
Using the pre-request script

In Postman, the following code is pasted into the Pre-request Script tab of the collection. Postman runs this script before every request, so the epoch and checksum headers are always fresh.
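
```javascript
// Current Unix time in seconds, sent as the epoch header.
var epoch = Math.floor(Date.now() / 1000).toString();
pm.collectionVariables.set("epoch", epoch);

var apiKey = pm.collectionVariables.get("api_key");
var apiSecret = pm.collectionVariables.get("api_secret");
// Signing string is the epoch followed by the API key.
var signingString = epoch + apiKey;
// HMAC-SHA512 keyed with the API secret, hex-encoded, sent as the checksum header.
var checksum = CryptoJS.enc.Hex.stringify(
  CryptoJS.HmacSHA512(signingString, apiSecret)
);
pm.collectionVariables.set("checksum", checksum);
```
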
On the Authorization tab of the collection, Type is set to Bearer Token and the API Key is provided as the token. Postman adds the Authorization: Bearer <API Key> header automatically. On each request, two headers are added that read from the variables:

| Header | Value |
| --- | --- |
| epoch | {{epoch}} |
| checksum | {{checksum}} |

Why is a pre-request script needed? The signature is computed with HMAC-SHA512, which Postman cannot express declaratively. The pre-request script is the standard place to perform per-request crypto.

FAQ

Where are the API Key and API Secret obtained?
Both values are available in the CHIP Control → Settings → Applications page of the merchant portal. The same page can also be used to generate new credentials or revoke existing ones.

Why does a request fail even though the script ran?
The most common cause is reuse of a previously computed checksum. The script must run on every request (the default behaviour). If Run pre-request script before each request has been disabled in the collection settings, it should be re-enabled.
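
The signing done by the pre-request script and the reused-checksum failure from the FAQ, reproduced outside Postman with Node's built-in crypto module. This is an added example, not CHIP's code: `verifyRequest`, the 300-second window and the sample credentials are assumptions, because the page does not describe how the server validates the headers.

```javascript
const crypto = require("node:crypto");

// Client side: the same computation as the Postman script, with Node's crypto.
function signRequest(apiKey, apiSecret, nowMs = Date.now()) {
  const epoch = Math.floor(nowMs / 1000).toString();
  const checksum = crypto
    .createHmac("sha512", apiSecret)
    .update(epoch + apiKey) // signing string: epoch followed by the API key
    .digest("hex");
  return { Authorization: `Bearer ${apiKey}`, epoch, checksum };
}

// Hypothetical receiver-side check. MAX_SKEW_SECONDS is an assumed freshness
// window; the page does not state the server's actual rules.
const MAX_SKEW_SECONDS = 300;

function verifyRequest(headers, apiSecret, nowMs = Date.now()) {
  const bearer = /^Bearer (.+)$/.exec(headers.Authorization || "");
  if (!bearer || !/^\d+$/.test(headers.epoch || "")) return "malformed";
  if (!/^[0-9a-f]{128}$/i.test(headers.checksum || "")) return "malformed";
  // The checksum is bound to its epoch, so a reused pair ages out.
  const age = Math.abs(Math.floor(nowMs / 1000) - Number(headers.epoch));
  if (age > MAX_SKEW_SECONDS) return "stale";

  const expected = crypto
    .createHmac("sha512", apiSecret)
    .update(headers.epoch + bearer[1])
    .digest();
  const supplied = Buffer.from(headers.checksum, "hex");
  // Constant-time comparison; both buffers are 64 bytes at this point.
  return crypto.timingSafeEqual(expected, supplied) ? "ok" : "mismatch";
}

// Constructed sample credentials, not real values.
const SAMPLE_KEY = "example-api-key";
const SAMPLE_SECRET = "example-api-secret";

function demo() {
  const t0 = 1700000000000; // constructed timestamp in milliseconds
  const fresh = signRequest(SAMPLE_KEY, SAMPLE_SECRET, t0);
  // Old checksum sent with a new epoch: only one of the two values refreshed.
  const mixed = { ...fresh, epoch: String(1700000600) };
  return [
    verifyRequest(fresh, SAMPLE_SECRET, t0 + 2000), // "ok"
    verifyRequest(fresh, SAMPLE_SECRET, t0 + 600000), // "stale"
    verifyRequest(mixed, SAMPLE_SECRET, t0 + 600000), // "mismatch"
  ];
}
console.log(demo().join(", "));
```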