SharePoint Online – CRUD operation on SharePoint list using REST API and Postman Client – Part 1


In this article, we will walk through how to perform CRUD operations on a SharePoint list using the REST API and the Postman client.


  1. SharePoint Online Tenant
  2. Postman API Client
  3. SharePoint REST API (List end point)

Postman API Client:

Postman is an API development/testing environment. It was designed from the ground up to support all aspects of API development. For a SharePoint app/add-in developer, this is a very useful tool for testing REST endpoints and performing CRUD operations long before the actual app is developed.


Fig 1 : builder tab

Let’s get to the steps…

Step-1: Create Collection in Postman

First, we need to create a Collection in Postman. This newly created collection will hold all the files for authorization as well as GET, POST, PATCH and DELETE methods.

How to Create Collection:
To create a new collection, click on the New button and then click Collection. Postman will then ask for details in a popup.


Fig 2: Menu – new collection

In the popup, we need to provide the collection name and description.


Fig 3 : Create a new collection dialog

Once we have provided the required information, the collection will show up under the Collections tab.


Fig 4 : Collection tab

Step-2: Create folder in Postman

After creating the collection, we need to create folders under it. This will help us organize our files easily.

How to create a folder:
To create a folder, first select the collection created in the previous step, go to the menu of the collection and click on “Add Folder”.


Fig 5: Creating folder

Follow the above steps and create two folders under the collection:

  1. Authorization (For files related to authentication)
  2. Request (For files related to request such as get, post, patch and delete)

Note: It is not mandatory to use the folder names suggested above. You can name these folders as per your requirement. Since there will be many files, I chose to have two folders, one for authorization and another for CRUD.

Step-3: Authorize Postman to access SharePoint

To be authorized from an external system, we must pass an access-token value as a request header along with the REST API URL. Before that, we must obtain the access token; to do so, we generate the Client ID and Client Secret from the site by registering an App/Add-In in the SharePoint site. This is the same as registering an add-in for a Provider Hosted Add-In. For authorization, we will require the following codes. In the following steps, we will go through how to get them.

  • Client ID
  • Client Secret
  • Bearer Realm and Bearer Client ID
  • Authorization Code (if we are implementing Refresh Token)
  • Access Token
  • Refresh Token

# Register Add-In/App:
As the first stage, we must register the Add-In in the SharePoint site where we want to access the information. Follow the steps below to register the Add-In in the SharePoint site.

  • Navigate to the SharePoint Online site and log in.
  • Then navigate to the Register Add-In page by entering the URL as

E.g. https://<sharepoint_tenant_name><site_collection_name>/_layouts/15/appregnew.aspx

Here, click on the Generate button to generate the Client ID and Client Secret.


Fig 6 : Generating Client Id and Client Secret

Provide the following fields as follows:

  • Title – Title of the app, in our case it is “PostmanApp”
  • App Domain – In our case provide it as “localhost”
  • Redirect URI – In our case it should be “https://localhost/”

After providing all required information, click the Create button. Once the app is registered, it will return the response as follows.

Client Id: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Client Secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Title: PostmanApp
App Domain: localhost
Redirect URI: https://localhost/

Note: It is very important that the redirect URI uses the “https” protocol. If http is given, it might cause issues while redirecting to localhost.

# Grant Permissions to Add-In
Once the Add-In is registered, we have to set the permissions for that add-in to access the SharePoint data. We will set the Read/Write/Manage/FullControl permission level at the web scope, so that we will be able to access the web content and information. Please find the links in the reference section of this document for details on permission levels.

  • Navigate to the SharePoint site
  • Then enter the URL in the following format in the browser. This will redirect to the Grant
    permission page where we will get the “Authorization Code”, which will be required for
    the Refresh Token and Access Token.

URL syntax e.g.
scope=Web.Manage&response_type=code&redirect_uri=https://localhost/


  • client_id – client id we obtained while registering the app.
  • scope – Web.Read (Read/Write/Manage/FullControl)
  • response_type – It should be code. It will return an authorization code.
  • redirect_uri – The redirect URI we provided while registering the app.

Fig 7 : App authorization

Now click the Create button. This will redirect to the URI we gave while registering the app.


Fig 8: response code

Here we have to copy the code we got in the response. This code will be required for obtaining the Refresh Token, which in turn will be required for obtaining the Access Token.

  • If we want to access site collection or site level, we have to add the scope
  • Sometimes there is an issue in redirecting. If it does not redirect properly, remove the
    redirect_uri parameter.

# Retrieve the Tenant ID (Bearer Realm)

Once we have registered the Client ID and Secret with the permissions, we are ready to access SharePoint information from an external system or tool. First, we need to know the Tenant ID/Bearer Realm. Follow the steps below to obtain it from Postman, which returns the tenant ID when we request the URL below with an Authorization header.

  • Launch Postman.
  • Enter the below URL in the “Request URL” textbox: https://<sharepoint_tenant_name><site_collection_name>/_vti_bin/client.svc/
  • Select the method as GET.
  • In Headers, provide the Key as Authorization and the Value as Bearer, then click the Send button.


This is a one-time process and returns the bearer information in a header (Fig 9). Once we get the bearer realm, it can be reused.


Fig 9: bearer realm and client ID
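
The bearer information from Fig 9 can be extracted by a script rather than copied by hand. The following is an added example, not code from the original article: it assumes the values arrive in the `WWW-Authenticate` response header, runs against a constructed sample header, and the collection variable names `bearerRealm` and `bearerClientId` are hypothetical.

```javascript
// Added example: parse the Bearer challenge returned by /_vti_bin/client.svc/.
// SAMPLE_HEADER is constructed for illustration; the realm GUID is a placeholder.
const SAMPLE_HEADER =
  'Bearer realm="11111111-2222-3333-4444-555555555555",' +
  'client_id="00000003-0000-0ff1-ce00-000000000000",' +
  'trusted_issuers="00000001-0000-0000-c000-000000000000@*",' +
  'authorization_uri="https://login.windows.net/common/oauth2/authorize"';

const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Returns { realm, clientId } or throws if the header is not a usable Bearer challenge.
function parseBearerChallenge(header) {
  if (typeof header !== 'string' || !/^Bearer\s/i.test(header.trim())) {
    throw new Error('No Bearer challenge in response');
  }
  const params = {};
  // Parameters are key="value" pairs; quoted values may themselves contain commas.
  const re = /([a-z_]+)\s*=\s*"([^"]*)"/gi;
  let m;
  while ((m = re.exec(header)) !== null) {
    params[m[1].toLowerCase()] = m[2];
  }
  // Reject anything that is not GUID-shaped before it is reused in later requests.
  if (!GUID.test(params.realm || '')) throw new Error('realm missing or not a GUID');
  if (!GUID.test(params.client_id || '')) throw new Error('client_id missing or not a GUID');
  return { realm: params.realm, clientId: params.client_id };
}

// In Postman's Tests tab, read the header from the response and store the
// values on the collection (variable names are hypothetical).
if (typeof pm !== 'undefined') {
  const parsed = parseBearerChallenge(pm.response.headers.get('WWW-Authenticate'));
  pm.collectionVariables.set('bearerRealm', parsed.realm);
  pm.collectionVariables.set('bearerClientId', parsed.clientId);
}
```
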

Now save this request as “STEP-1 Bearer Realm” under the Authentication folder in our collection.


Fig 10: Save request

End of Part 1

The next part of this blog describes how to obtain tokens (Refresh Token & Access Token).

Thanks for reading 🙂

Keep reading, share your thoughts, experiences. Feel free to contact us to discuss more. If you have any suggestion / feedback / doubt, you are most welcome.

Stay tuned to Knowledge-Junction; we will come up with more such articles.
