API client user agents (Postman, etc.)
Developers exercise APIs with tools like Postman, Insomnia, and HTTPie, each of which sends a recognisable default user agent (for example a PostmanRuntime token). Seeing these means someone is testing or scripting against your API, not browsing your pages. This page covers the patterns and how to read them.
Default tokens from API tools
API development and testing tools ship with their own default user agents. Postman sends a PostmanRuntime token, and other clients such as Insomnia and HTTPie similarly name themselves. These tokens mark a request made through an API tool rather than a browser.
Seeing them usually means a developer is testing endpoints, debugging an integration, or running a scripted collection against your API.
- Postman sends a PostmanRuntime token
- Insomnia, HTTPie and similar tools name themselves too
- Marks deliberate API calls, not browser page views
Reading API tool traffic
API client traffic is generally expected and benign — it is how integrations get built and tested. The token tells you the channel (a tool), not the intent; judge by rate, paths, and authentication rather than the string.
These defaults can be overridden, and automated collections can run unattended, so treat the token as a hint. Match on the stable tool token and confirm specifics against each tool's documentation.
How it appears in analytics and logs
A user agent naming an API tool (such as a PostmanRuntime token) indicates a person or script exercising your API through that tool. It is intentional API traffic, not a browser page view.
Diagnostic use case
Recognise API testing and client tools by their default tokens so deliberate API traffic is distinguished from browser visits and from background automation.
What WebmasterID can help detect
WebmasterID recognises common API client tokens server-side and classifies them as automation/tooling, separate from human analytics, with unknown clients kept in an honest bucket.
Common mistakes
- Counting API tool calls as browser page views.
- Assuming an API client token always means a human is actively testing.
- Expecting the default token when tools allow a custom user agent.
Privacy and accuracy notes
API client tokens name a tool, not a person. WebmasterID records such requests as bot/automation events, never as human profiles.
Related pages
- Java and OkHttp user agents
JVM HTTP clients send recognisable default user agents: Java's built-in URL connection uses a Java/version token, and the widely used OkHttp library uses an okhttp/version token. Both mark scripted or app traffic from the Java ecosystem, including many Android apps. This page covers the two patterns.
- curl, wget and script user agents
Command-line and library HTTP clients send a default user agent that names the tool: curl/x.y, Wget, python-requests, Go-http-client, and similar. These are scripts, not browsers, and seeing them is normal. This page explains the patterns and how to treat them without over- or under-reacting.
- Event explorer
Inspect individual requests and how they are categorised.
Sources and verification notes
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.