JWT Authentication in Postman

If you are using Postman to interact with our API, you can use the following script to authenticate to the API using JWT.

// Convert standard Base64 to the URL-safe, unpadded form used in JWTs.
var removeIllegalCharacters = function(input) {
    return input
        .replace(/=/g, '')
        .replace(/\+/g, '-')
        .replace(/\//g, '_');
};

// Serialize an object as JSON and encode it as URL-safe Base64.
var base64object = function(input) {
    var inputWords = CryptoJS.enc.Utf8.parse(JSON.stringify(input));
    var base64 = CryptoJS.enc.Base64.stringify(inputWords);
    var output = removeIllegalCharacters(base64);
    return output;
};
// Take everything from the first '/' after the scheme and host as the path.
var url = request.url;
var slashIndex = url.toLowerCase().startsWith('http') ? 8 : 0;
var path = url.substring(url.indexOf('/', slashIndex), url.length);

// Claims: current time in seconds, your identity, and the request method and path.
var exp = Date.now() / 1000 | 0;
var iss = '<your email address goes here>';
var mth = request.method;
var sub = path;
var header = { 'alg': 'HS256', 'typ': 'JWT' };
var payload = { 'exp': exp, 'iss': iss, 'mth': mth, 'sub': sub };

var unsignedToken = base64object(header) + "." + base64object(payload);

// Sign header.payload with HMAC-SHA256 using the shared secret.
var signatureHash = CryptoJS.HmacSHA256(unsignedToken, '<your secret goes here>');
var signature = CryptoJS.enc.Base64.stringify(signatureHash);
var token = unsignedToken + '.' + signature;

// Store the URL-safe token so the request header can reference {{authToken}}.
postman.setGlobalVariable('authToken', removeIllegalCharacters(token));

Add the script in the Pre-request Script section for your request.

Remember to replace the placeholder values:

  • <your email address goes here>: The e-mail address we have on file for you.
  • <your secret goes here>: The shared secret we supplied to you when you were given access to services requiring JWT authentication.

To actually send the generated token, you should then add the following HTTP header to your request.

Authorization: JWT {{authToken}}

If you are implementing JWT outside of Postman, we recommend taking a look at the many great libraries available to make working with JWT much easier.
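
For implementations outside of Postman, the following Node.js sketch builds the same token with the built-in crypto module and checks it locally before it is sent. It is an added example, not part of the original script or the API provider's code. The function names (pathOf, buildToken, checkToken) and the sample values are assumptions, and checkToken only illustrates a signature and claim check; the API's own validation rules, including how it treats exp, are not described on this page.

```javascript
const crypto = require('node:crypto');

// Same path rule as the Postman script: first '/' after the scheme and host.
function pathOf(url) {
  const start = url.toLowerCase().startsWith('http') ? 8 : 0;
  return url.substring(url.indexOf('/', start));
}

// 'base64url' is unpadded URL-safe Base64, the result of removeIllegalCharacters.
const b64url = (data) => Buffer.from(data).toString('base64url');

// Build header.payload.signature with the claims the Postman script sends.
function buildToken(secret, iss, method, url, nowMs = Date.now()) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const payload = {
    exp: Math.floor(nowMs / 1000),
    iss: iss,
    mth: method,
    sub: pathOf(url),
  };
  const unsigned = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(unsigned).digest();
  return unsigned + '.' + b64url(sig);
}

// Local sanity check (hypothetical): signature first, then the bound claims.
function checkToken(token, secret, method, url) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  const [h, p, s] = parts;
  const expected = crypto.createHmac('sha256', secret).update(h + '.' + p).digest();
  const given = Buffer.from(s, 'base64url');
  // Constant-time comparison; lengths must match before timingSafeEqual.
  if (given.length !== expected.length) return false;
  if (!crypto.timingSafeEqual(given, expected)) return false;
  const header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8'));
  const claims = JSON.parse(Buffer.from(p, 'base64url').toString('utf8'));
  // Pin the algorithm instead of trusting whatever the header declares.
  return header.alg === 'HS256' && claims.mth === method && claims.sub === pathOf(url);
}
```

Because mth and sub are covered by the signature, a token built for one method and path fails this check when presented with a different request.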