HTTP Client Crypto API reference

The crypto object provides access to the HTTP Client Crypto API, which lets you use cryptographic hash functions, RSA, and HMAC to generate HTTP signatures. You can then use these signatures as variables in pre-request scripts to sign your HTTP requests.

The crypto accepts a method that can be either one of the hash functions (sha1, sha256, sha512, md5), HMAC, or RSA.

Hash methods

Method	Parameters	Description
`updateWithText`	`textInput` (string) `encoding` (string): the encoding of `textInput`. Default is `UTF8`.	Updates a string to be transformed to a hash.
`updateWithHex`	`hexInput` (string)	Updates a hexadecimal string to be transformed to a hash.
`updateWithBase64`	`base64Input` (string) `urlSafe` (boolean): enter `true` if the string is encoded using the URL-safe variant of Base64.	Updates a Base64 string to be transformed to a hash.
`digest().toHex()`	—	Generates a hash and convert it to the hexadecimal format.
`digest().toBase64()`	`urlSafe` (boolean): enter `true` if you want to use the URL-safe variant of Base64	Generates a hash and convert it to the Base64 format.

HMAC methods

The crypto.hmac object enables you to use HMAC to sign HTTP requests. It has access to all hash methods to generate hashes but also has methods to get the secret part of the token.

Method	Parameters	Description
`withTextSecret`	`textSecret` (string) `encoding` (string): the encoding of `textSecret`. Default is `UTF8`.	Puts the secret key to be used in HMAC.
`withHexSecret`	`hexSecret` (string)	Puts the secret key in the hexadecimal format.
`withBase64Secret`	`base64Input` (string) `urlSafe` (boolean): enter `true` if the string is encoded using the URL-safe variant of Base64.	Puts the secret key in the Base64 format.

Method

Parameters

Description

withTextSecret

textSecret (string)

encoding (string): the encoding of textSecret. Default is UTF8.

Puts the secret key to be used in HMAC.

withHexSecret

hexSecret (string)

Puts the secret key in the hexadecimal format.

withBase64Secret

base64Input (string)

urlSafe (boolean): enter true if the string is encoded using the URL-safe variant of Base64.

Puts the secret key in the Base64 format.

Example:

            < {%
                const signature = crypto.hmac.sha256()
                    .withTextSecret(request.environment.get("secret")) // get variable from http-client.private.env.json
                    .updateWithText(request.body.tryGetSubstituted())
                    .digest().toHex();
                request.variables.set("signature", signature)

                const hash = crypto.sha256()
                    .updateWithText(request.body.tryGetSubstituted())
                    .digest().toHex();
                request.variables.set("hash", hash)
            %}
            POST https://httpbin.org/post
            X-My-Signature: {{signature}}
            X-My-Hash: {{hash}}
            Content-Type: application/json

            {
            "prop": "value"
            }
        

RSA methods

The crypto.subtle interface enables you to use RSA cryptography in pre-request scripts. The HTTP Client supports the Web Crypto API, which provides standard cryptographic functions such as key generation, encryption, decryption, digital signing, signature verification, and more.

