Skip to content

Instantly share code, notes, and snippets.

@marianzange
Created August 20, 2018 13:19
Show Gist options
  • Save marianzange/354edb2f74e88491f6fa520ea8beb2d8 to your computer and use it in GitHub Desktop.
Save marianzange/354edb2f74e88491f6fa520ea8beb2d8 to your computer and use it in GitHub Desktop.
Coinbase Pro HMAC signature generation for Postman
// Computes the HMAC for requests sent to the Coinbase Pro API.
//
// - Add the following code as Postman pre-request script
// - Adapt the getPatch function an the variable names according to your needs
const timestamp = Date.now() / 1000;
function getPath(url) {
// URL path regex works only if your URLs look like this: {{api_url}}/resource
// If you use hardcoded URLs or any other scheme, adapt the regex pattern!
const matches = url.match(/.+?(\/.+?)(?:#|\?|$)/);
return (matches && matches.length > 1) ? matches[1] : '';
}
function computeSignature(request) {
const data = request.data;
const method = request.method;
const path = getPath(request.url);
const body = (method === 'GET' || !data) ? '' : JSON.stringify(data);
const message = timestamp + method + path + body;
const key = CryptoJS.enc.Base64.parse(pm.variables.get('CB-SECRET'));
const hash = CryptoJS.HmacSHA256(message, key).toString(CryptoJS.enc.Base64);
return hash;
}
postman.setEnvironmentVariable('hmacSignature', computeSignature(request));
postman.setEnvironmentVariable('hmacTimestamp', timestamp)
@iregina
Copy link

iregina commented Sep 25, 2018

Hi Marianzange, I'm pretty new and receiving this error when I enter this into my pre-script on postman:

"There was an error in evaluating the Pre-request Script: TypeError: Cannot read property 'length' of undefined"

Where do you store CB-SECRET and url?

@AngeloBestetti
Copy link

Does anybody find out where is the CB-SECRET?

@johnsonlawal
Copy link

johnsonlawal commented May 16, 2020

The CB-SECRET is API secret key provided by Coinbase when initially creating your API.
You can set/add the CB-SECRET on postman by adding the below to the above script after declaration on const timestamp
pm.environment.set("CB-SECRET", "yourcbsecrethere");

@lasoares
Copy link

For new verision of Postman (7.x), I made small changes,

You need to use the following code in the end of the script to update the variable header request, because only postman.setEnvironmentVariable doesn't work now.

pm.request.headers.upsert({ key: 'CB-ACCESS-KEY', value: 'somekey' });

Repeat the same for 'CB-ACCESS-PASSPHRASE', 'CB-ACCESS-SIGN' and 'CB-ACCESS-TIMESTAMP'

Also the timestamp should be: const timestamp = Math.ceil(Date.now() / 1000);

And the pm.environment.set("CB-SECRET", "secret"); must be right after the timestamp declaration.

@jakeashcraft
Copy link

@lasoares do you have a complete example showing your changes?

@jakeashcraft
Copy link

I tried the following but doesn't seem to work. Just get an Invalid API Key response. Although, I have double checked my key, passphrase, and secret. Any thoughts?

{
    "message": "Invalid API Key"
}
// Computes the HMAC for requests sent to the Coinbase Pro API.
//
// - Add the following code as Postman pre-request script
// - Adapt the getPatch function an the variable names according to your needs

const timestamp = Math.ceil(Date.now() / 1000);
const secret = pm.variables.get('CB-SECRET');

function getPath(url) {
    // URL path regex works only if your URLs look like this: {{api_url}}/resource
    // If you use hardcoded URLs or any other scheme, adapt the regex pattern!
    const matches = url.match(/.+?(\/.+?)(?:#|\?|$)/);
    return (matches && matches.length > 1) ? matches[1] : ''; 
}
 
function computeSignature(request) {
    const data      = request.data;
    const method    = request.method;
    const path      = getPath(request.url);
    const body      = (method === 'GET' || !data) ? '' : JSON.stringify(data);
    const message   = timestamp + method + path + body;
    const key       = CryptoJS.enc.Base64.parse(secret);
    const hash      = CryptoJS.HmacSHA256(message, key).toString(CryptoJS.enc.Base64);

    return hash;
}

var sign = computeSignature(request);

// Not sure if this still needs to be here?
postman.setEnvironmentVariable('hmacSignature', sign);
postman.setEnvironmentVariable('hmacTimestamp', timestamp);

pm.request.headers.upsert({ key: 'CB-ACCESS-KEY', value: pm.variables.get('CB-ACCESS-KEY')});
pm.request.headers.upsert({ key: 'CB-ACCESS-SIGN', value: sign });
pm.request.headers.upsert({ key: 'CB-ACCESS-TIMESTAMP', value: timestamp });
pm.request.headers.upsert({ key: 'CB-ACCESS-PASSPHRASE', value: pm.variables.get('CB-ACCESS-PASSPHRASE') });

@lasoares
Copy link

lasoares commented Dec 24, 2020

Hi @jakeashcraft,

The code example below is fully working, I tested myself couple of hours ago, just replace the api-key, passphrase and secret accordingly.

