Access SharePoint Online REST API via Postman with User Context


SharePoint Online(SPOL) allows remote applications to call the REST API with user impersonation. This article demonstrates how to access SPOL REST API and to the data from a SharePoint list in a tenant using Postman. However, outside of .NET the authentication piece is not so straightforward. App authentication solves this issue for registered apps but in this article you will see how remote user authentication can be achieved, regardless of platform.

The goal of this article is to provide examples of the HTTP requests which need to be made in order to authenticate SharePoint Online. It then provides an example of using the same technique to read data from a SharePoint list just to make sure it all works.


To play with this POC, you need the following:

Note: If you already have a subscription, you can use an existing account from your Office 365 subscription.

  • A SharePoint List with some data.
  • To send HTTP requests I am going to use Postman. Click here to go through Postman Getting Started details.
  • Fiddler to trace / debug

Note: The type of applications where this kind of approach may be necessary include: Java, PHP, or Informatica.

  • Keep the Chrome Browser and Fiddler Running for this POC. But you don’t need to login to SharePoint.

Steps Invovled

Before we read the data from SPOL, The REST API authentication piece comes in a few steps:

  • Generate Security Token
  • Generate Access Token
  • Get Request Digest

Generate Security Token

The first step is to provide a username and password of a user with Read access to the SharePoint List and the URL at which we want access to the SharePoint Online Security Token Service.

This is done by sending a POST request with the following XML as the request body to the URL


Note: Replace the following values with your data.

[User Name] – SPOL Account Username (example:

[Password]     – SPOL Account Password

[SharePoint Site URL] – SharePoint site URL where your list exists

Postman Configurations


(Request Body)


(Request Header)

Set Content-Type to application/x-www-form-urlencoded

Now hit Send button to view the Response. Your HTTP Response should be something like this:



Note down the security token value inside the wsse:BinarySecurityToken tag.

Important Note: If you get “Direct login to WLID is not allowed for this federated namespace”error, you have to follow different steps. Please refer the C# code for the tenants connected with ADFS.

Generate Access Token

Once the security token has been generated it must be used to fetch the access token. We can do this by sending a POST request to the following URL with the security token in the request body:

Postman Configurations


(Request Header)


(Request Body)

Now hit Send button to view the Response. Your HTTP Response should be something like this:

The response for this request contains some Cookies which must be passed as headers with all upcoming requests. Note down the values of the rtFa and FedAuth Cookies.



Get Request Digest

The request digest is a feature that ensures requests are coming from a single session. It must also be included with any POST requests.

We can get the request digest value by sending a POST request to the below URL:

Add rtFa and FedAuth Cookie values as headers with the request.

Postman Configurations


(Request Header)

Now hit Send button to view the Response. Your HTTP Response should be something like this:


(Request Response)

Note down the security token value inside the d:FormDigestValue tag including date and time zone values.

Read Data from SharePoint List

Now we are going to pass the d:FormDigestValue along with rtFa and FedAuth Cookie values in header section to access the SharePoint list via List REST API endpoint as shown below:

Postman Configurations


(Request Header)


(Request Response)

As you can see, we are able to read the SharePoint list data via REST API without login to SharePoint site in the browser.

Now you can try to mimic the same process in your own server-side language which supports web requests and work against SharePoint Online. The C# version of the same concept can be found here.

Issues Faced

If you are not able to generate REQUEST DIGEST value, follow the below article:

403 Forbidden from /_api/contextinfo when using Chrome Postman REST App