Based on the Template tag for hashing and also the HMAC template tag plugin published to NPM.
For the nice REST client Insomnia.
Install by going to the plugins tab in Insomnia and searching for insomnia-plugin-request-body-hmac,
or go to https://insomnia.rest/plugins/insomnia-plugin-request-body-hmac and click the Install Plugin button.
The main feature is generating HMAC signatures from a key and a message and placing them into the request, with the option of using the request body or parts of it as the message.
The signature can be inserted anywhere Insomnia accepts template tags, such as the URL, request parameters, headers, and the request body itself. Inserting it into the request body should only be done when selecting a different portion of the request body using a JSONPath, since otherwise the result will probably not be what you expect due to the recursion.
Has an option of removing whitespace from a JSON request body before calculating the signature.
Allows you to create multiple different HMAC signatures with different options in the same request. Previous versions only supported a single HMAC generated for each request.
Add the tag by pushing Ctrl + Space and searching for Request body HMAC. You will see several variants for the different hash functions used. You can change the hash function used later as well.
Clicking the tag allows you to change the settings for the tag. This is, for instance, where you enter the key used. The Live Preview at the bottom contains a temporary value that will be replaced later unless you input a message in the field above it. The hex string in parentheses, if you wonder why that is there, contains the settings that will be used to create the signature.
jsonpath-plus is used to navigate the request content to select the message to use instead of the complete body if needed. Please look at the linked project for more details about the syntax, but basically you can use $ to indicate the root object and then navigate down through objects, separating each field by dots.
However, most uses will probably put these signatures in headers.
Any uses in the body will be generated first, so this could be used to do multiple levels of signatures for those special APIs you might encounter. But multiple signatures wrapping each other in the body will break unless you are very lucky.
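
To see why the whitespace option and the JSONPath selection matter for the receiving side, the following added example (not the plugin's own code) signs a JSON body and verifies it the way an API server would. It assumes that whitespace removal is equivalent to re-serializing the parsed JSON and that a selected object is signed as compact JSON; `selectPath` is a hypothetical stand-in for jsonpath-plus that handles only `$` and dotted paths, and the key and body are constructed sample values.

```javascript
const crypto = require('crypto');

// Assumed equivalent of the "remove whitespace" option: compact re-serialization.
function minifyJson(text) {
  return JSON.stringify(JSON.parse(text));
}

// Hypothetical stand-in for jsonpath-plus: supports "$" and paths like "$.order.id".
function selectPath(obj, path) {
  if (path === '$') return obj;
  if (!path.startsWith('$.')) throw new Error('unsupported path: ' + path);
  return path.slice(2).split('.').reduce((node, key) => {
    if (node === null || typeof node !== 'object' || !(key in node)) {
      throw new Error('path not found: ' + path);
    }
    return node[key];
  }, obj);
}

// Build the message to sign: the whole body, or one selected part of it.
function buildMessage(body, { path = '$', stripWhitespace = false } = {}) {
  if (path === '$') return stripWhitespace ? minifyJson(body) : body;
  const selected = selectPath(JSON.parse(body), path);
  // Assumption: strings are signed as-is, other values as compact JSON.
  return typeof selected === 'string' ? selected : JSON.stringify(selected);
}

function sign(key, message, algorithm = 'sha256') {
  return crypto.createHmac(algorithm, key).update(message, 'utf8').digest('hex');
}

// Receiver side: recompute the HMAC and compare in constant time.
function verify(key, message, signatureHex, algorithm = 'sha256') {
  const expected = Buffer.from(sign(key, message, algorithm), 'hex');
  const given = Buffer.from(signatureHex, 'hex');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Constructed sample data: the same JSON document, pretty-printed and compact.
const key = 'constructed-demo-key';
const pretty = '{\n  "order": { "id": 42, "note": "a b" },\n  "amount": 10\n}';
const compact = '{"order":{"id":42,"note":"a b"},"amount":10}';

console.log('raw bodies match:     ', sign(key, pretty) === sign(key, compact));
console.log('minified bodies match:',
  sign(key, buildMessage(pretty, { stripWhitespace: true })) === sign(key, compact));
```

The HMAC covers exact bytes, so the signature only verifies if the server hashes the same serialization that was signed; whitespace inside string values is preserved by minification.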