Testing a B2C secured Web API using Postman

In my post yesterday on Securing a Web API, I asked how might I test my API after securing it, since I didn’t have a client app created yet.

Of course, there is a way using Postman.

I’ve mentioned previously how to use the “run now” policy feature to test your policy and review your tokens. That previous blog post used a web application. Today’s blog posts uses a native app as the selected application.

Go to your B2C_1_SiUpIn policy:

  1. Under Select application, chose Hello API WPF App. 
  2. Under Select reply url, choose the https url
  3. Expand Access Tokens and under Select resource, select Hello API (or whateer name you gave your API from yesterday’s blog post). Make sure all the scopes are selected.

Here’s what my Run Policy Settings look like.

Sign Up or Sign In policy run now page
Click Run now. You’ll see a new browser tab appear. Copy the resulting URL and open up your favorite flavor of notepad.

access token in the reply url

Make sure you only copy the access token and none of the other parameters that come after the access_token. This had me scratching my head for a good half-hour.

Open up https://jwt.ms and paste in the access token to confirm it all looks good and contains the claims you’re Hello API is expecting, e.g. “read”

reviewing scopes in jwt.ms

Next, fire up Postman. Also, make sure your Hello API project is running 🙂

I’m still new to Postman, so YMMV. If you have a different way of using Postman for this scenario, please let me know!

  1. Choose GET and insert the URL for your Hello API /hello endpoint.
  2. Under Headers, type in Authorization
  3. For its value, type in Bearer then the access token.

Postman with a bearer tokenAnd if all is setup correctly, you’ll get the expected response!

I’m still working on a blog post on how to debug all these steps for creating a client application and an API for use with B2C. Stay tuned!

9 thoughts on “Testing a B2C secured Web API using Postman

  1. “Make sure you only copy the access token and none of the other parameters that come after the access_token. This had me scratching my head for a good half-hour.”

    I don’t get an extra parameters… I’m curious… What other parameters do you get?


  2. With the help of Chris Padgett, I got the request access token from postman working. IHMO, this approach is much cleaner. And once you get it working, much quicker. Reference: https://stackoverflow.com/questions/47275079/request-access-token-in-postman-for-azure-ad-b2c#answer-47564076

    Perhaps you could explore that area some more? For example, there are 4 grant types in postman. I think we’re interested in Auth Code and Implicit with B2C but I’m not sure.


  3. Hi Sara,
    In case you have a public facing API and you have number of clients consuming it, how do you get client (username) based token?



  4. Hi Adeel – you should post a question stack overflow and tag it w/ “azure-ad-b2c”. Can you elaborate what you mean by client (username) based token?

    Since you’re talking about an API it sounds like your asking “how can a headless process obtain an access token that will allow it to call the web api”?


    1. Hi Sara,

      I have an api which is secured by ad-b2c and I have 5 external clients consuming my api. I have registered these clients to b2c by creating 5 users. Now from their application, they want to consume my API. As you said, how would they obtain an access token? Since they are 2 different applications, I am assuming they will use some sort of unique keys/tokens.

      Like the conventional way is to provide usernames and api keys to authenticate.


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s