mr_muscle

Reputation: 2910

HMAC - SHA256 authentication via Postman

I'm trying to simulate a webhook POST request to my Rails app (which works well in a real workflow) with Postman. I found lots of examples but none of them work - I keep getting a 401 code. What I did was define headers and a Pre-request Script like below:

postman headers

JS as Pre-request Script based on these docs

postman.setEnvironmentVariable("hmac", CryptoJS.HmacSHA256(request.data, 'my_secret_string').toString(CryptoJS.digest));

And still I'm getting the 401 error.

The external API docs which I use to trigger the webhook clearly state:

Each webhook will be sent with the X-AQID-Signature header, which is created by hashing the request's payload with the HMAC method and SHA256 algorithm, using the shared secret as salt. This means that upon receiving a payload, you can verify its integrity by replicating the hashing method.

And like I said, it works well in a real-life workflow, so I have an error in the Postman implementation. What did I miss?

Upvotes: 11

Views: 19784

Answers (2)

Gucu112

Reputation: 967

If you need a Base64-encoded value, then you can do it as follows:

CryptoJS.HmacSHA256(pm.request.body.raw, 'YOUR_SECRET').toString(CryptoJS.enc.Base64);

Upvotes: 10

sinuhepop

Reputation: 20326

You don't need to set any environment variable; you just have to add a header from your script. I did this in a very similar case:

var signBytes = CryptoJS.HmacSHA256(pm.request.body.raw, 'YOUR_SECRET');
var signHex = CryptoJS.enc.Hex.stringify(signBytes);
pm.request.headers.add({
    key: "HEADER_NAME",
    value: signHex
});

Upvotes: 16
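
Added example, not part of either answer or of the webhook provider's code: a Node.js sketch of the receiving side's check, useful for seeing why a Postman-generated signature gets a 401 when the digest encoding or the exact body bytes differ. The secret, the body and all function names are constructed for illustration; the page does not say whether the real X-AQID-Signature header is hex or Base64, so this check accepts either.

```javascript
const crypto = require('crypto');

// Constructed sample values (assumptions, not from the page).
const SECRET = 'constructed-demo-secret';
const BODY = '{"event":"test","id":1}';

// HMAC-SHA256 over the exact raw body, returned in the requested encoding.
function sign(rawBody, secret, encoding = 'hex') {
  return crypto.createHmac('sha256', secret).update(rawBody, 'utf8').digest(encoding);
}

// Decode a header value as hex or Base64; null unless it is a 32-byte digest.
function decodeSignature(value) {
  if (typeof value !== 'string') return null;
  const v = value.trim();
  if (/^[0-9a-fA-F]{64}$/.test(v)) return Buffer.from(v, 'hex');
  if (/^[A-Za-z0-9+/]{43}=$/.test(v)) return Buffer.from(v, 'base64');
  return null;
}

// Recompute the digest from the raw body and compare in constant time.
function verifySignature(rawBody, secret, headerValue) {
  const received = decodeSignature(headerValue);
  if (received === null) return false;
  const expected = crypto.createHmac('sha256', secret).update(rawBody, 'utf8').digest();
  return crypto.timingSafeEqual(received, expected); // both are 32 bytes here
}

function demo() {
  // Same JSON, different whitespace: the bytes differ, so the HMAC differs.
  const reserialized = JSON.stringify(JSON.parse(BODY), null, 2);
  return {
    hex: verifySignature(BODY, SECRET, sign(BODY, SECRET, 'hex')),
    base64: verifySignature(BODY, SECRET, sign(BODY, SECRET, 'base64')),
    reformattedBody: verifySignature(reserialized, SECRET, sign(BODY, SECRET, 'hex')),
    malformed: verifySignature(BODY, SECRET, 'not-a-signature'),
  };
}

console.log(demo());
```

A server that verifies against a parsed and re-serialized body instead of the raw request bytes will reject valid signatures in the same way as the `reformattedBody` case.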
