Skip to content

Instantly share code, notes, and snippets.

What would you like to do?
This gist is deprecated. Please use the pre-request script found at
var url = require('url');
const authorizationScheme = 'VERACODE-HMAC-SHA-256';
const requestVersion = "vcode_request_version_1";
const nonceSize = 16;
function computeHashHex(message, key_hex) {
return CryptoJS.HmacSHA256(message, CryptoJS.enc.Hex.parse(key_hex)).toString(CryptoJS.enc.Hex);
function calculateDataSignature(key, nonceBytes, dateStamp, data) {
let kNonce = computeHashHex(nonceBytes, key);
let kDate = computeHashHex(dateStamp, kNonce);
let kSig = computeHashHex(requestVersion, kDate);
let kFinal = computeHashHex(data, kSig);
return kFinal;
function newNonce() {
return CryptoJS.lib.WordArray.random(nonceSize).toString().toUpperCase();
function toHexBinary(input) {
return CryptoJS.enc.Hex.stringify(CryptoJS.enc.Utf8.parse(input));
function calculateVeracodeAuthHeader(httpMethod, requestUrl) {
let parsedUrl = url.parse(requestUrl);
let data = `id=${id}&host=${parsedUrl.hostname}&url=${parsedUrl.path}&method=${httpMethod}`;
let dateStamp =;
let nonceBytes = newNonce(nonceSize);
let dataSignature = calculateDataSignature(key, nonceBytes, dateStamp, data);
let authorizationParam = `id=${id},ts=${dateStamp},nonce=${toHexBinary(nonceBytes)},sig=${dataSignature}`;
let header = authorizationScheme + " " + authorizationParam;
return header;
var {Property} = require('postman-collection');
const substitutedUrl = Property.replaceSubstitutions(request.url, pm.variables.toObject());
postman.setEnvironmentVariable('hmacAuthHeader', calculateVeracodeAuthHeader(request.method, substitutedUrl));
Copy link

tjarrettveracode commented Oct 28, 2020

To use this script, you need to add an additional header called Authorization to your request and set its value to {{hmacAuthHeader}}. This will substitute in the environment variable that is created at the last step of this script, containing the HMAC authorization.

Copy link

tjarrettveracode commented May 3, 2022

This gist is deprecated. Please use the pre-request script found at

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment