ForAllSecure Blog

Fuzz test your API with Mayhem and Postman

James Kessler
October 12, 2022

Previously, we talked about what fuzz testing is and how Mayhem can read a Postman collection. In this post, we'll look at how we've enhanced our Postman integration.

Mayhem compliments Postman tests with security tests for all of the edge cases your tests do not cover. Ultimately, if your Postman request works, we want Mayhem to just work.

Getting Started

In addition to reading from an exported collection, Mayhem can now read Postman collections from the Postman API. Exporting and hosting a postman collection file is no longer necessary. You will need to create an API key in Postman.

Try running the demo yourself against the Pet Store API:

mapi run \
--url \
--postman-api-key PMAK-XXXXXX \
postman-integration-demo 30 \

You will soon notice that the Petstore API has some problems. Some of the endpoints are crashing when the request is mutated, and are returning 500 errors. Also an endpoint accepted a POST, which was unexpected since it is not part of the Postman collection.

Mayhem is capable of causing and detecting many other types of issues, and informs you of how to reproduce the issue it found.

To run against your own collection, you will need the id of your Postman collection. Then run Mayhem to see how your own API does:

mapi run \
--url TARGET_URL \
--postman-api-key PMAK-XXXXXX \
your-target-name 30 \


If the API you are testing requires authentication, you probably already have that configured in your Postman collection. Mayhem now has the capability to leverage your collection’s settings.

We now support API Key, Bearer Token, Basic Auth and OAuth 2.0. Note that for OAuth 2.0, the access token must be synced in order for Mayhem to pick it up.

Supplying Mayhem with authentication arguments overrides all Postman authentication.


Grouping variables by environment is a great way to reuse the same requests against different environments in Postman. Mayhem is now capable of reading the variable values from environments. Look up the ID of your environment, and then run Mayhem:

mapi run \
--url TARGET_URL \
--postman-api-key PMAK-XXXXXX \
--postman-environment POSTMAN_ENVIRONMENT_ID \
your-target-name 30 \

Secret environment variables are never sent from Postman to Mayhem, so their values will not be available to or inspected by the fuzzer.


The more complete a Postman collection is, the better results you will get out of Mayhem. Sometimes it is necessary to tune up a Postman collection with an erroneous configuration. To make this simpler, Mayhem tracks the Postman requests folder, name and id while fuzzing. If an issue is found, this information is attached to the issue and can be found in Mayhem.

Try Mayhem for free!

In addition to the improvements above, we have made a number of improvements internally to improve the fuzzing engine’s performance against Postman collections. Try Mayhem out for free against your own Postman collections today at Mayhem for API!

Complete API Security in 5 Minutes

Get started with Mayhem today for fast, comprehensive, API security. 

Get Mayhem for API Free

Stay Connected

Subscribe to Updates

By submitting this form, you agree to our Terms of Use and acknowledge our Privacy Statement.