhost or an internal *.corp.example.com domain) from being routed through the configured proxy.
Disabling global SSL certificate verification should be treated as a temporary, local-development-only measure. Leaving it off exposes every request in the workspace, including ones against real production APIs, to man-in-the-middle risks without any warning in the UI once the toggle is off.
- Mutual TLS requires the client to present its own certificate; configure this under Settings → Certificates by mapping a CRT/Key or PFX file to a specific Host.
- Postman verifies server TLS certificates by default, matching standard browser behavior.
- Prefer disabling SSL verification for a single request via the lock icon over disabling it globally.
- Corporate networks may require routing through a proxy, configurable under Settings → Proxy with a custom host/port or 'Use the system proxy'.
- Proxies that perform TLS interception require their root CA certificate to be added to Postman's trusted CA Certificates.
- A Proxy Bypass list lets you exclude specific hosts, like localhost, from being routed through the configured proxy.
- Treat globally disabled SSL verification as a temporary local-dev setting, never a permanent workspace default.
Practice what you learned
1. What does mutual TLS (mTLS) require that standard TLS does not?
2. In Postman, how is a client certificate associated with a request?
3. Why is it preferable to disable SSL certificate verification for a single request rather than globally?
4. Why might Postman need a corporate proxy's root CA certificate added to its trusted CA Certificates?
5. What does the Proxy Bypass list in Postman's Settings → Proxy screen do?
Was this page helpful?
You May Also Like
Managing Secrets Safely
Learn how to store, share, and rotate API keys, tokens, and passwords in Postman using variable scopes, secret-typed variables, and Vault integration without leaking them into version control.
API Keys and Custom Headers
Learn how to authenticate requests using API keys and how to work with custom HTTP headers in Postman, including placement options and common conventions.
OAuth 2.0 in Postman
Understand the OAuth 2.0 authorization framework and how to configure grant types, token retrieval, and token refresh using Postman's OAuth 2.0 Authorization tab.