Description
Is there an existing request for this feature?
- I have searched the existing issues for this feature request and I know that duplicates will be closed
Is your feature request related to a problem?
Yes.
Postman currently deletes all secrets stored in the local vault when a user signs out of the application. This behavior appears intentional and is documented, but it creates significant friction for developers who legitimately switch between multiple Postman accounts on the same workstation.
A typical workflow looks like this:
- Log into Postman
- Create secrets in the local vault
- Sign out (for example due to switching organizations or accounts)
- Sign back in
- The vault is empty and all secrets must be recreated
This becomes especially problematic when developers:
- Switch between corporate and personal Postman accounts
- Work with multiple organizations
- Must log out due to SSO or credential refresh policies
This behavior has also been observed by other users (see related discussions such as Issue #13361: "Postman vault empty after Sign Out and Sign In").
Because vault contents are destroyed on logout, users are forced to repeatedly recreate secrets or rely on temporary external storage, which defeats part of the purpose of the vault.
Describe the solution you'd like
Instead of deleting vault contents on logout, Postman could maintain separate encrypted local vaults per Postman account on the same machine.
Under this model:
- Each Postman account would have its own encrypted local vault
- When a user logs in, Postman automatically loads the vault associated with that account
- Logging out does not delete the vault; it simply unmounts it
- Logging back into the same account restores the vault
Example behavior:
Current behavior:
- Login with Account A
- Create vault secrets
- Logout
- Login again
- Vault is empty
Proposed behavior:
- Login with Account A → Vault A loads
- Logout
- Login with Account B → Vault B loads
- Login again with Account A → Vault A is restored
Each vault would remain completely isolated and encrypted locally.
This preserves the security model while improving usability for multi-account workflows.
Describe alternatives you've considered
Current alternatives are limited and inconvenient:
- Re-enter all vault secrets every time a logout occurs
- Store secrets temporarily outside Postman
- Export and re-import vault data manually
There is also a related feature request (Issue #13317) proposing vault export/import, which could help mitigate the issue but still requires manual steps and does not solve the root workflow friction.
Maintaining separate local vaults per account would eliminate the need for these workarounds.
Additional context
This request is not intended to weaken Postman's security model.
Suggested safeguards could include:
- Vaults remain locally encrypted
- Vaults are strictly scoped to a specific Postman account
- No cross-account access to vault contents
- Optional auto-lock after inactivity
- Optional enterprise policy allowing administrators to enforce the current delete-on-logout behavior
In other words, the current behavior could remain the default or enterprise-enforced option, while developers working on trusted machines could benefit from account-scoped vault persistence.
Treating the vault as a locally encrypted resource attached to both the device and the active Postman account would better reflect real-world development workflows while preserving the intended security boundaries.
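To make the proposed model concrete, here is a small Python model of an account-scoped local vault store. It is an added illustration written for this request, not Postman's code, and it makes no claim about how Postman's vault is actually implemented. The account ids, passphrases, the in-memory "disk", the device secret and the HMAC-based cipher are all assumptions chosen so the example runs offline with the standard library; a real implementation would use an AEAD from a vetted library. It shows the four properties listed above: each account gets its own encrypted vault, logout unmounts (drops the key) rather than deletes, the same account gets its vault back on the next login, account B can neither see nor decrypt account A's vault, and an enterprise policy flag can keep the current delete-on-logout behaviour.

```python
"""Account-scoped local vault model (illustrative, not Postman's implementation)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Constructed stand-in for a device-bound secret held in the OS keychain (assumption).
DEVICE_SECRET = b"constructed-device-secret-not-real"
NONCE_LEN, TAG_LEN = 16, 32


def derive_account_key(account_id: str, passphrase: str) -> bytes:
    """Per-account key: PBKDF2 over passphrase + device secret, salted with the account id.
    Different account ids give unrelated keys, so vault A is opaque to account B."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode() + DEVICE_SECRET,
                               account_id.encode(), 100_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; illustrative only, a real vault would use AES-GCM."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first; a wrong account key or a tampered blob is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("vault integrity check failed: wrong account key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class VaultStore:
    """Stands in for the on-disk directory of per-account vault files."""
    delete_on_logout: bool = False                 # enterprise policy: current behaviour
    files: dict = field(default_factory=dict)      # account_id -> encrypted blob


@dataclass
class Session:
    account_id: str
    key: bytes          # held only while logged in
    secrets: dict


def login(store: VaultStore, account_id: str, passphrase: str) -> Session:
    """Mount the vault that belongs to this account (empty if none exists yet)."""
    key = derive_account_key(account_id, passphrase)
    blob = store.files.get(account_id)
    data = json.loads(decrypt(key, blob)) if blob is not None else {}
    return Session(account_id, key, data)


def set_secret(store: VaultStore, session: Session, name: str, value: str) -> None:
    """Write-through: every change is re-encrypted under the account key."""
    session.secrets[name] = value
    store.files[session.account_id] = encrypt(session.key, json.dumps(session.secrets).encode())


def logout(store: VaultStore, session: Session) -> None:
    """Proposed: unmount only. Under the legacy policy the vault file is deleted as well."""
    if store.delete_on_logout:
        store.files.pop(session.account_id, None)
    session.key, session.secrets = b"", {}    # key and plaintext leave memory


def demo() -> dict:
    """Run the two scenarios from the request and return the observable results."""
    store = VaultStore()
    a = login(store, "account-a@example.com", "pass-a")        # constructed accounts
    set_secret(store, a, "API_TOKEN", "tok-a")
    logout(store, a)

    b = login(store, "account-b@example.com", "pass-b")
    b_can_decrypt_a = True
    try:
        decrypt(b.key, store.files["account-a@example.com"])
    except ValueError:
        b_can_decrypt_a = False
    logout(store, b)

    a_again = login(store, "account-a@example.com", "pass-a")   # Vault A is restored

    legacy = VaultStore(delete_on_logout=True)                  # current behaviour
    c = login(legacy, "account-a@example.com", "pass-a")
    set_secret(legacy, c, "API_TOKEN", "tok-a")
    logout(legacy, c)
    c_again = login(legacy, "account-a@example.com", "pass-a")

    return {"a_restored": a_again.secrets, "b_sees_a_secret": "API_TOKEN" in b.secrets,
            "b_can_decrypt_a_blob": b_can_decrypt_a, "legacy_vault_after_logout": c_again.secrets}


if __name__ == "__main__":
    print(demo())
```

The store keeps one blob per account id and never touches another account's blob on login or logout, so isolation comes from both the file boundary and the key derivation; even if account B reads vault A's bytes directly, the integrity check fails. Logging in with the wrong passphrase for an existing vault fails the same way rather than silently presenting an empty vault.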