// Computes the HMAC for requests sent to the Coinbase Pro API.
//
// - Add the following code as Postman pre-request script
// - Adapt the getPatch function an the variable names according to your needs

const timestamp = Math.ceil(Date.now() / 1000);

pm.environment.set("CB-SECRET", "secret");

function getPath(url) {
    // URL path regex works only if your URLs look like this: {{api_url}}/resource
    // If you use hardcoded URLs or any other scheme, adapt the regex pattern!
    const matches = url.match(/.+?(\/.+?)(?:#|\?|$)/);
    return (matches && matches.length > 1) ? matches[1] : ''; 
}
 
function computeSignature(request) {
    const data      = request.data;
    const method    = request.method;
    const path      = getPath(request.url);
    const body      = (method === 'GET' || !data) ? '' : JSON.stringify(data);
    const message   = timestamp + method + path + body;
    const key       = CryptoJS.enc.Base64.parse(pm.variables.get('CB-SECRET'));
    const hash      = CryptoJS.HmacSHA256(message, key).toString(CryptoJS.enc.Base64);

    return hash;
}

pm.environment.set("CB-ACCESS-KEY", "api-key"); 
pm.environment.set('CB-ACCESS-PASSPHRASE', "passphrase")
pm.environment.set('CB-ACCESS-SIGN', computeSignature(request));
pm.environment.set('CB-ACCESS-TIMESTAMP', timestamp)

// Add or update an existing header
pm.request.headers.upsert({
    key: 'CB-ACCESS-KEY',
    value: 'api-key'
});

pm.request.headers.upsert({
    key: 'CB-ACCESS-PASSPHRASE',
    value: 'passphrase'
});

pm.request.headers.upsert({
    key: 'CB-ACCESS-SIGN',
    value: computeSignature(request)
});

pm.request.headers.upsert({
    key: 'CB-ACCESS-TIMESTAMP',
    value: timestamp
});

@Sharabaddin
Copy link

Sharabaddin commented Jan 11, 2021

Hi @lasoares can u show environment and collection?(hide secret key ofc) Can use this for non pro api?

@lasoares
Copy link

Hi @lasoares can u show environment and collection?(hide secret key ofc) Can use this for non pro api?

Yes, you can use also for sandbox environment: https://api-public.sandbox.pro.coinbase.com
Below is my environment collection.

item": [
{
	"name": "Get an Order",
	"event": [
		{
			"listen": "prerequest",
			"script": {
				"exec": [
					"\r",
					"// Computes the HMAC for requests sent to the Coinbase Pro API.\r",
					"//\r",
					"// - Add the following code as Postman pre-request script\r",
					"// - Adapt the getPatch function an the variable names according to your needs\r",
					"\r",
					"const timestamp = Math.ceil(Date.now() / 1000);\r",
					"\r",
					"pm.environment.set(\"CB-SECRET\", \"hide\");\r",
					"\r",
					"function getPath(url) {\r",
					"    // URL path regex works only if your URLs look like this: {{api_url}}/resource\r",
					"    // If you use hardcoded URLs or any other scheme, adapt the regex pattern!\r",
					"    const matches = url.match(/.+?(\\/.+?)(?:#|\\?|$)/);\r",
					"    return (matches && matches.length > 1) ? matches[1] : ''; \r",
					"}\r",
					" \r",
					"function computeSignature(request) {\r",
					"    const data      = request.data;\r",
					"    const method    = request.method;\r",
					"    const path      = getPath(request.url);\r",
					"    const body      = (method === 'GET' || !data) ? '' : JSON.stringify(data);\r",
					"    const message   = timestamp + method + path + body;\r",
					"    const key       = CryptoJS.enc.Base64.parse(pm.variables.get('CB-SECRET'));\r",
					"    const hash      = CryptoJS.HmacSHA256(message, key).toString(CryptoJS.enc.Base64);\r",
					"\r",
					"    return hash;\r",
					"}\r",
					"\r",
					"pm.environment.set(\"CB-ACCESS-KEY\", \"hide\"); \r",
					"pm.environment.set('CB-ACCESS-PASSPHRASE', \"hide\")\r",
					"pm.environment.set('CB-ACCESS-SIGN', computeSignature(request));\r",
					"pm.environment.set('CB-ACCESS-TIMESTAMP', timestamp)\r",
					"\r",
					"// Add or update an existing header\r",
					"pm.request.headers.upsert({\r",
					"    key: 'CB-ACCESS-KEY',\r",
					"    value: 'hide'\r",
					"});\r",
					"\r",
					"pm.request.headers.upsert({\r",
					"    key: 'CB-ACCESS-PASSPHRASE',\r",
					"    value: 'hide'\r",
					"});\r",
					"\r",
					"pm.request.headers.upsert({\r",
					"    key: 'CB-ACCESS-SIGN',\r",
					"    value: computeSignature(request)\r",
					"});\r",
					"\r",
					"pm.request.headers.upsert({\r",
					"    key: 'CB-ACCESS-TIMESTAMP',\r",
					"    value: timestamp\r",
					"});"
				],
				"type": "text/javascript"
			}
		}
	],
	"request": {
		"method": "GET",
		"header": [
			{
				"key": "Content-Type",
				"value": "application/json",
				"type": "text"
			}
		],
		"url": {
			"raw": "{{api_url_sandbox}}/accounts",
			"host": [
				"{{api_url_sandbox}}"
			],
			"path": [
				"accounts"
			]
		}
	},
	"response": []
}]
	"variable": [
		{
			"key": "api_url",
			"value": "https://api.pro.coinbase.com"
		},
		{
			"key": "api_url_sandbox",
			"value": "https://api-public.sandbox.pro.coinbase.com"
		}
	]

