The crypto object provides access to the HTTP Client Crypto API, which lets you use cryptographic hash functions, RSA, and HMAC to generate HTTP signatures. You can then use these signatures as variables in pre-request scripts to sign your HTTP requests.
The crypto accepts a method that can be either one of the hash functions (sha1, sha256, sha512, md5), HMAC, or RSA.
Method
Parameters
Description
updateWithText
textInput (string)
encoding (string): the encoding of textInput. Default is UTF8.
Updates a string to be transformed to a hash.
updateWithHex
hexInput (string)
Updates a hexadecimal string to be transformed to a hash.
updateWithBase64
base64Input (string)
urlSafe (boolean): enter true if the string is encoded using the URL-safe variant of Base64.
Updates a Base64 string to be transformed to a hash.
digest().toHex()
â
Generates a hash and convert it to the hexadecimal format.
digest().toBase64()
urlSafe (boolean): enter true if you want to use the URL-safe variant of Base64
Generates a hash and convert it to the Base64 format.
HMAC methodsThe crypto.hmac object enables you to use HMAC to sign HTTP requests. It has access to all hash methods to generate hashes but also has methods to get the secret part of the token.
Method
Parameters
Description
withTextSecret
textSecret (string)
encoding (string): the encoding of textSecret. Default is UTF8.
Puts the secret key to be used in HMAC.
withHexSecret
hexSecret (string)
Puts the secret key in the hexadecimal format.
withBase64Secret
base64Input (string)
urlSafe (boolean): enter true if the string is encoded using the URL-safe variant of Base64.
Puts the secret key in the Base64 format.
Example:
< {% const signature = crypto.hmac.sha256() .withTextSecret(request.environment.get("secret")) // get variable from http-client.private.env.json .updateWithText(request.body.tryGetSubstituted()) .digest().toHex(); request.variables.set("signature", signature) const hash = crypto.sha256() .updateWithText(request.body.tryGetSubstituted()) .digest().toHex(); request.variables.set("hash", hash) %} POST https://httpbin.org/post X-My-Signature: {{signature}} X-My-Hash: {{hash}} Content-Type: application/json { "prop": "value" }
RSA methodsThe crypto.subtle object enables you to use RSA cryptography in pre-request scripts. The HTTP Client supports the Web Crypto API, which provides standard cryptographic functions such as key generation, encryption, decryption, digital signing, signature verification, and more.
Method
Parameters
Description
encrypt
algorithm (object): specify the encryption algorithm and its parameters. The exact object structure depends on the algorithm in use.
key (object): specify the CryptoKey containing the key for encryption.
data (ArrayBuffer, TypedArray, or DataView)
Encrypts the provided data using the specified algorithm and key.
decrypt
algorithm (object): specify the decryption algorithm and its parameters. The exact object structure depends on the algorithm in use.
key (object): specify the CryptoKey containing the key for decryption.
data (ArrayBuffer, TypedArray, or DataView)
Decrypts the encrypted data using the specified algorithm and key.
sign
algorithm (object): specify the algorithm for generating a digital signature. The exact object structure depends on the algorithm in use.
key (object): specify the CryptoKey containing the key for signing. If algorithm identifies a public-key cryptosystem, the key is private.
data (ArrayBuffer, TypedArray, or DataView)
Generates a digital signature using the specified algorithm and key.
verify
algorithm (object): specify the algorithm for signature verification. The exact object structure depends on the algorithm in use.
key (object): specify the CryptoKey containing the key to verify the signature. Use a secret key for symmetric algorithms, or a public key for public-key algorithms.
signature (ArrayBuffer)
data (ArrayBuffer)
Verifies a digital signature using the specified algorithm and key.
digest
algorithm (object or string): specify the algorithm or hash function to use.
data (ArrayBuffer, TypedArray, or DataView)
Generates a fixed-sized summary of your data using a specified hash function (for example, SHA-256).
generateKey
algorithm (object): specify the algorithm that will define the type of key to generate.
extractable (boolean): enter true to allow for exporting the key with crypto.subtle.exportKey() or crypto.subtle.wrapKey().
keyUsages (array of strings): specify the list of possible operations with the key.
Generates a new key (for symmetric algorithms) or key pair (for public-key algorithms).
deriveKey
algorithm (object): specify the derivation algorithm and its parameters. The exact object structure depends on the algorithm in use.
baseKey (object): specify the CryptoKey to use as an input to the derivation algorithm.
derivedKeyAlgorithm (object): specify the algorithm defining what kind of key you want to create from the derived data.
extractable (boolean): enter true to allow for exporting the key with crypto.subtle.exportKey() or crypto.subtle.wrapKey().
keyUsages (array of strings): specify the list of possible operations with the key.
