Deployment API HMAC computation


We are interested in using the Deployment REST API and have a question about how to generate the HMAC computation referenced here:

Is there a code example that can be referenced so we can understand more about how the message should be constructed? I don't think there is enough information in that help article to enable writing code to be able to generate a message in the appropriate format.

Jun 17, 2020 19:05

Yes the documentation is awfully incomplete - it took me a long time just to realize the api endpoint is actually

You can use the powershell source for their own powershell api library as source:

# Initialize utils required for computing an HMAC and md5 signature/hash
    $hmacAlgorithm = New-Object System.Security.Cryptography.HMACSHA256
    $md5 = [System.Security.Cryptography.MD5]::Create()

    # Set the secret the HMAC algorithm uses for computing the signature
    $hmacAlgorithm.key = [System.Convert]::FromBase64String($ClientSecret)

    # Define the different parts that make up the HMAC signature
    $path = ([System.Uri] $RequestHash.Uri).PathAndQuery
    $method = $RequestHash.Method.ToUpperInvariant()
    $timestamp = [DateTimeOffset]::UtcNow.ToUnixTimeMilliSeconds().ToString("0")
    $nonce = (New-Guid).ToString("N")

    # Define the HTTP request payload that will be tacked on to the signature
    if ($RequestHash.Body) {
        $bodyBytes = [Text.Encoding]::UTF8.GetBytes($RequestHash.Body)
    else {
        $bodyBytes = [Text.Encoding]::UTF8.GetBytes('')

    $bodyHashBytes = $md5.ComputeHash($bodyBytes)
    $hashBody = [Convert]::ToBase64String($bodyHashBytes)

    # Combine all the parts into a signature message
    $message = "{0}{1}{2}{3}{4}{5}" -f $ClientKey, $method, $path, $timestamp, $nonce, $hashBody
    $messageBytes = [Text.Encoding]::UTF8.GetBytes($message)

    # Define the HMAC signature from the message
    $signatureHash = $hmacAlgorithm.ComputeHash($messageBytes);
    $signature = [Convert]::ToBase64String($signatureHash)

    # Define the authorization header for the HTTP request
    $authorization = "epi-hmac {0}:{1}:{2}:{3}" -f $ClientKey, $timestamp, $nonce, $signature


Download the package manually, rename the .nupkg file to zip. Extract the files. You find the code snippet above in "EpiCloud.psm1", line 304.

Nov 16, 2021 21:05
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.