@ronnyandre
Copy link

Why are you setting CB-ACCESS-PASSPHRASE? I can't see that this is mentioned in their API documentation?

@lasoares
Copy link

Why are you setting CB-ACCESS-PASSPHRASE? I can't see that this is mentioned in their API documentation?

image

@ronnyandre
Copy link

Interesting. I was reading the non-Pro documentation of Coinbase API. Thanks for informing me!

@amgreen2
Copy link

Having issues with "invalid signature".
done a bunch of research elsewhere and i'm coming up empty handed.
I've removed the headers one at a time and gotten the error message for the header i removed, so i'm sure it's none of the other headers.
Maybe the URL is wrong format? attaching a screenshot
image

@marianzange
Copy link
Author

@amgreen2 Try setting the API endpoint as a Postman variable such as {{api_url}} or adapt the regex to your needs. The regex in the code snippet is a bit crappy.

@maheshmobile
Copy link

I am also getting same issue that what amgreen2 is facing.
"Invalid signature"

@zkmusa
Copy link

zkmusa commented Apr 25, 2021

I was having the same "Invalid API Key" error, but I had overlooked a couple things while struggling to fix the problem. Everything is now working, and here were the troubleshooting steps that I did:

  1. Add a collection variable: click on the "..." next to your collection in the left sidebar --> variables. Add api_url as variable and "https://api.pro.coinbase.com" as initial value.
  2. Change your request URL to be: {{api_url}}/accounts (or whatever API endpoint you're targeting).
  3. Make sure your CB-ACCESS-KEY is copied into both the "pm.environment" and "pm.request.headers.upsert" lines. I had overlooked updating pm.request.headers.upsert.
  4. Make sure your CB-ACCESS-PASSPHRASE is copied into both the "pm.environment" and "pm.request.headers.upsert" lines.

Everything should work fine after this. Thanks to everyone in this thread for your help!

Copy link

ghost commented Apr 26, 2021

Here's how I got it working for the non-pro API.

CB-SECRET is set as an environment variable, the rest I've just put directly in my request.

  • Uses Math.floor instead of ceil simply because that's the example given by Coinbase
  • Passes the HMAC the secret as a string rather than base64 parsing it
  • Wants a hex digest rather than base64
  • No need for regex for the path, postman provides an array: pm.request.url.path (needs joining with /)
const timestamp = Math.floor(Date.now() / 1000);
console.log(timestamp);
 
function computeSignature(request) {
    const data      = request.data;
    const method    = request.method;
    const path      = "/" + pm.request.url.path.join("/");
    const body      = (method === 'GET' || !data) ? '' : JSON.stringify(data);
    const message   = timestamp + method + path + body;
    const key       = pm.variables.get('CB-SECRET');
    const hash      = CryptoJS.HmacSHA256(message, key).toString(CryptoJS.enc.Hex);
    console.log("Message: " + message + " HMAC: " + hash);

    return hash;
}

pm.environment.set('CB-ACCESS-SIGN', computeSignature(request));
pm.environment.set('CB-ACCESS-TIMESTAMP', timestamp);

image

@wnz99
Copy link

wnz99 commented Sep 29, 2022

This works for me. I had to change this line:

const body      = (method === 'GET' || !data) ? '' : JSON.stringify(data);

to

const body      = (method === 'GET' || !data) ? '' : data;

Script:

const timestamp = Date.now() / 1000;

pm.environment.set("CB-SECRET", "your-secret");
 
function computeSignature(request) {
    const data      = request.data;
    const method    = request.method;
    const path      = "/" + pm.request.url.path.join("/");
    const body      = (method === 'GET' || !data) ? '' : data;
    const message   = timestamp + method + path + body;
    const key       = CryptoJS.enc.Base64.parse(pm.variables.get('CB-SECRET'));
    const hash      = CryptoJS.HmacSHA256(message, key).toString(CryptoJS.enc.Base64);

    return hash;
}

pm.environment.set('CB-ACCESS-SIGN', computeSignature(request));
pm.environment.set('CB-ACCESS-TIMESTAMP', timestamp);

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment