Hacked by… Postman?
Kinga @kkazala

Publish Date: Aug 14 '24

I was forking the “Microsoft Graph” collection on Postman recently, following the Use Postman with the Microsoft Graph API article.

Instead of clicking the link provided in the article, I made a quick search from the Postman app directly.
I could not believe my eyes…
I got a lot of results…

What’s so shocking about it?

It means that there are a lot of people who forked the collection to a public workspace. Most of these public workspaces also contain (publicly available) environments. They are used to store all the details needed to authenticate: tenant ID, client ID and client secret.
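A Postman environment is exported as a JSON file whose `values` array holds one object per variable (`key`, `value`, `type`, `enabled`). The following is an added example, not code from the post or from Postman: a small pre-publish check that scans such an export and reports credential-looking variables that still carry a value, so a workspace can be reviewed before it is made public. The variable names and values are constructed for the example, and the heuristic on key names is an assumption about what counts as sensitive.

```python
import json
import re

# Constructed sample of a Postman environment export. The "values" array layout
# (key/value/type/enabled) is the one Postman writes on export; every value here
# is made up for the example.
SAMPLE_ENV = json.dumps({
    "name": "Graph - Example Tenant",
    "values": [
        {"key": "TenantID", "value": "00000000-0000-0000-0000-000000000000",
         "type": "default", "enabled": True},
        {"key": "ClientID", "value": "11111111-1111-1111-1111-111111111111",
         "type": "default", "enabled": True},
        {"key": "ClientSecret", "value": "not-a-real-secret-value",
         "type": "default", "enabled": True},
        {"key": "RefreshToken", "value": "also-not-a-real-value",
         "type": "secret", "enabled": True},
        {"key": "Password", "value": "",
         "type": "default", "enabled": True},
    ],
    "_postman_variable_scope": "environment",
})

# Assumed heuristic: variable names that usually hold credentials.
SENSITIVE_KEY = re.compile(
    r"(secret|password|passwd|token|apikey|api_key|private)", re.IGNORECASE
)


def find_exposed_secrets(env_json: str) -> list:
    """Return credential-looking variables that still hold a non-empty value.

    The 'secret' variable type only masks the value in the Postman UI; a
    populated value is still a value, so both types are reported.
    """
    env = json.loads(env_json)
    findings = []
    for var in env.get("values", []):
        key = var.get("key", "")
        value = var.get("value") or ""
        if not value:
            continue  # an empty placeholder is safe to share
        if SENSITIVE_KEY.search(key):
            findings.append({
                "key": key,
                "type": var.get("type", "default"),
                "value_length": len(value),  # never echo the value itself
            })
    return findings


def safe_to_publish(env_json: str) -> bool:
    """True only when no credential-looking variable carries a value."""
    return not find_exposed_secrets(env_json)


if __name__ == "__main__":
    for f in find_exposed_secrets(SAMPLE_ENV):
        print(f"{f['key']}: populated ({f['type']} type, {f['value_length']} chars)")
    print("safe to publish:", safe_to_publish(SAMPLE_ENV))
```

Run it against an exported environment (`json.load` the file instead of `SAMPLE_ENV`) before forking a collection into a public workspace; a clean result means only empty placeholders would be shared. The check deliberately reports the length of a value rather than the value, so its output can be pasted into a ticket without repeating the exposure.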

I am not sure it’s a great idea. 🙈

Please don’t do it.

Please ask your colleagues not to do it.

You may think nobody cares and nobody will notice, but… I did notice. And it’s not my job to hack people. But there are companies who do it for a living, professionally, and chances are they do pay close attention to our actions.
Don’t make their life so easy.