Method	Parameters	Description	Algorithm
`encrypt`	`algorithm` (object): specify the encryption algorithm and its parameters. The exact object structure depends on the algorithm in use. `key` (object): specify the `CryptoKey` containing the key for encryption. `data` (`TypedArray`)	Encrypts the provided data using the specified algorithm and key.	RSA-OAEP
`decrypt`	`algorithm` (object): specify the decryption algorithm and its parameters. The exact object structure depends on the algorithm in use. `key` (object): specify the `CryptoKey` containing the key for decryption. `data` (`TypedArray`)	Decrypts the encrypted data using the specified algorithm and key.	RSA-OAEP
`sign`	`algorithm` (object): specify the algorithm for generating a digital signature. The exact object structure depends on the algorithm in use. `key` (object): specify the `CryptoKey` containing the key for signing. If `algorithm` identifies a public-key cryptosystem, the key is private. `data` (`TypedArray`)	Generates a digital signature using the specified algorithm and key.	RSA-PSS
`verify`	`algorithm` (object): specify the algorithm for signature verification. The exact object structure depends on the algorithm in use. `key` (object): specify the `CryptoKey` containing the key to verify the signature. Use a secret key for symmetric algorithms, or a public key for public-key algorithms. `signature` (`TypedArray`) `data` (`TypedArray`)	Verifies a digital signature using the specified algorithm and key.	RSA-PSS
`generateKey`	`algorithm` (object): specify the algorithm that will define the type of key to generate. `extractable` (boolean): enter `true` to allow for exporting the key with `crypto.subtle.exportKey()` or `crypto.subtle.wrapKey()`. `keyUsages` (array of strings): specify the list of possible operations with the key.	Generates a new key (for symmetric algorithms) or key pair (for public-key algorithms).	RSA-PSS, RSA-OAEP
`importKey`	`format` (string): specify the data format of the key to import. Possible values: `pkcs8`, `spki`. `keyData` (`TypedArray`) `algorithm` (object): specify the algorithm defining the type of key to import and provide algorithm-specific parameters. `extractable` (boolean): enter `true` to allow for exporting the key with `crypto.subtle.exportKey()` or `crypto.subtle.wrapKey()`. `keyUsages` (array of strings): specify the list of possible operations with the key.	Imports a key in an external portable format and returns a `CryptoKey` object.	RSA-PSS, RSA-OAEP
`exportKey`	`format` (string): specify a data format to export the key. Possible values: `pkcs8`, `spki`. `key` (object): specify the `CryptoKey` to export.	Exports a `CryptoKey` and returns a key in an external portable format.	RSA-PSS, RSA-OAEP

Example:

             < {%
                 const keyPair = crypto.subtle.generateKey({
                             name: "RSA-PSS",
                             modulusLength: 2048,
                             publicExponent: new Uint8Array([1, 0, 1]),
                             hash: "SHA-256"
                         },
                         true,
                         ["sign", "verify"])
                 const text = "Hello, HTTP Client Pre Script!!!";
                 const data = string2byteArray(text);
                 const signature = crypto.subtle.sign(
                         {
                             name: "RSA-PSS",
                         },
                         keyPair.privateKey,
                         data
                 );
                 const verified = crypto.subtle.verify(
                         {
                             name: "RSA-PSS",
                         },
                         keyPair.publicKey,
                         signature,
                         data);

                 client.log(`${text}, verified: ${verified}`);
             %}

             GET https://example.com/api/path
        

Example: generate JWT

Below is an example of how to create a JSON Web Token (JWT), which consists of three parts: a base64url-encoded header, a base64url-encoded payload (claims), and a cryptographic signature, generated using a SHA-256 algorithm. This token is then saved as a jwt_token pre-request variable and can be used to authenticate a request.

            < {%
                const CLIENT_ID = request.environment.get("client_id"); // get variable from http-client.private.env.json
                const SECRET = request.environment.get("secret"); // get variable from http-client.private.env.json

                function base64UrlEncode(input) {
                    const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
                    let binary = "";
                    for (let i = 0; i < input.length; i++) {
                        binary += input.charCodeAt(i).toString(2).padStart(8, "0");
                    }
                    let base64 = "";
                    for (let i = 0; i < binary.length; i += 6) {
                        const chunk = binary.substring(i, i + 6);
                        const index = parseInt(chunk.padEnd(6, "0"), 2);
                        base64 += chars[index];
                    }
                    return base64.replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
                }

                const header = {
                    alg: "HS256",
                    typ: "JWT"
                };
                const payload = {
                    iat: Math.floor(Date.now() / 1000),
                    client_id: CLIENT_ID,
                    iss: CLIENT_ID,
                    user_id: "dev-user",
                    user_representation: "dev user"
                };
                const encodedHeader = base64UrlEncode(JSON.stringify(header));
                const encodedPayload = base64UrlEncode(JSON.stringify(payload));
                const unsignedToken = `${encodedHeader}.${encodedPayload}`;

                const signature = crypto.hmac.sha256()
                    .withTextSecret(SECRET)
                    .updateWithText(unsignedToken)
                    .digest().toBase64(true);

                const token = `${unsignedToken}.${signature}`;
                request.variables.set("jwt_token", token);
            %}

            GET https://example.com/api/path
            Authorization: Bearer {{jwt_token}}
        

04 September 2025