Derives a key from the base key.
deriveBits
algorithm (object): specify the derivation algorithm and its parameters. The exact object structure depends on the algorithm in use.
baseKey (object): specify the CryptoKey used as an input to the derivation algorithm.
length (number): specify the number of bits to derive.
Derives an array of bits from the base key.
importKey
format (string): specify the data format of the key to import. Possible values: raw, pkcs8, spki, jwk.
keyData (ArrayBuffer, TypedArray, DataView, or JSONWebKey)
algorithm (object): specify the algorithm defining the type of key to import and provide algorithm-specific parameters.
extractable (boolean): enter true to allow for exporting the key with crypto.subtle.exportKey() or crypto.subtle.wrapKey().
keyUsages (array of strings): specify the list of possible operations with the key.
Imports a key in an external portable format and returns a CryptoKey object.
exportKey
format (string): specify a data format to export the key. Possible values: raw, pkcs8, spki, jwk.
key (object): specify the CryptoKey to export.
Exports a CryptoKey and returns a key in an external portable format.
wrapKey
format (string): specify a data format in which the key will be exported before the encryption. Possible values: raw, pkcs8, spki, jwk.
key (object): specify the CryptoKey to wrap.
wrappingKey (object): specify the CryptoKey used to encrypt the exported key.
wrapAlgo (object): specify the algorithm for encrypting the exported key. The exact object structure depends on the algorithm in use.
Exports a key in an external portable format and encrypts it.
unwrapKey
format (string): specify the data format of the key to unwrap. Possible values: raw, pkcs8, spki, jwk.
wrappedKey (ArrayBuffer)
unwrappingKey (object): specify the CryptoKey to decrypt the wrapped key.
unwrapAlgo (object): specify the algorithm for decrypting the wrapped key. The exact object structure depends on the algorithm in use.
unwrapedKeyAlgo (object): specify the algorithm defining the type of key to unwrap and provide algorithm-specific parameters.
extractable (boolean): enter true to allow for exporting the key with crypto.subtle.exportKey() or crypto.subtle.wrapKey().
keyUsages (array of strings): specify the list of possible operations with the key.
Imports and decrypts a key that has been wrapped, returning a CryptoKey object.
Example:
< {% const keyPair = crypto.subtle.generateKey({ name: "RSA-PSS", modulusLength: 2048, publicExponent: new Uint8Array([1, 0, 1]), hash: "SHA-256" }, true, ["sign", "verify"]) const text = "Hello, HTTP Client Pre Script!!!"; const data = string2byteArray(text); const signature = crypto.subtle.sign( { name: "RSA-PSS", }, keyPair.privateKey, data ); const verified = crypto.subtle.verify( { name: "RSA-PSS", }, keyPair.publicKey, signature, data); client.log(`${text}, verified: ${verified}`); %} GET https://example.com/api/path
Example: generate JWTBelow is an example of how to create a JSON Web Token (JWT), which consists of three parts: a base64url-encoded header, a base64url-encoded payload (claims), and a cryptographic signature, generated using a SHA-256 algorithm. This token is then saved as a jwt_token pre-request variable and can be used to authenticate a request.
< {% const CLIENT_ID = request.environment.get("client_id"); // get variable from http-client.private.env.json const SECRET = request.environment.get("secret"); // get variable from http-client.private.env.json function base64UrlEncode(input) { const chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"; let binary = ""; for (let i = 0; i < input.length; i++) { binary += input.charCodeAt(i).toString(2).padStart(8, "0"); } let base64 = ""; for (let i = 0; i < binary.length; i += 6) { const chunk = binary.substring(i, i + 6); const index = parseInt(chunk.padEnd(6, "0"), 2); base64 += chars[index]; } return base64.replace(/=/g, "").replace(/\+/g, "-").replace(/\//g, "_"); } const header = { alg: "HS256", typ: "JWT" }; const payload = { iat: Math.floor(Date.now() / 1000), client_id: CLIENT_ID, iss: CLIENT_ID, user_id: "dev-user", user_representation: "dev user" }; const encodedHeader = base64UrlEncode(JSON.stringify(header)); const encodedPayload = base64UrlEncode(JSON.stringify(payload)); const unsignedToken = `${encodedHeader}.${encodedPayload}`; const signature = crypto.hmac.sha256() .withTextSecret(SECRET) .updateWithText(unsignedToken) .digest().toBase64(true); const token = `${unsignedToken}.${signature}`; request.variables.set("jwt_token", token); %} GET https://example.com/api/path Authorization: Bearer {{jwt_token}}
10 June 2025
RetroSearch is an open source project built by @garambo | Open a GitHub Issue
Search and Browse the WWW like it's 1997 | Search results from DuckDuckGo
HTML:
3.2
| Encoding:
UTF-8
| Version:
0.7.4