Hassann

Posted on • Originally published at apidog.com

APIDOG May Updates: Smarter Postman Migration, Auth Security Controls, and Non-Root Runner

⭐ May is a practical release focused on reducing setup work after migration, strengthening enterprise authentication security, and making everyday API debugging outputs more complete.


When teams move API work between tools, the import step is only the start. The real cleanup usually happens afterward: fixing base URLs, reconnecting environments, adding auth to generated snippets, and making runners comply with infrastructure policies.

This May release focuses on those implementation details:

  • Smarter Base URL mapping during Postman import
  • Enterprise Policies starting with Auth Security controls
  • Spec-First Mode without required Git binding upfront
  • Runner support for non-root execution
  • Generated request code with configured authentication
  • Better cURL output, test synchronization, and Mock data generation

⭐ New Updates

📦 Import Postman Data with Smarter Base URL Mapping

When you import Postman data into Apidog, Apidog can now detect shared Base URLs more intelligently and map them to the matching module Base URL field across environments when detection is reliable.


For teams migrating from Postman, this removes a common manual step after import.

| Before | Now |
| --- | --- |
| Import collections from Postman. | Import Postman files or use the Postman API import path. |
| Manually inspect request URLs. | Apidog detects shared Base URLs when it can do so reliably. |
| Fill in module Base URLs for each environment. | Detected values are placed in the matching module Base URL field. |
| Fix broken requests before testing. | Imported requests are easier to run immediately. |

This works for both local Postman file import and import through the Postman API. If request URLs contain a clear shared address or recognizable variable, Apidog attempts to extract the usable Base URL and place it in the related environment configuration.


🛡️ Enterprise Policies Starts with Auth Security Controls

Apidog is introducing Enterprise Policies as an organization-level governance framework. The first supported area is Auth Security.

Auth Security helps reduce credential exposure in authentication configuration. Organization admins can define rules for sensitive auth fields, such as encouraging or requiring credentials to be stored as variables or Vault Secrets instead of raw values.

For Vault Secrets, teams can also prevent plain-text reveal in the UI. Members can still reference the secret when sending requests, but the value is not casually exposed through an eye icon or during screen sharing.

🔒 Use this when your team needs authentication governance without turning API debugging into a separate security workflow.


📝 Spec-First Mode No Longer Requires Git Setup First

You can now create a Spec-First project without binding a Git repository first. After creating the project, you can add or import an OpenAPI file when you are ready.


This makes it easier to evaluate an OpenAPI-centered workflow before committing to a repository structure.

A practical rollout path could look like this:

  1. Create a Spec-First project.
  2. Import or create an OpenAPI file.
  3. Review the workflow with your team.
  4. Bind Git later when the repository structure is ready.

ℹ️ This is useful for teams collecting early feedback before standardizing their spec repository workflow.


🔒 Runner Can Now Run as a Non-Root User

Runner now supports running as a non-root user.

This matters for stricter server, container, and CI/CD environments where root execution is discouraged or blocked by policy. You can deploy Runner with a smaller permission footprint while keeping the same testing workflow.

Example use cases:

  • Running API tests inside locked-down containers
  • Executing Runner in CI/CD environments with restricted permissions
  • Aligning Runner deployment with internal security requirements

✅ This update helps teams keep automated API testing compatible with stricter infrastructure policies.


🔐 Generated Request Code Can Include Authentication Information

When generating request code from an API request, Apidog can now include authentication information that has already been configured.


That makes generated snippets closer to runnable examples. Instead of exporting a request and then manually adding tokens, headers, or other auth parameters, developers can start from a more complete snippet.

Use this when you need to:

  • Verify an API call quickly
  • Share a runnable request example with teammates
  • Paste a request into another debugging tool
  • Reproduce an authenticated request outside Apidog

✅ Optimizations

🧩 CLI Script Execution Is Now More Restricted

To reduce script execution risk, the CLI now only allows scripts from the External Programs directory to be called.

If your team uses CLI scripts in automation flows, check whether existing script paths match the new execution rule.

Recommended check:

# Review automation scripts that call external programs
# Confirm they are located under the allowed External Programs directory

This tighter boundary helps reduce accidental or overly broad script execution while keeping intended external-program workflows available.
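One way to run the recommended check, as an added example (not Apidog's code): the function below resolves each script path and reports the ones that fall outside the allowed directory, covering `..` segments, symlinks that point elsewhere, and look-alike sibling directories. The directory name `external-programs`, the `workdir` parameter and the sample layout are assumptions; substitute the actual External Programs path used by your installation. Following symlinks is a conservative choice that the release note itself does not specify.

```python
import os
import tempfile
from pathlib import Path


def outside_allowed(script_paths, allowed_dir, workdir="."):
    """Return the entries that do not resolve to a location inside allowed_dir."""
    root = Path(allowed_dir).resolve()
    offenders = []
    for raw in script_paths:
        # Relative paths are resolved against workdir (an assumption about
        # where the automation runs). resolve() collapses ".." segments and
        # follows symlinks, so the comparison uses the real location.
        resolved = (Path(workdir) / raw).resolve()
        # Comparing whole path components avoids the string-prefix mistake
        # where "<root>-old/x.py" appears to sit under "<root>".
        if root not in resolved.parents:
            offenders.append(raw)
    return offenders


def demo():
    """Build a constructed directory layout and return the flagged labels."""
    with tempfile.TemporaryDirectory() as tmp:
        allowed = Path(tmp, "external-programs")  # placeholder directory name
        sibling = Path(tmp, "external-programs-old")
        hooks = Path(tmp, "ci", "hooks")
        for d in (allowed, sibling, hooks):
            d.mkdir(parents=True)
        for f in (allowed / "sign.py", sibling / "sign.py", hooks / "notify.sh"):
            f.write_text("# constructed sample\n")
        # A link stored inside the allowed directory that points outside it.
        os.symlink(hooks / "notify.sh", allowed / "notify.sh")
        scripts = {
            "inside": str(allowed / "sign.py"),
            "relative": "sign.py",
            "prefix look-alike": str(sibling / "sign.py"),
            "dot-dot escape": str(allowed / ".." / "ci" / "hooks" / "notify.sh"),
            "symlink escape": str(allowed / "notify.sh"),
        }
        flagged = set(outside_allowed(scripts.values(), allowed, workdir=allowed))
        return [label for label, path in scripts.items() if path in flagged]


if __name__ == "__main__":
    print(demo())
```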


📋 Copied cURL Commands Include More Request Configuration

Copied cURL commands now include configured Header and Body parameters more reliably.

This makes the copied command closer to the request configured in Apidog.

Typical use cases:

# Paste into a terminal for quick debugging
curl ...

# Share with a teammate to reproduce an issue
curl ...

# Add to an incident or troubleshooting note
curl ...

The goal is less manual cleanup after copying.
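Because generated request code can now carry configured authentication and copied cURL commands carry configured headers, a snippet pasted into a ticket or incident note may contain live credentials. The following added example (not part of the original post or of Apidog) masks them before sharing; the header and parameter lists and the sample command are assumptions constructed for illustration.

```python
import re
import shlex

# Assumed lists for this example; extend them to match your own APIs.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "x-api-key"}
SENSITIVE_PARAMS = re.compile(r"(?i)\b(access_token|api_key|apikey|token)=([^&\s]+)")
MASK = "<redacted>"


def redact_curl(command):
    """Return the cURL command with credential-bearing values masked."""
    # Copied commands are usually multi-line; join backslash continuations
    # first so shlex does not produce stray newline tokens.
    args = shlex.split(command.replace("\\\n", " "))
    out, i = [], 0
    while i < len(args):
        arg = args[i]
        value = args[i + 1] if i + 1 < len(args) else None
        if arg in ("-H", "--header") and value is not None:
            name, _, content = value.partition(":")
            lname = name.strip().lower()
            if lname in SENSITIVE_HEADERS:
                # Keep the scheme (Bearer, Basic) for Authorization headers
                # so the note still shows which auth type was used.
                parts = content.split(None, 1)
                keep = parts[0] + " " if lname.endswith("authorization") and len(parts) == 2 else ""
                value = f"{name}: {keep}{MASK}"
            out += [arg, value]
            i += 2
        elif arg in ("-u", "--user") and value is not None:
            user = value.partition(":")[0]
            out += [arg, f"{user}:{MASK}"]
            i += 2
        else:
            # URLs and form bodies: mask well-known credential parameters.
            out.append(SENSITIVE_PARAMS.sub(r"\1=" + MASK, arg))
            i += 1
    return shlex.join(out)

# Constructed sample; the host and all credentials are made up.
SAMPLE = r"""curl -X POST 'https://api.example.test/v1/orders?api_key=k-123' \
  -H 'Authorization: Bearer abc.def.ghi' \
  -H 'Content-Type: application/json' \
  -u 'svc-user:s3cret' \
  -d '{"qty": 2}'"""

if __name__ == "__main__":
    print(redact_curl(SAMPLE))
```

Credentials carried in JSON bodies or in custom headers are not covered by these lists and need their own entries.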


🧪 Automated Test Steps Stay in Sync After Method Changes

When an endpoint method changes from GET to POST, PUT, or another method, related automated test steps now synchronize the updated configuration more accurately.

This reduces mismatches caused by stale request method information.

Example workflow:

  1. Update an endpoint method.
  2. Review related automated test steps.
  3. Run the test scenario.
  4. Confirm the request method is synchronized correctly.

This makes automated test results easier to trust after endpoint changes.


🎲 More Reliable Mock Data Generation

This release fixes several Mock data generation issues, including:

  • Multiplier rules
  • arrayElements expressions
  • Batch generation when JavaScript generation and Mock generation are used together

For frontend-backend integration, bulk test data generation, and automated testing, Mock output should now be more stable and closer to the rules you configured.


🐞 Bug Fixes and Smaller Improvements

This release also includes several fixes and quality-of-life improvements:

  • Fixed an issue where shared documentation request parameters did not show default examples.
  • Fixed an issue where exporting a project with only Markdown documents and no endpoints could fail.
  • Fixed several Mock data generation issues, including batch generation when JavaScript generation and Mock generation were both used, number multiplier rules, and arrayElements min and max expressions.
  • Fixed an issue where project overview fixed links could return a 500 error after opening links from different projects in sequence.
  • Fixed an issue where the interface could show Error: Cannot read properties of null (reading 'nullable') in some cases.
  • Fixed a contrast issue where selected example names in shared documentation could be hard to read in light theme.
  • Fixed an issue where Windows users could not use AI Agent Debugger normally.
  • Fixed an issue where a form-data body field with multiple uploaded files would show only one file after opening batch edit and saving.

🌟 What This Means for API Teams

May’s updates are focused on reducing small but expensive sources of workflow friction.

| Area | What improves | Why it matters |
| --- | --- | --- |
| Postman migration | Shared Base URLs are mapped when Apidog can reliably detect them. | Less manual cleanup after importing collections and configuring environments. |
| Runner deployment | Runner can run as a non-root user. | Better fit for stricter server, container, and CI/CD policies. |
| Enterprise security | Enterprise Policies starts with Auth Security controls. | Admins can reduce raw credential exposure in authentication workflows. |
| Spec-first workflows | Spec-First projects no longer require Git binding before use. | Teams can try OpenAPI-centered work before setting up a repository workflow. |
| Request sharing | Generated code and cURL outputs include more of the configured request. | Examples are easier to run, reproduce, and share. |
| Testing and Mocking | Test steps synchronize more accurately and Mock generation is more stable. | Teams spend less time chasing configuration drift and unexpected test data. |

The common theme is straightforward: fewer manual fixes, safer defaults, and outputs that better match the request configuration you already built.


💬 Join the Conversation

Connect with fellow API engineers and the Apidog team:

  • Join our Discord community for real-time discussions and support.
  • Participate in our Slack community for technical conversations.
  • Follow us on X (Twitter) for the latest updates.

P.S. For the full details on all updates, check the Apidog Changelog!

Best Regards,

The Apidog Team
