> ## Documentation Index
> Fetch the complete documentation index at: https://docs.chip-in.asia/llms.txt
> Use this file to discover all available pages before exploring further.

# Pre-Request Script

> How to wire the auth headers in Postman.

## Using the pre-request script

In Postman, the following code is pasted into the **Pre-request Script** tab of the collection. Postman runs this script before every request, so the `epoch` and `checksum` headers are always fresh.

```javascript theme={null}
var epoch = Math.floor(Date.now() / 1000).toString();
pm.collectionVariables.set("epoch", epoch);

var apiKey = pm.collectionVariables.get("api_key");
var apiSecret = pm.collectionVariables.get("api_secret");
var signingString = epoch + apiKey;
var checksum = CryptoJS.enc.Hex.stringify(
  CryptoJS.HmacSHA512(signingString, apiSecret)
);
pm.collectionVariables.set("checksum", checksum);
```

On the **Authorization** tab of the collection, **Type** is set to **Bearer Token** and the API Key is provided as the token. Postman adds the `Authorization: Bearer <API Key>` header automatically.

On each request, two headers are added that read from the variables:

| Header     | Value          |
| ---------- | -------------- |
| `epoch`    | `{{epoch}}`    |
| `checksum` | `{{checksum}}` |

> **Why is a pre-request script needed?** The signature is computed with HMAC-SHA512, which Postman cannot express declaratively. The pre-request script is the standard place to perform per-request crypto.

## FAQ

**Where are the API Key and API Secret obtained?**
Both values are available in the [CHIP Control → Settings → Applications](https://portal.chip-in.asia/control/settings/applications) page of the merchant portal. The same page can also be used to generate new credentials or revoke existing ones.

**Why does a request fail even though the script ran?**
The most common cause is reuse of a previously computed checksum. The script must run on every request (the default behaviour). If **Run pre-request script before each request** has been disabled in the collection settings, it should be re-enabled.