Postman

95 tools. 54 can modify or destroy data without limits.

10 destructive tools with no built-in limits. Policy required.

Last updated:

54 can modify or destroy data
41 read-only
95 tools total

Community server · catalogue entry verified 01/07/2026

How to control Postman ↓

What Postman exposes to your agents

Read (41) Write / Execute (44) Destructive / Financial (10)
Critical Risk

The most dangerous Postman tools

54 of Postman's 95 tools can modify, destroy, or commit something on every call — and an agent calls them with no built-in limits.

How to control Postman

PolicyLayer is an MCP gateway — it sits between your AI agents and Postman, and nothing reaches the server without passing your rules. These are the rules we recommend:

Deny destructive operations
{
  "delete_api": {
    "deny_if": [
      {
        "conditions": [],
        "on_deny": "Blocked by default. Requires approval."
      }
    ]
  }
}

Destructive tools should never be available to autonomous agents without human approval.

Rate limit write operations
{
  "add_api_collection": {
    "limits": [
      {
        "counter": "add_api_collection_per_hour",
        "window": "hour",
        "max": 30,
        "scope": "grant"
      }
    ]
  }
}

Prevents bulk unintended modifications from agents caught in loops.

Cap read operations
{
  "get_accounts": {
    "limits": [
      {
        "counter": "get_accounts_per_minute",
        "window": "minute",
        "max": 60,
        "scope": "grant"
      }
    ]
  }
}

Controls API costs and prevents retry loops from exhausting upstream rate limits.

  1. Create a free account and register Postman — nothing to install.
  2. Add these rules — paste them, or build them visually. Tune the limits to your setup.
  3. Point your MCP client (Claude, Cursor, anything) at your gateway URL.
ENFORCE POLICY ON POSTMAN →

Instant setup, no code required.

