Postman Pre-Request OAuth Script
Recursive and automatic (zero click) OAuth 2.0 Authentication with Hover's API in Postman using a Pre-Request Script (PRS)
Written by Engineering Admin
Updated over a week ago

This tutorial will walk you through setting up the necessary environment variables, the initial OAuth 2.0 flow, and a pre-request script for automatic OAuth 2.0 authentication with Hover’s API in Postman. Before beginning this process, make sure you have the Hover API collection downloaded to your Postman workspace.

After the PRS has been set up and the initial access token is obtained, you should no longer need to refresh your access token after it expires; the script will handle this for you before every request in the Hover API collection.

Environment Variables

For the Hover Sandbox OAuth collection to work with this PRS, you will need to add the following Environment Variables (which are case sensitive). This same flow can be conducted on the Hover production environment by hanging the base URL variable to

  • url => (use for the production environment)

  • client_id => your app’s Client ID value

  • client_secret => your app’s Client Secret value

  • callback_url => (or another valid url of your choosing)

  • access_token => leave blank

  • refresh_token => leave blank

  • token_created_at => leave blank

Import Hover OAuth Collection

  1. On your Postman application, click the Import button

  2. Navigate to the Link tab and copy/paste the following collection into the Link Tab:

  3. Click Continue

  4. Confirm that the Import As value is set to Collection and click Import.

This collection includes three requests that will be used in subsequent steps to obtain your initial access token.

Obtain Initial Authorization Code

  1. Using the newly-imported collection, navigate to the GET Access Code request.

  2. On the right-hand side of your Postman application, click on the Code button to generate a code snippet of the request. For the programming language, select the cURL option.

  3. Copy the request URL that’s generated in this snippet to your clipboard

  4. Place the URL in your browser and submit the request.

  5. You may be asked to log into your HOVER account. Once logged in, you should be directed to a page that allows you to grant your application access to the HOVER APIs on your behalf. Click the Authorize button.

  6. You will be redirected to the site that you dictated as your redirect_url. Within the URL in your browser, your authorization code should be the final query parameter in the URL. Copy this value to your clipboard

Exchange Authorization Code for Access Token

  1. In Postman, navigate to the POST Get Access Token request from the [Sandbox] Hover OAuth collection.

  2. Under the Body tab in this request, place the code you obtained in the last step as the value for the code key.

Submit this POST request. In your environment variables, confirm that there are now values present for the following variables:

  1. access_token

  2. refresh_token

  3. token_created_at

Configure HOVER API Collection to work with script

  1. In the parent HOVER API collection, navigate to the collection’s Authorization tab. Under the authorization type selection menu, select Bearer Token.

  2. In the Token field, use your access token environment variable (using the double-bracket notation ⇒ {{access_token}} ).

  3. Click into the Pre-request Script tab and paste the code snippet below into the text box (comments and console.log actions can be removed, if you desire). Save your changes to the collection.

const url = pm.environment.get("url")

//obtain the current timestamp and round to the nearest minute
var currentTimestamp = Math.round( / 1000)

//get the current valid access token created_at timestamp
accessTokenCreatedAt = parseInt(pm.environment.get("token_created_at"));

//add 7200 to accessTokenExpireTime to equal the time at which the access_token will expire
accessTokenExpireTime = (accessTokenCreatedAt + 7200)

if (accessTokenExpireTime <= currentTimestamp) {
console.log("token expired")

url: pm.environment.get("url")+"/oauth/token",
method: 'POST',
header: {
'Accept': 'application/json',
'Content-Type': 'application/x-www-form-urlencoded'
body: {
mode: 'urlencoded',
urlencoded: [
{key: "grant_type", value: "refresh_token", disabled: false},
{key: "client_id", value: pm.environment.get("client_id"), disabled: false},
{key: "client_secret", value: pm.environment.get("client_secret"), disabled: false},
{key: "refresh_token", value: pm.environment.get("refresh_token"), disabled: false},
}, function (err, res) {
pm.environment.set("access_token", res.json().access_token);
pm.environment.set("refresh_token", res.json().refresh_token);
pm.environment.set("token_created_at", res.json().created_at);

else {
console.log("token not expired")

In conclusion, we've set up a Postman environment that interacts with Hover's API. We walked through the initial OAuth 2.0 authentication process and added a Pre-Request Script to the collection for indefinite authentication in this environment!

Did this answer your question?