Skip to content

Instantly share code, notes, and snippets.

Last active January 26, 2023 02:13
What would you like to do?
Postman pre-request to add Veracode HMAC header
var url = require('url');
var { Property } = require('postman-collection');
const id = pm.variables.get('veracodeApiKeyId');
const key = pm.variables.get('veracodeApiKeySecret');
const authorizationScheme = 'VERACODE-HMAC-SHA-256';
const requestVersion = "vcode_request_version_1";
const nonceSize = 16;
function computeHashHex(message, key_hex) {
return CryptoJS.HmacSHA256(message, CryptoJS.enc.Hex.parse(key_hex)).toString(CryptoJS.enc.Hex);
function calulateDataSignature(key, nonceBytes, dateStamp, data) {
let kNonce = computeHashHex(nonceBytes, key);
let kDate = computeHashHex(dateStamp, kNonce);
let kSig = computeHashHex(requestVersion, kDate);
let kFinal = computeHashHex(data, kSig);
return kFinal;
function newNonce() {
return CryptoJS.lib.WordArray.random(nonceSize).toString().toUpperCase();
function toHexBinary(input) {
return CryptoJS.enc.Hex.stringify(CryptoJS.enc.Utf8.parse(input));
function calculateVeracodeAuthHeader(httpMethod, requestUrl) {
let urlExpanded = Property.replaceSubstitutions(requestUrl, pm.variables.toObject());
let parsedUrl = url.parse(urlExpanded);
let data = `id=${id}&host=${parsedUrl.hostname}&url=${parsedUrl.path}&method=${httpMethod}`;
let dateStamp =;
let nonceBytes = newNonce(nonceSize);
let dataSignature = calulateDataSignature(key, nonceBytes, dateStamp, data);
let authorizationParam = `id=${id},ts=${dateStamp},nonce=${toHexBinary(nonceBytes)},sig=${dataSignature}`;
let header = authorizationScheme + " " + authorizationParam;
return header;
key: 'Authorization',
value: calculateVeracodeAuthHeader(request['method'], request['url'])
Copy link

Please note that we've published an official project and how-to for using Veracode HMAC in Postman here:

Contributions are welcome!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment