Configuring an HMAC policy

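HMAC functionality is achieved by using the HMAC Code policy and the Verify HMAC policy in conjunction: the first generates an HMAC code for the message and the second verifies it. An HMAC authenticates the message (integrity and origin); it does not encrypt the payload.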

This section illustrates how to use and test an HMAC policy using the Debug option.

Configuring the policies

  1. Open a project and add the policies as described in the sections HMAC Code and Verify HMAC Code.

  2. Use the values provided in the Example content of the above sections.

Remember to click the Save button after adding values in the above policies.

Deploying the project

Click the Deploy icon to deploy the project, selecting the respective environment on which it is to be deployed.

The project may be deployed from the API Projects home page as well.

Configuring Rule in Resources

  1. Go to the Resources section.

  2. Click the statement under the Update Rule section, and click the Edit button.

  3. Select the value “POST” and click Update.

  4. Click the Save button.

Testing the policy configurations

Setting Project Level policies

  1. Go to Policies > Project policy scope tab.

  2. Click the Policies button.

  3. Drag and drop the Generate HMAC policy to the Proxy Request pane.

  4. Select the added policy, click the More action icon and select the server group.

  5. Similarly, add Verify HMAC policy under the Target Request tab.

  6. Click the Save button.

Debugging the policy

  1. Open the Debugger tab.

  2. Select the environment under which the policies are configured, and click the Debug button.

  3. Select the resource from the Select a resource to debug drop-down.

  4. Add a breakpoint after the point where the Verify HMAC policy is set.

  5. Go to Request > Body tabs below and provide the content in the body.

  6. Click the Send new message button.

    image-20250401-094529.png

    The message reaches the target.

Validating the response

To validate that the HMAC code is generated and the message is sent successfully:

  1. Expand the Request section and open the Context Variable tab.

  2. Check the following attributes:

    1. target.request.header.code: holds the HMAC code generated for the message.

    2. proxy.response.authorization.status: “true” indicates that the verification of the HMAC code is successful.

Refer to the bottom part of the image above where the two attributes above are highlighted.

The Message Flow explained

  1. The client sends the request.

  2. The Generate HMAC Code policy computes an HMAC code over the payload in the request using a "secret key" and an algorithm.

  3. The message, carrying the HMAC code, is transmitted further through the flow.

  4. Before reaching the server, the message has to be verified using the Verify HMAC policy. The "secret key", which is passed in the message or set in the policy, is used to recompute the HMAC code.

  5. The recomputed HMAC is compared with the HMAC code set for verification of the message.
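
The generate and verify steps of this flow, as an added Python example that is not part of the original page or the product's own code. It assumes a hex-encoded code carried in a header named "code" (taken from the context variable target.request.header.code), hashlib algorithm names, and constructed sample keys and payloads; the function names are hypothetical.

```python
import hashlib
import hmac

# Assumptions, not the product's documented behaviour: the code is hex-encoded,
# travels in a header named "code", and algorithms use hashlib names.
HEADER = "code"
ALLOWED = {"sha256", "sha384", "sha512"}


def _mac(secret: bytes, body: bytes, algorithm: str) -> str:
    if algorithm not in ALLOWED:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hmac.new(secret, body, getattr(hashlib, algorithm)).hexdigest()


def generate_hmac(request: dict, secret: bytes, algorithm: str = "sha256") -> dict:
    """Flow step 2: compute the HMAC over the body and attach it as a header."""
    headers = dict(request["headers"])
    headers[HEADER] = _mac(secret, request["body"], algorithm)
    return {"headers": headers, "body": request["body"]}  # body stays cleartext


def verify_hmac(request: dict, secret: bytes, algorithm: str = "sha256") -> bool:
    """Flow steps 4-5: recompute the HMAC and compare it with the received code."""
    received = request["headers"].get(HEADER)
    if not isinstance(received, str):
        return False  # missing code: reject rather than pass through
    expected = _mac(secret, request["body"], algorithm)
    # Constant-time comparison; bytes avoid a TypeError on non-ASCII input.
    return hmac.compare_digest(
        expected.encode(), received.lower().encode("utf-8", "replace"))


def demo() -> dict:
    secret = b"constructed-demo-key"  # constructed sample value
    original = {"headers": {}, "body": b'{"amount": 100}'}
    signed = generate_hmac(original, secret)
    tampered = {"headers": signed["headers"], "body": b'{"amount": 9000}'}
    return {
        "body_unchanged": signed["body"] == original["body"],
        "valid": verify_hmac(signed, secret),
        "tampered_body": verify_hmac(tampered, secret),
        "wrong_key": verify_hmac(signed, b"constructed-other-key"),
        "missing_code": verify_hmac(original, secret),
    }


if __name__ == "__main__":
    print(demo())
```

Only the untouched message with the matching key verifies; the body is forwarded unchanged, so confidentiality still depends on transport or payload encryption.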
