Create an HMAC Token

There are three steps to create the API Access Token which is used to authenticate API requests.

  1. Generate an API Access Key in the dashboard (this section also covers key removal if no longer required).
  2. Create an HMAC token.
  3. Use the API Access Key and HMAC token to generate an API Access token.

Access to the API requires an HMAC (Hash-based Message Authentication Code). HMAC uses a combination of a hash function and secret key to protect the integrity and authentication of the message. As the key and message are hashed in different steps, it provides more secure encryption than other authentication methods.

Passportal does not include an HMAC generator. However, a range of HMAC generators are available online.

Three elements are required to generate an HMAC:

  • The plain text message used to compute the hash. In our example we will use "api-content-hash"
  • A Secret key. Your "Secret access key" generated during the "Access key" creation.
  • The cryptographic hash function (algorithm). We require SHA-256

After entering the above information and clicking on the compute HMAC (or equivalent) button, the hashed secret key is generated and displayed.

For security Passportal does not store the hashed secret key or plain text message used to compute the hash.

After creating the HMAC token the next stage is to create an Access Key Token.