How to use the Postman Collection Inspector / Cleaner
Export a collection from Postman (v2.x) and paste it here to get an at-a-glance audit: every request across all folders, plus findings for hardcoded secrets, URLs with embedded credentials, disabled headers, duplicate requests, and unnamed requests. Then export a cleaned copy with secrets redacted before you commit or share it. Everything runs in your browser; nothing is uploaded.
What it does
- Flattens the folder/request tree and lists method + URL for every request.
- Flags secret-like values in headers and auth, and user:pass@ URLs.
- Counts disabled headers and duplicate request names/URLs.
- Produces a cleaned collection: secrets → {{REDACTED}}, optional disabled-header removal.
When to use it
- Before committing a collection to a shared repo.
- Auditing a teammate's or vendor's collection for leaked tokens.
- Cleaning up a sprawling collection with duplicates and dead headers.
- Preparing a collection to share publicly or in a bug report.
How to use it
- In Postman, export the collection as Collection v2.1.
- Paste the JSON here and review the summary and findings.
- Copy the cleaned collection (toggle disabled-header removal if you want).
Tips & pitfalls
- Secret detection is heuristic — review the cleaned output before trusting it.
- Replace hardcoded tokens with Postman variables ({{token}}) and an environment for real reuse.
- Duplicate requests often mean a folder was copied — consolidate them.
FAQ
- What does the Postman inspector flag? It lists every request across folders and flags hardcoded secret-like values in headers and auth, URLs with embedded credentials, disabled headers, duplicate request names or URLs, and requests with no name.
- How does the cleaner redact secrets? It replaces secret-like header and auth values with the placeholder {{REDACTED}}, strips user:password credentials embedded in URLs, and can optionally drop disabled headers. Postman variables like {{token}} are left untouched.
- Is my collection uploaded anywhere? No. The collection is parsed, inspected, and cleaned entirely in your browser. Nothing is sent to any server.
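
The redaction rules from the FAQ above, sketched as an added JavaScript example (not the tool's own code). The header-name and auth-parameter patterns, the function names, and the sample collection are assumptions constructed for illustration.

```javascript
// Added example, not the tool's source; the regex heuristics are assumptions.
const SECRET_HEADER = /authorization|api[-_]?key|token|secret|cookie/i;
const SECRET_AUTH_PARAM = /^(token|password|value|accessToken|clientSecret|secretKey)$/i;
const VARIABLE_ONLY = /^\s*((Bearer|Basic)\s+)?\{\{[^{}]+\}\}\s*$/i; // e.g. "Bearer {{token}}"
const URL_CREDS = /^([a-z][a-z0-9+.-]*:\/\/)[^\/@\s:]+:[^\/@\s]*@/i; // scheme://user:pass@
// Replace a literal secret; leave empty values and Postman variables untouched.
function redact(value, where, findings) {
  if (typeof value !== "string" || !value || VARIABLE_ONLY.test(value)) return value;
  findings.push(where);
  return "{{REDACTED}}";
}
function stripUrlCreds(raw, where, findings) {
  if (typeof raw !== "string" || !URL_CREDS.test(raw)) return raw;
  findings.push(where);
  return raw.replace(URL_CREDS, "$1");
}
// Walk folders recursively; a folder has `item`, a request has `request`.
function cleanItems(items, path, findings, dropDisabled) {
  return (items || []).map((it) => {
    const here = `${path}/${it.name || "(unnamed)"}`;
    if (Array.isArray(it.item)) return { ...it, item: cleanItems(it.item, here, findings, dropDisabled) };
    const req = typeof it.request === "string" ? { url: it.request } : { ...it.request };
    req.header = (req.header || []).filter((h) => !(dropDisabled && h.disabled)).map((h) =>
      SECRET_HEADER.test(h.key) ? { ...h, value: redact(h.value, `${here}: header ${h.key}`, findings) } : h);
    const params = req.auth && req.auth[req.auth.type]; // e.g. auth.bearer = [{key, value}]
    if (Array.isArray(params)) {
      req.auth = { ...req.auth, [req.auth.type]: params.map((p) => SECRET_AUTH_PARAM.test(p.key)
        ? { ...p, value: redact(p.value, `${here}: auth ${p.key}`, findings) } : p) };
    }
    // Only the string form and url.raw are rewritten here.
    if (typeof req.url === "string") req.url = stripUrlCreds(req.url, `${here}: url`, findings);
    else if (req.url) req.url = { ...req.url, raw: stripUrlCreds(req.url.raw, `${here}: url`, findings) };
    return { ...it, request: req };
  });
}
function cleanCollection(collection, dropDisabled = false) {
  const findings = [];
  const item = cleanItems(collection.item, "", findings, dropDisabled);
  return { cleaned: { ...collection, item }, findings };
}
// Constructed sample collection (v2.1 shape); all values are made up.
const sample = { info: { name: "demo" }, item: [{ name: "Users", item: [
  { name: "List", request: { method: "GET", url: { raw: "https://admin:s3cret@api.example.test/users" },
      header: [{ key: "X-Api-Key", value: "abc123" }, { key: "X-Old", value: "1", disabled: true }] } },
  { name: "Me", request: { method: "GET", url: "{{baseUrl}}/me",
      header: [{ key: "Authorization", value: "Bearer {{token}}" }],
      auth: { type: "bearer", bearer: [{ key: "token", value: "eyJhbGciOi.constructed", type: "string" }] } } },
] }] };
console.log(JSON.stringify(cleanCollection(sample, true), null, 2));
```

The `findings` array names each redaction by folder path, so the cleaned output can be checked entry by entry before it is committed.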