All 95 Postman tools

WRITE 43 tools
Write add_api_collection Add a collection to an API Write add_pan_element Add element or folder to Private API Network Write create_api Create a new API Write create_api_comment Create a new comment on an API (max 10,000 characters) Write create_api_schema Create a schema for an API Write create_api_version Create a new version of an API Write create_collection Create a new collection in a workspace. Supports Postman Collection v2.1.0 format. Write create_collection_folder Create a new folder in a collection Write create_collection_request Create a new request in a collection Write create_collection_response Create a new response in a collection Write create_environment Create a new environment in a workspace. Creates in Write create_mock Create a new mock server. Creates in Personal workspace if workspace not specified. Write create_monitor Create a new monitor. Cannot create monitors for collections added to an API definition. Write create_server_response Create a server response. Only one server response can be active at a time. Write create_update_schema_file Create or update a schema file Write fork_collection Fork a collection to a workspace Write fork_environment Create a fork of an environment in a workspace Write merge_collection_fork Merge a forked collection back into its parent Write merge_environment_fork Merge a forked environment back into its parent Write patch_collection Partially update a collection. Only updates provided fields. Write publish_mock Publish mock server (sets Access Control to public) Write pull_collection_changes Pull changes from parent collection into forked collection Write pull_environment Pull changes from parent environment into forked environment Write resolve_comment_thread Resolves a comment and any associated replies Write sync_collection_with_schema Sync a collection with its schema Write transfer_collection_items Transfer items between collections Write unpublish_mock Unpublish mock server (sets Access Control to private) Write update_api Update an existing API Write update_api_comment Update an existing API comment (max 10,000 characters) Write update_api_tags Update tags for an API Write update_api_version Update an API version Write update_collection Update an existing collection. Full collection replacement with maximum size of 20 MB. Write update_collection_folder Update a folder in a collection. Acts like PATCH, only updates provided values. Write update_collection_request Update a request in a collection. Cannot change request folder. Write update_collection_response Update a response in a collection. Acts like PATCH, only updates provided values. Write update_collection_roles Update collection roles (requires EDITOR role) Write update_environment Update an existing environment. Only include variables that need to be modified. Write update_mock Update an existing mock server Write update_monitor Update an existing monitor Write update_pan_element Update element or folder in Private API Network Write update_server_response Update a server response Write update_workspace_roles Update workspace roles for users and groups (limited to 50 operations per call) Write update_workspace_tags Update workspace tags
READ 41 tools
Read get_accounts Gets Postman billing account details for the given team Read get_api Get details of a specific API Read get_api_collection Get a specific collection from an API Read get_api_comments Get comments for an API Read get_api_schema Get a specific schema from an API Read get_api_schema_files Get files in an API schema Read get_api_tags Get tags for an API Read get_api_version Get a specific version of an API Read get_api_versions Get all versions of an API Read get_authenticated_user Get authenticated user information Read get_collection Get details of a specific collection Read get_collection_folder Get details of a specific folder in a collection Read get_collection_forks Get a list of collection forks Read get_collection_request Get details of a specific request in a collection Read get_collection_response Get details of a specific response in a collection Read get_collection_roles Get roles for a collection Read get_environment Get details of a specific environment Read get_environment_forks Get a list of environment forks Read get_mock Get details of a specific mock server Read get_mock_call_logs Get mock call logs. Maximum 6.5MB or 100 call logs per API call. Retention period based on Postman plan. Read get_monitor Get details of a specific monitor Read get_schema_file_contents Get contents of a schema file Read get_server_response Get a specific server response Read get_tagged_elements Get elements by tag Read get_task_status Get status of an asynchronous task Read get_user_info Get information about the authenticated user Read get_workspace Get details of a specific workspace Read get_workspace_roles Get roles for a specific workspace Read get_workspace_tags Get workspace tags Read health_check Perform a local system health check to verify Postman MCP server configuration and connectivity. Returns syste Read list_account_invoices Gets all invoices for a Postman billing account filtered by status Read list_apis List all APIs in a workspace Read list_collection_access_keys List collection access keys with optional filtering by collection ID Read list_collections List all collections in a workspace. Supports filtering and pagination. Read list_environments List all environments in a workspace. If workspace not specified, lists environments in Read list_mocks List all mock servers Read list_monitors Get all monitors Read list_pan_elements Get all elements and folders in Private API Network Read list_server_responses Get all server responses for a mock Read list_workspace_roles Get all available workspace roles based on team\ Read list_workspaces List all workspaces

Related servers

Other MCP servers with similar tools — same risk classification, starter policies for each.

Questions about Postman

Can an AI agent delete data through the Postman MCP server? +

Yes. The Postman server exposes 10 destructive tools including delete_api, delete_api_comment, delete_api_version. These permanently remove resources with no undo. PolicyLayer blocks destructive tools by default so they never reach the upstream server.

How do I prevent bulk modifications through Postman? +

The Postman server has 43 write tools including add_api_collection, add_pan_element, create_api. Set a rate limit in your policy -- for example, 10 calls per hour prevents an agent from making more than 10 modifications per hour. PolicyLayer enforces this at the gateway, before calls reach Postman.

How many tools does the Postman MCP server expose? +

95 tools across 4 categories: Destructive, Financial, Read, Write. 41 are read-only. 54 can modify, create, or delete data.

How do I enforce a policy on Postman? +

Register the Postman MCP server in PolicyLayer, apply the suggested rules above (adjust the limits to your use case), and point your AI client at the PolicyLayer proxy URL instead of the server directly. Your agents keep the same tools; PolicyLayer evaluates every call against policy before it executes. Nothing to install, live in minutes.

Enforce policy on every Postman tool call.

Deterministic rules across all 95 Postman tools. Per-identity grants. Full audit log. Live in minutes. Nothing to install.

Instant setup, no code required.

95 Postman tools catalogued and risk-classified — across an index of 43,000+ MCP servers.

// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.