Magento 2 REST API OAuth HMAC-SHA256 signature generation

Hi All


Magento version 2.4.3-p1 (CE)


I am trying to call a Magento REST API using OAuth authentication. I can't seem to get the HMAC-SHA256 signature to generate correctly after I followed the official guidance at:


I keep on getting the error that the signature code is invalid (HTTP error code 401, error code 7).


Here is a snippet of my JavaScript code (I know the keys are in the script but I reauthorized the API therefore the credentials in this script won't work for anyone to connect to our site):

//Variables required from the function calling this flow
var p_http_method = "GET";
var p_url = ""

//Static variables for Magento authorization
var p_oauth_version = "1.0";
var p_signature_method = "HMAC-SHA256";
var p_nonce = "d8SwwFAicMS"  //uuid.v4();
var p_consumer_key = "wypklfmtf6m53b0rfclxikr2xibopftu";
var p_access_token = "iuidk2l926cectr9sjlx5airsobui4zr";
var p_signing_key = ["fw17d1k3i70zldcy7xvuvtjjykrzw286","idzrukjakohp0d39k0x2yisocolhst6d"].join('&');

//Timestamp variable calculation
var t1 = new Date("1970-01-01 00:00:00");
var t2 = new Date();
var p_timestamp = 1665411771 //((t2.getTime() - t1.getTime()) / 1000).toFixed(0);

//Create the oauth signature
var p_sig_string = [encodeURIComponent(p_http_method), encodeURIComponent(p_url), encodeURIComponent('oauth_nonce=' + p_nonce), encodeURIComponent('oauth_signature_method=' + p_signature_method), encodeURIComponent('oauth_timestamp=' + p_timestamp), encodeURIComponent('oauth_version' + p_oauth_version), encodeURIComponent('oauth_consumer_key=' + p_consumer_key), encodeURIComponent('oauth_token'+p_access_token)].join('&');
var p_oauth_signature = crypto.createHmac('sha256', p_signing_key).update(p_sig_string).digest().toString('base64');

msg.payload = {
    "searchCriteria[pageSize]": 0,
    "p_oauth_signature": p_oauth_signature,
    "p_sig_string": p_sig_string
};

//The OAuth parameters are sent in the Authorization header
msg.headers = {
    "Authorization": 'OAuth oauth_consumer_key=' + p_consumer_key
        + ', oauth_token=' + p_access_token
        + ', oauth_signature_method=' + p_signature_method
        + ', oauth_timestamp=' + p_timestamp
        + ', oauth_nonce=' + p_nonce
        + ', oauth_signature=' + p_oauth_signature
};

return msg;

Postman used the same parameters as I used above and returned the following signature: ZY6EzvKtlbLwgG+Cv1jAiWaCtVHWggMI+1dYnhneJQY=. This signature works and Magento does not reject the request (thus this signature is valid).


Can someone please assist with what is wrong in my script that I don't get the same signature generated as Postman? The above script returns the following signature: nRlC+FMv43UG0PQRW7PC9CxSlhd8UsSrFX7i3tYouuY=


I need the above script to return the same signature as what Postman is returning for the call to be successful.


I have tried to order the variable p_sig_string alphabetically but this also did not fix the issue.
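
For comparison with the snippet in the post, here is an added example (not part of the original post) that builds the signature base string by the OAuth 1.0a rules of RFC 5849, section 3.4.1: every parameter is a percent-encoded `name=value` pair, the pairs are sorted, and the joined parameter string is encoded once as a whole. The host, path and all credentials are constructed placeholders, and the function names `pct`, `baseString` and `sign` are hypothetical.

```javascript
const crypto = require('crypto');

// RFC 3986 percent-encoding: encodeURIComponent leaves ! ' ( ) * unescaped.
function pct(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Signature base string. `params` holds the oauth_* values (without
// oauth_signature) plus every query parameter of the request.
// `baseUrl` is scheme://host/path with no query string.
function baseString(method, baseUrl, params) {
  const normalized = Object.entries(params)
    .map(([k, v]) => [pct(k), pct(v)])       // encode names and values first
    .sort(([ak, av], [bk, bv]) =>             // then sort by name, then value
      ak < bk ? -1 : ak > bk ? 1 : av < bv ? -1 : av > bv ? 1 : 0)
    .map(([k, v]) => k + '=' + v)
    .join('&');
  // Three parts joined by '&'; the parameter string is encoded as one unit.
  return [method.toUpperCase(), pct(baseUrl), pct(normalized)].join('&');
}

// HMAC-SHA256 over the base string, keyed with the two encoded secrets.
function sign(method, baseUrl, params, consumerSecret, tokenSecret) {
  const key = pct(consumerSecret) + '&' + pct(tokenSecret);
  return crypto.createHmac('sha256', key)
    .update(baseString(method, baseUrl, params))
    .digest('base64');
}

// Constructed sample request: URL and credentials are placeholders.
const SAMPLE_URL = 'https://shop.example.test/rest/V1/products';
const SAMPLE_PARAMS = {
  oauth_consumer_key: 'CONSUMER_KEY_PLACEHOLDER',
  oauth_token: 'ACCESS_TOKEN_PLACEHOLDER',
  oauth_signature_method: 'HMAC-SHA256',
  oauth_timestamp: '1665411771',
  oauth_nonce: 'd8SwwFAicMS',
  oauth_version: '1.0',
  'searchCriteria[pageSize]': '0'   // query parameters are signed too
};

console.log(baseString('GET', SAMPLE_URL, SAMPLE_PARAMS));
console.log(sign('GET', SAMPLE_URL, SAMPLE_PARAMS,
  'CONSUMER_SECRET_PLACEHOLDER', 'TOKEN_SECRET_PLACEHOLDER'));
```

Printing the base string next to the one a known-good client produces for the same nonce and timestamp shows exactly which part differs.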