HTTP Client crypto API reference
The crypto object provides access to HTTP Client Crypto API, which lets you use cryptographic hash functions and HMAC to generate HTTP signatures. You can then use these signatures as variables in pre-request scripts to sign your HTTP requests.
The crypto accepts a method that can be either one of the hash functions (sha1, sha256, sha512, md5), or hmac.
Hash methods
Method | Parameters | Description |
|---|
updateWithText
| textInput (string)
encoding (string): the encoding of textInput. Default is UTF8.
| Updates a string to be transformed to a hash. |
updateWithHex
| hexInput (string)
| Updates a hexadecimal string to be transformed to a hash. |
updateWithBase64
| base64Input (string)
urlSafe (boolean): enter true if the string is encoded using the URL-safe variant of Base64.
| Updates a Base64 string to be transformed to a hash. |
digest().toHex()
| — | Generates a hash and convert it to the hexadecimal format. |
digest().toBase64()
| urlSafe (boolean): enter true if you want to use the URL-safe variant of Base64
| Generates a hash and convert it to the Base64 format. |
HMAC methods
The crypto.hmac object enables you to use HMAC to sign HTTP requests. It has access to all hash methods to generate hashes but also has methods to get the secret part of the token.
Method | Parameters | Description |
|---|
withTextSecret
| textSecret (string)
encoding (string): the encoding of textSecret. Default is UTF8.
| Puts the secret key to be used in HMAC. |
withHexSecret
| hexSecret (string)
| Puts the secret key in the hexadecimal format. |
withBase64Secret
| base64Input (string)
urlSafe (boolean): enter true if the string is encoded using the URL-safe variant of Base64.
| Puts the secret key in the Base64 format. |
Example:
< {%
const signature = crypto.hmac.sha256()
.withTextSecret(request.environment.get("secret")) // get variable from http-client.private.env.json
.updateWithText(request.body.tryGetSubstituted())
.digest().toHex();
request.variables.set("signature", signature)
const hash = crypto.sha256()
.updateWithText(request.body.tryGetSubstituted())
.digest().toHex();
request.variables.set("hash", hash)
%}
POST https://httpbin.org/post
X-My-Signature: {{signature}}
X-My-Hash: {{hash}}
Content-Type: application/json
{
"prop": "value"
}
Example: generate JWT
Below is an example of how to create a JSON Web Token (JWT), which consists of three parts: a base64url-encoded header, a base64url-encoded payload (claims), and a cryptographic signature, generated using a SHA-256 algorithm. This token is then saved as a jwt_token pre-request variable and can be used to authenticate a request.
< {%
const CLIENT_ID = request.environment.get("client_id"); // get variable from http-client.private.env.json
const SECRET = request.environment.get("secret"); // get variable from http-client.private.env.json
function base64UrlEncode(input) {
const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";
let binary = "";
for (let i = 0; i < input.length; i++) {
binary += input.charCodeAt(i).toString(2).padStart(8, "0");
}
let base64 = "";
for (let i = 0; i < binary.length; i += 6) {
const chunk = binary.substring(i, i + 6);
const index = parseInt(chunk.padEnd(6, "0"), 2);
base64 += chars[index];
}
return base64.replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_");
}
const header = {
alg: "HS256",
typ: "JWT"
};
const payload = {
iat: Math.floor(Date.now() / 1000),
client_id: CLIENT_ID,
iss: CLIENT_ID,
user_id: "dev-user",
user_representation: "dev user"
};
const encodedHeader = base64UrlEncode(JSON.stringify(header));
const encodedPayload = base64UrlEncode(JSON.stringify(payload));
const unsignedToken = `${encodedHeader}.${encodedPayload}`;
const signature = crypto.hmac.sha256()
.withTextSecret(SECRET)
.updateWithText(unsignedToken)
.digest().toBase64(true);
const token = `${unsignedToken}.${signature}`;
request.variables.set("jwt_token", token);
%}
GET https://example.com/api/path
Authorization: Bearer {{jwt_token}}
Last modified: 23 April 2025