We all know that if we want to consume SAP OData service to perform some write operation on server, that is, create, update or delete, it's necessary to get a CSRF token first and then append it as header field of the actual OData service call.

Previously I test such scenario using Postman, and I have to always do the following things manually:

1. fetch a valid CSRF token from server by specifying HTTP header field x-csrf-token's value as "fetch":

2. append this token to the header field of the second HTTP post request:

Then one of my colleagues inspired me: can all these boring steps could be finished automatically with a single click?

Yes! It could be just achieved by a little scripting in Postman itself.

1. Click this icon to open Environments maintain screen:

Create a new environment named "TokenSuite" and a variable "csrftoken" within it:

2. In the first token retrieve HTTP request, write the following simple script to parse the token from HTTP response and set it to the environment variable just created in previous step:

var token = postman.getResponseHeader("x-csrf-token");

console.log("token:" + token);



postman.setEnvironmentVariable("csrftoken", token);

3. In the second HTTP post request, just specify the actual value of token using grammar {{csrftoken}}:

Now click run button:

Collection Runner window is opened. Just press "Run CSRF token test":

And the two requests could be run one by one, the token retrieved by first request was automatically used in the second HTTP post request. Very convenient, isn't it?