Understanding query parameters and path variables in Postman

OK, so this is really a ‘note to self’ article that I’m keeping here for future reference. But it will hopefully also help you understand the difference between query parameters and path variables in Postman, and how to use each of them.

I recently got stuck in an API challenge on root-me.org for much longer than I should have. The challenge exposed the following endpoint: http://xxxxxxxx/api/user that returned some information on the logged-in user. The goal was to display the info of a different user.

I was working in Postman and the endpoint was only accessible with a GET request. POST, PUT and DELETE were disabled. So there was no way I could use the request body to pass parameters.

The documentation file (Swagger) that came with the API mentioned a parameter called user_id.

Using the query parameters

In the Params tab in Postman, there are two sections: Query Params and Path Variables.
Note that they don’t always appear together.

The Query Params section allows you to include a GET parameter. Enter the parameter name in the Key field and its value in the Value field.

You will see Postman adjusts the URL to include the GET parameter and its value as such:

Using the path variables

The path variables work differently. Add a parameter name in the URL path, preceded by a colon:

You will see Postman add this parameter name in the Path Variables section. When you add a value to this parameter and send the request through, Postman will include the value as such:
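The two placements described above, written out as an added example (it is not part of the original article and is not Postman's own code). The host api.example.test, the value 2 and the function names are assumptions made for illustration; user_id is the parameter named in the API documentation.

```javascript
// Added example, not Postman's code. api.example.test and the value 2 are
// constructed placeholders; user_id is the parameter named in the article.
const BASE = 'http://api.example.test/api/user';
const TEMPLATE = BASE + '/:user_id';

// Query-parameter placement: key=value pairs appended after "?".
function applyQueryParams(base, params) {
  const url = new URL(base);
  for (const [key, value] of Object.entries(params)) {
    url.searchParams.append(key, String(value));
  }
  return url.toString();
}

// Path-variable placement: each ":name" segment is replaced by its value.
function applyPathVariables(template, vars) {
  const url = new URL(template);
  url.pathname = url.pathname.split('/').map((segment) => {
    if (!segment.startsWith(':')) return segment;
    const name = segment.slice(1);
    if (!(name in vars)) throw new Error(`no value for path variable ${name}`);
    // Encode so a value containing "/" cannot add extra path segments.
    return encodeURIComponent(String(vars[name]));
  }).join('/');
  return url.toString();
}

// Report where a named parameter sits in a concrete request URL.
function locateParameter(requestUrl, template, name) {
  const url = new URL(requestUrl);
  const found = [];
  if (url.searchParams.has(name)) found.push('query');
  const want = new URL(template).pathname.split('/');
  const got = url.pathname.split('/');
  const routeMatches = want.length === got.length &&
    want.every((seg, i) => seg.startsWith(':') || seg === got[i]);
  if (routeMatches && want.includes(`:${name}`)) found.push('path');
  return found;
}

const asQuery = applyQueryParams(BASE, { user_id: 2 });
const asPath = applyPathVariables(TEMPLATE, { user_id: 2 });
console.log(asQuery, locateParameter(asQuery, TEMPLATE, 'user_id'));
console.log(asPath, locateParameter(asPath, TEMPLATE, 'user_id'));
```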

Closing thoughts

When you have identified a parameter that may be of use for a given endpoint, start by using it as a query parameter and test different values.

If that doesn’t work, use the parameter as a path variable and test the same values. It could just be as easy as that.

It was for me.


Hi! I'm a tech journalist, getting my feet wet in ethical hacking. What you will find here is me taking notes on the tools and techniques I’m learning and offering answers to the questions I had when I first got started not so very long ago.
