
Be careful with Postman. It seems they upload all your secrets to their servers. We stopped using it a while ago. I don't know if they have changed in this regard.



How else would they sync all of the shared stuff in your workspace? I'm more interested if they properly encrypt my data in transit and at rest and whether Postman employees have free access to our secrets.


I got a bulletin from our security team saying Postman stores it all in plain text on their servers. Unbelievable if true. Haven't used it since. They have all your passwords.


I had this gut feeling, but no way to check. The handling of secrets is not explicitly stated, i.e. probably bad.

I like the looks of httpie’s new desktop client but no idea if their secret handling is any better.


This is from their website: https://www.postman.com/trust/security/

> Depending upon its sensitivity classification, customer data is AES-256-GCM encrypted at the server-side before storage. Postman environment variables are covered in this classification and we strongly encourage you to use them to store your authentication keys and passwords. We have also added sessions in the 6.2 release onwards of Postman. We recommend using session variables for any data that you do not want to be synced to Postman's servers.


> Depending upon its sensitivity classification

What does this mean?


> Postman environment variables are covered in this classification and we strongly encourage you to use them to store your authentication keys and passwords.

It reads to me that they encrypt Postman environment variables and encourage you to use those.

Not sure what else is "Customer data" in that regard but it seems they consider at least that bit worthy of encryption.



Does anyone have a source for this? I need to present this to our team if it's true.


They sync everything. If you store stuff in collections, requests, or environments, it’s uploaded.

Presuming it's end-to-end, but I don't know about at-rest encryption.
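A pre-sync check for the point above, added here as an example rather than anything from the thread or from Postman: it walks exported collection and environment JSON and flags credential-looking fields that hold a concrete value instead of a `{{variable}}` reference, so literals can be moved out before the export is synced. It assumes the field names of Postman's public v2.1 collection and environment export formats, and the name-matching regex is a heuristic, not a complete list.

```python
import re
# Constructed sample exports shaped like Postman's v2.1 collection and environment
# JSON (assumption: field names as in the public schema); the secret values are made up.
COLLECTION = {
    "variable": [{"key": "base_url", "value": "https://api.example.test"}],
    "item": [
        {"name": "list invoices", "request": {
            "method": "GET", "url": "{{base_url}}/invoices",
            "header": [{"key": "Authorization", "value": "Bearer {{api_token}}"}]}},
        {"name": "legacy", "item": [{"name": "export", "request": {
            "method": "GET", "url": "{{base_url}}/export",
            "header": [{"key": "X-Api-Key", "value": "CONSTRUCTED-KEY-0123456789"}],
            "auth": {"type": "basic", "basic": [{"key": "username", "value": "svc-billing"},
                                                {"key": "password", "value": "hunter2"}]}}}]},
    ],
}
ENVIRONMENT = {"name": "prod", "values": [
    {"key": "base_url", "value": "https://api.example.test", "enabled": True},
    {"key": "api_token", "value": "CONSTRUCTED-TOKEN-abcdef", "enabled": True},
]}
SENSITIVE = re.compile(r"auth|token|secret|passw|api[-_]?key|cookie|credential", re.I)
REFERENCE = re.compile(r"\{\{[^}]+\}\}")   # {{var}} is resolved at run time, not stored

def is_literal_secret(key, value):
    """Credential-looking name ('value' is the apikey auth slot) holding a concrete value."""
    return (bool(SENSITIVE.search(key)) or key == "value") and bool(value) and not REFERENCE.search(str(value))

def scan_items(items, findings):
    for item in items:
        if "item" in item:                          # folder: recurse into its requests
            scan_items(item["item"], findings)
            continue
        req = item.get("request", {})
        for hdr in req.get("header", []):           # e.g. a pasted Authorization header
            if is_literal_secret(hdr.get("key", ""), hdr.get("value")):
                findings.append((f"header in '{item['name']}'", hdr["key"]))
        auth = req.get("auth", {})
        for entry in auth.get(auth.get("type", ""), []):   # v2.1: list of key/value pairs
            if is_literal_secret(entry.get("key", ""), entry.get("value")):
                findings.append((f"{auth['type']} auth in '{item['name']}'", entry["key"]))
    return findings

def scan_collection(collection):
    findings = [("collection variable", v["key"]) for v in collection.get("variable", [])
                if is_literal_secret(v["key"], v.get("value"))]
    return scan_items(collection.get("item", []), findings)

def scan_environment(env):
    # every enabled environment variable is synced, so each literal secret here leaves the machine
    return [("environment variable", v["key"]) for v in env.get("values", [])
            if v.get("enabled", True) and is_literal_secret(v["key"], v.get("value"))]
```

Run it over real export files with `scan_collection(json.load(fh))` or `scan_environment(json.load(fh))`; a clean result means every credential slot is a reference, whose value can then live in an unsynced session variable.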



