HMAC-SHA256 method to calculate the request signature

Hello, I’m trying to use the HMAC-SHA256 method to calculate the request signature, but I can’t figure out how. These are the instructions I have:

Each request must contain a minimum of 3 parameters required for authentication: user, institutionID, signature.

Signature calculation:

data = HTTP_REQUEST_METHOD + CRLF
institutionID + CRLF
RequestURI + CRLF
Dates

signature = HMAC-SHA256(data, password)

  • HTTP_REQUEST_METHOD: GET or POST
  • institutionID: institution ID in the system
  • RequestURI: requested resource (ex: “/users/”)
  • Date: CEST (UTC+2), in format YYYY-MM-DD HH:ii (current: 2023-02-13 20:19)
  • CRLF: Carriage return (char(13)) + Line feed (char(10))

Thanks in advance.

Hey there!

This request shows you how to encrypt and decrypt parameters using HMAC-SHA256:
https://www.postman.com/postman/workspace/postman-answers/request/18070393-cef8bd0f-11eb-4684-a724-f5c7a63a62d8

I’m not too sure about the rest of your instructions as they don’t seem specific to Postman. Try to get it working in there and then let us know what issues you are facing.

Thanks for the help, but I can’t figure out how to do it without getting the authorization failed error.

I have an example in PHP of how to get the signature, if that helps:

$data =	'GET' . "\r\n" .
	'999' . "\r\n" .
	'/users' . "\r\n" .
	'2022-12-31 23:59';
$signature = hash_hmac('sha256', $data, 'password');

where 999 is the institution ID.

And the request should look like this: https://api.test.com/users?user=test&institutionID=999&signature=7e745d74b69b7f69da11deb4bc24adccb69bc28138c95947a56e35826c62e8e2

Hi,

From your PHP example, the logic itself looks correct. The most common reason for getting an “authorization failed” error with HMAC-SHA256 is a mismatch in the exact string used to generate the signature.

A few things to double-check:

  1. Make sure the line breaks are exactly \r\n (CRLF), not just \n. Even a small difference will produce a completely different hash.

  2. Confirm that the RequestURI matches exactly what the server expects (for example /users vs /users/).

  3. Ensure the date format is identical (YYYY-MM-DD HH:ii) and in the correct timezone (CEST UTC+2 as mentioned).

  4. Verify there are no extra spaces before or after any value when building the $data string.

You can also temporarily log or print the exact $data string before hashing and compare it character by character with what the API documentation expects.

With HMAC, even one invisible character difference will change the signature entirely, so precision is everything here.

Hope this helps you track down the issue.
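The checklist in the reply above can be automated. The following Node.js sketch is an added example, not code from any poster or from the API vendor: it builds the string-to-sign, signs it the way the PHP `hash_hmac` call does, and names the specific difference when a string built elsewhere does not match. The function names (`buildData`, `sign`, `formatDate`, `checkData`) are hypothetical, the sample values are the ones from the thread, and the fixed UTC+2 offset is an assumption based on the "CEST (UTC+2)" wording.

```javascript
// Added example (Node.js); function names are hypothetical.
const crypto = require("node:crypto");

const CRLF = "\r\n";
const FIELDS = ["method", "institutionID", "requestURI", "date"];

// String-to-sign: the four fields joined by CRLF, with no trailing line break.
function buildData(f) {
  return FIELDS.map((name) => f[name]).join(CRLF);
}

// Same operation as PHP's hash_hmac('sha256', $data, $password): lowercase hex.
function sign(data, password) {
  return crypto.createHmac("sha256", password).update(data, "utf8").digest("hex");
}

// "YYYY-MM-DD HH:ii" at a fixed offset. Assumption: the server wants a constant UTC+2.
function formatDate(d, offsetHours = 2) {
  const shifted = new Date(d.getTime() + offsetHours * 3600 * 1000);
  return shifted.toISOString().slice(0, 16).replace("T", " ");
}

// Compare a string-to-sign built elsewhere against the expected fields and
// name every difference instead of only reporting a signature mismatch.
function checkData(data, expected) {
  const problems = [];
  if (/(^|[^\r])\n/.test(data)) problems.push("line breaks: bare LF found, CRLF required");
  const parts = data.split(/\r?\n/);
  if (parts.length !== FIELDS.length) {
    problems.push(`fields: expected ${FIELDS.length}, found ${parts.length}`);
  }
  FIELDS.forEach((name, i) => {
    const got = parts[i] ?? "";
    if (got !== got.trim()) problems.push(`${name}: leading or trailing whitespace`);
    if (got.trim() !== expected[name]) {
      problems.push(`${name}: got ${JSON.stringify(got)}, expected ${JSON.stringify(expected[name])}`);
    }
  });
  if (!/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}$/.test((parts[3] ?? "").trim())) {
    problems.push("date: not in YYYY-MM-DD HH:ii form");
  }
  return problems;
}

// Constructed input: a client string built with "\n" and a trailing slash on the URI.
const sampleFields = { method: "GET", institutionID: "999", requestURI: "/users", date: "2022-12-31 23:59" };
console.log(checkData("GET\n999\n/users/\n2022-12-31 23:59", sampleFields));
console.log(JSON.stringify(buildData(sampleFields))); // escapes make CR and LF visible
```

Printing the string through `JSON.stringify` rather than raw is what makes the CR, LF and stray spaces visible; the password itself never needs to be logged.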