If I try to create new Smart Collection using Postman I'll get response below. Same for prepending username:password@ to the hostname in the URL or for the credentials in the Authorization header. I'm using the Authorization header and I haven't had a problem with that yet.
It only works if I use X-Shopify-Access-Token request header.
Solved! Go to the solution
This is an accepted solution.
I'd guess you're sending cookies in the request. If you're using the web version of postman you can not control that but the desktop version will let you delete them. It will work then but post back here if it doesn't. The block is intentional and for good security.