Skip to content

Instantly share code, notes, and snippets.

Last active January 26, 2023 02:13
What would you like to do?
Postman pre-request to add Veracode HMAC header
var url = require('url');
var { Property } = require('postman-collection');
const id = pm.variables.get('veracodeApiKeyId');
const key = pm.variables.get('veracodeApiKeySecret');
const authorizationScheme = 'VERACODE-HMAC-SHA-256';
const requestVersion = "vcode_request_version_1";
const nonceSize = 16;
function computeHashHex(message, key_hex) {
return CryptoJS.HmacSHA256(message, CryptoJS.enc.Hex.parse(key_hex)).toString(CryptoJS.enc.Hex);
function calulateDataSignature(key, nonceBytes, dateStamp, data) {
let kNonce = computeHashHex(nonceBytes, key);
let kDate = computeHashHex(dateStamp, kNonce);
let kSig = computeHashHex(requestVersion, kDate);
let kFinal = computeHashHex(data, kSig);
return kFinal;
function newNonce() {
return CryptoJS.lib.WordArray.random(nonceSize).toString().toUpperCase();
function toHexBinary(input) {
return CryptoJS.enc.Hex.stringify(CryptoJS.enc.Utf8.parse(input));
function calculateVeracodeAuthHeader(httpMethod, requestUrl) {
let urlExpanded = Property.replaceSubstitutions(requestUrl, pm.variables.toObject());
let parsedUrl = url.parse(urlExpanded);
let data = `id=${id}&host=${parsedUrl.hostname}&url=${parsedUrl.path}&method=${httpMethod}`;
let dateStamp =;
let nonceBytes = newNonce(nonceSize);
let dataSignature = calulateDataSignature(key, nonceBytes, dateStamp, data);
let authorizationParam = `id=${id},ts=${dateStamp},nonce=${toHexBinary(nonceBytes)},sig=${dataSignature}`;
let header = authorizationScheme + " " + authorizationParam;
return header;
key: 'Authorization',
value: calculateVeracodeAuthHeader(request['method'], request['url'])
Copy link

markdowd commented Mar 4, 2022

@ravikumarkd I'm an end user, but it sounds like you've answered your own question.

Copy link

Hi @ravikumarkd , there shouldn't be a geographic component to Veracode API services. However, your report makes me wonder if there is something wrong with the API credentials you're using. Are you able to connect to our APIs using those credentials in other ways, e.g. through Veracode integrations or using httpie with the --veracode_hmac authentication method?

If you aren't able to come to resolution on this it may be worth contacting Veracode support to see if they can help you further.

Copy link

SMughal2020 commented Mar 15, 2022

Hi @ravikumarkd. The error tells you that the values have not been successfully retrieved in the script. Try temporarily replacing the pm.variables.get statements with literals to confirm this.

Any fix for this yet? Removing pm.variables.get gives a 401 error. As with id and key added, the error I receive is TypeError: Cannot read property 'length' of undefined.

Copy link

@Fleurpot82 Not sure if you've fixed this yet. You need to specify the two variable values so they can be retrieved in lines 4&5:

  • veracodeApiKeyId
  • veracodeApiKeySecret

If they are zero length it complains when tryoing to validate them.

Thanks @markdowd, taken me a while to get back to this, I had the variables added, as below it worked fine when a pasted the values directly in. Deleted the variables in my project and re added and it works a treat. No idea what was wrong before as I'd created multiple collections in attempting it earlier!

Copy link

Please note that we've published an official project and how-to for using Veracode HMAC in Postman here:

Contributions are welcome!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment