OAuth 2 Authorization header

hi guys

Can anyone help me, please?

need to send a POST request with Authorization header

Website API docs says that:
All requests to resources (excluding the schema pages) must be accompanied by a correct Authorization header as per this specification. The header looks like this:

Authorization: MAC id="your API key", ts="1325376000", nonce="random-string", mac="base64-encoded-hash"

So I created a variable in the Pre-request script (replaced real API to dummy API):

pm.globals.set("authorization", [JSON.stringify({
 'MAC id':"5b256cdee0baa77d57a4406fe957787b",
 'ts': pm.variables.get('ts'),

and then add authorization variable as Access Token

Request isn't going through

Access Token is being read as {"MAC id":"5b256cdee0baa77d57a4406de9888b","ts":"1648775596200","nonce":"126955720907400","mac":"t3MRycjMO9hJdp9GmGKSlph4s15dKaTRKzDtLttjFfw="}

as it was passed as an object (then json stringified)

Should it be passed exactly as the docs say, so equal signs instead of colons?
MAC id="your API key", ts="1325376000", nonce="random-string", mac="base64-encoded-hash"

I am not sure how I can achieve that. Is there a special method for that in Postman?
Or should it be passed as an object, so something else is incorrect in my code?


Hi @smnkv

Looking at your token I suspect it should only be the base-64 encoded part that is used as the token (eg: t3MRycjMO9hJdp9GmGKSlph4s15dKaTRKzDtLttjFfw=).
The other info is usually just to help construct it.

Do you have a link to the documentation you are following?

And are you also passing the ‘authorization’ variable in the headers after you have set it here?

1 Like

Hi w4

Appreciate ur reply!

That's the documentation: REST SMS API Documentation - Receive & Send SMS via REST API Online

Yep I am also passing the ‘authorization’ variable in the headers.

In regards to token - are u saying I just need to pass my 64 encoded var there? Ok, I will try

Hi again. If I use “mac” for token - it goes to Headers as authorization. So I can't this object in headers:
pm.globals.set("authorization", [JSON.stringify({
 'MAC id':"5b256cdee0baa77d57a4406fe957787b",
 'ts': pm.variables.get('ts'),

but I think I need to use it.

Not sure I follow.

If you use the pre-req tab to save the above global variable, you can then use the value saved to your global ‘authorization’ variable by putting {{authorization}} in your key:value pair…

Like this;

Which API are you trying to call? is it a public API that we can see the documentation for?


Then I end up having 2 authorizations
Remember i suggested to use single value as token?

Also can I pls ask another question re encoding? It will be in my next post

Documentation states:
Once this string has been constructed, you must then hash it using the HMAC method, with your API secret (issued with your API key) used as the hash key. SMSGlobal uses the SHA-256 algorithm for hashing. It is recommended that you use a pre-existing library to calculate the hash, as it is quite calculated. Ensure the hash is output in binary, and not in hexadecimal. Once the hash is calculated, base 64 encode it and include it in the HTTP header.

That's my code in Postman:
pm.globals.set("code", CryptoJS.HmacSHA256(pm.variables.get("longstring"), pm.variables.get('secretkey')));

pm.globals.set("mac", CryptoJS.enc.Base64.stringify(pm.variables.get('code')));

However, I guess I need to convert “code” to binary. I know of the toString(2) method but it doesn't work. So my question is - how can I convert hash output to binary?

Re what API I am trying to call - I am trying to call the API given to me by SMSGlobal.

Documentation is here:


Copy the instructions from this GitHub repo.
I have just tried it with a free trial account and it looks like it works for me.
Be sure to add in your own API key and secret (I change the screenshot to *********).


Thanks! I am actually trying a POST request.

However, my code was incorrect as I didn't see the GitHub docs.

I just tried it and auth returns as unresolved var
var auth = ts + '\n' + nonce + '\n' + request.method + '\n' + url[11] + (typeof url[13] !== 'undefined' ? url[13] : '' ) + '\n' + url[8] + '\n' + (url[2] == 'http' ? 80 : 443) + '\n' + '\n';

Please explain why we need url[11], url[13] etc.?

Also I think we are missing Optional extra data. The website docs say that:

Note that the optional extra data line is blank. Our API does not currently use this field, but it must be included in the hash as an empty string as per the OAuth 2 specification.

Please, also explain what is the purpose of this:

var urlRegex = /^((\w+):)?(\/\/((\w+)?(:(\w+))?@)?([^\/\?:]+)(:(\d+))?)?(\/?([^\/\?#][^\?#]*)?)?(\?([^#]+))?(#(\w*))?/;
var url = urlRegex.exec(request.url);

var urlRegex = /^((\w+):)?(\/\/((\w+)?(:(\w+))?@)?([^\/\?:]+)(:(\d+))?)?(\/?([^\/\?#][^\?#]*)?)?(\?([^#]+))?(#(\w*))?/;

This is the Regular Expression that will be used to search for matches.

var url = urlRegex.exec(request.url);

The exec() method executes a search for a match in a specified string. Returns a result array, or null.

url[11] and url[13] (also [8] and [2]) are matches found by the .exec search, as mentioned above the results get saved into an array.

The best way to follow this would be to get some debugging into your script.
console.log(); would be suitable like this;

Here is a GET working with this above info;

And here is a POST working with this above info;
Note - I added the POST param as a JSON body.

Thanks! I just can't get why we need to search for matches. The docs on the website don't say anything about that.
Why can't we just use these:
pm.globals.set("httpreqmet", "POST");
pm.globals.set("httprequri", "/v2/sms");
pm.globals.set("httphost", "api.smsglobal.com");
pm.globals.set("httpport", "443");

I guess it’s because the URL can change between different API calls, and the RegEx checks certain things to alter the input. For example;
(typeof url[13] !== 'undefined' ? url[13] : '')
This will check if the value is not equal to ‘undefined’
and will choose to use either ‘url[13]’ value or ‘’ (blank).
So it’s building the values dynamically based on what was used within the URL.

You could hard code it, but there could be some instances where the wrong value is being passed (because it's static).
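
The signing steps discussed in this thread, as an added example that is not part of the original posts and is not SMSGlobal's own code: it builds the newline-separated string in the field order of the `auth` line quoted above, HMACs it, and emits the header in the key="value" layout from the docs. It runs in Node.js with the built-in `crypto` module rather than in the Postman sandbox; the function names, key, secret and `?limit=1` query string are constructed for illustration.

```javascript
const crypto = require('crypto');

// Newline-separated request string, in the field order of the `auth` line
// quoted in the thread: ts, nonce, method, path+query, host, port, and then
// the empty "optional extra data" line.
function macBaseString({ ts, nonce, method, url }) {
  const u = new URL(url);
  const port = u.protocol === 'http:' ? '80' : '443'; // same rule as the thread's script
  const fields = [ts, nonce, method.toUpperCase(), u.pathname + u.search, u.hostname, port, ''];
  return fields.join('\n') + '\n';
}

// HMAC-SHA256 keyed with the API secret; base64 is applied to the raw
// 32-byte digest, not to its hexadecimal text.
function macSignature(baseString, secret) {
  return crypto.createHmac('sha256', secret).update(baseString, 'utf8').digest('base64');
}

// The mistake the docs' "binary, not hexadecimal" note warns about: once the
// digest has become a hex string, base64 encodes those 64 characters instead.
function base64OfHexText(baseString, secret) {
  const hex = crypto.createHmac('sha256', secret).update(baseString, 'utf8').digest('hex');
  return Buffer.from(hex, 'utf8').toString('base64');
}

// Header value in the docs' layout: comma-separated key="value" pairs, not JSON.
function macAuthorizationHeader({ apiKey, secret, method, url, ts, nonce }) {
  // Assumption: ts is Unix time in seconds, like the docs' sample 1325376000.
  const tsStr = String(ts ?? Math.floor(Date.now() / 1000));
  const nonceStr = nonce ?? crypto.randomBytes(16).toString('hex');
  const base = macBaseString({ ts: tsStr, nonce: nonceStr, method, url });
  return `MAC id="${apiKey}", ts="${tsStr}", nonce="${nonceStr}", mac="${macSignature(base, secret)}"`;
}

// Constructed sample values (not a real key or secret).
const sample = {
  apiKey: 'EXAMPLE_KEY', secret: 'EXAMPLE_SECRET', method: 'post',
  url: 'https://api.smsglobal.com/v2/sms?limit=1', ts: 1325376000, nonce: 'random-string',
};
console.log(JSON.stringify(macBaseString(sample)));
console.log(macAuthorizationHeader(sample));
```

In a Postman pre-request script the counterpart of `macSignature` is `CryptoJS.enc.Base64.stringify(CryptoJS.HmacSHA256(baseString, secret))`: the WordArray that `HmacSHA256` returns already holds the raw digest bytes, and its default string form is hexadecimal.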

hi man! can u pls help me here ?