Configuring an HMAC policy

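The HMAC functionality is achieved by using the HMAC Code policy and the Verify HMAC policy in conjunction: the first generates an HMAC code for the message and the second verifies it. HMAC is a keyed hash that protects the integrity and authenticity of the message; it does not encrypt the payload.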

This section illustrates how to use and test an HMAC policy using the Debug option.

Configuring the policies

  1. Open a project and add the policies as described in the sections HMAC Code and Verify HMAC Code.

  2. Use the values provided in the Example content of the above sections.

Remember to click the Save button after adding values in the above policies.

Deploying the project

Click the Deploy icon and select the environment on which the project has to be deployed.

The project may be deployed from the API Projects home page as well.

Configuring Rule in Resources

  1. Go to the Resources tab.

  2. Select the resource and expand the Resource Configuration section.

  3. Click the statement under the Update Rule section, and click the Edit Statement button.

  4. Select the value as "POST".

Testing the policy configurations

Setting Project Level policies

  1. Open the Project level policies tab.

  2. In the Proxy Request tab, click the Edit button.

  3. Select the HMAC Code policy.

    The policy gets added in the Proxy Request tab.


  4. Similarly, add the Verify HMAC policy under the Target Request tab.

  5. Click the Save button.

Debugging the policy

  1. Open the Debugger tab.

  2. Select the environment under which the policies are configured, and click the Debug button.

  3. Select the resource from the Select a resource to debug drop-down.

  4. Add a breakpoint after the point where the Verify HMAC policy is set.

  5. Expand the Request section and provide the content in the body.

  6. Click the Send new message button; the message reaches the target.

image-20240208-071345.png

Validating the response

To validate that the HMAC code was generated and the message was sent successfully:

  1. Expand the Request section and open the Context Variable tab.

  2. Check the following attributes:

    1. target.request.header.code: holds the HMAC code generated for the message.

    2. proxy.response.authorization.status: "true" indicates that the verification of the HMAC code is successful.

Refer to the bottom part of the image above where the two attributes above are highlighted.

The Message Flow explained

  1. The client sends the request.

  2. The Generate HMAC Code policy computes an HMAC code over the payload in the request using a "secret key" and an algorithm.

  3. The message, carrying its HMAC code, gets transmitted further through the flow.

  4. Before the message reaches the server, it has to be verified using the Verify HMAC policy. The "secret key", which is either passed in the message or set in the policy, is used to recompute the HMAC code.

  5. The recomputed HMAC is compared with the HMAC code set for verification of the message.
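
The flow above, as an added Python example that is not part of the product or its documentation. It assumes HMAC-SHA256, hex encoding and a header named code (after the target.request.header.code variable), with the secret key held by both sides rather than sent in the message; the helper names and sample values are constructed for illustration.

```python
import hashlib
import hmac

# Assumptions (not taken from the product): SHA-256, hex encoding, and a
# header named "code" (after the target.request.header.code variable).
ALGORITHM = hashlib.sha256
HEADER = "code"


def generate_hmac(secret_key: bytes, payload: bytes) -> str:
    """Step 2: compute the HMAC code over the request payload."""
    return hmac.new(secret_key, payload, ALGORITHM).hexdigest()


def attach_code(secret_key: bytes, payload: bytes) -> dict:
    """Step 3: the payload travels unchanged; the code rides in a header."""
    return {"headers": {HEADER: generate_hmac(secret_key, payload)},
            "body": payload}


def verify_hmac(secret_key: bytes, message: dict) -> bool:
    """Steps 4-5: recompute the code and compare in constant time."""
    received = message["headers"].get(HEADER)
    if not isinstance(received, str):
        return False  # a missing code must fail closed
    expected = generate_hmac(secret_key, message["body"])
    return hmac.compare_digest(expected.encode(), received.encode())


def demo() -> dict:
    key = b"constructed-demo-key"               # constructed sample value
    msg = attach_code(key, b'{"amount": 100}')  # constructed sample payload
    tampered = {"headers": dict(msg["headers"]), "body": b'{"amount": 900}'}
    unsigned = {"headers": {}, "body": msg["body"]}
    return {
        "valid": verify_hmac(key, msg),
        "tampered_body": verify_hmac(key, tampered),
        "wrong_key": verify_hmac(b"other-key", msg),
        "missing_code": verify_hmac(key, unsigned),
        "body_readable": msg["body"] == b'{"amount": 100}',
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Only the unmodified message with the matching key verifies; the body stays readable in every case because the HMAC code authenticates the payload without encrypting it.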