@Sempf Postman is private equity owned. Came due to finally make money. So without warning they neutered the local app from most core functionality and pushed it to the cloud. Old versions were removed from their downloads.
Gets better. Their export config to the cloud dumps all saved collections and credentials you previously had to a clear text JSON. Yes, the collections you can no longer access.
Many organizations store their API documentation on Postman, so a full block of the domain is problematic.
Blocking the login and identity page is effective. But if you didn't get on this early, devs are definitely using it today and have prod creds in the cloud. I considered using legal for a data deletion request for our domain.
Then their sales people will start hounding the org using SSO tax (they know you're out of compliance with regulators or your insurance) and how "in production" it's being used as leverage.
Also block Postman on your SEG--fuck them.
And then devs will come for you with pitchforks. A friend even overheard some badmouthing of my mitigations at a local watering hole near my $dayjob.