Duo Auth API Missing request timestamp with Postman

I’m attempting to test the Auth API in postman but only ping is working. all other requests fail with the message: Missing request timestamp. found some good info here: https://community.duo.com/t/preauth-api-failing-but-check-and-ping-are-good/3125

but nothing related to this error. I’d like to use the API to manage prompts and enrollment. I can provide any additional info needed to resolve this.

How is your Postman prerequest script inserting the timestamp?

Here’s a good thread to read through: Preauth API failing but check and ping are good - #16 by Sushmita_Saha (ope I just realized it’s the same thread you linked).

Actually, I’m thinking I just do not understand the API usage at all. We use SimpleSAMLphp as our SAML IDP and we need a way to integrate Duo into it. The Web SDK seems difficult, so the API seemed like a good choice. check to see if enrolled, if not prompt them. my Pre-request script looks like this:

function getAuthHeader(httpMethod, requestUrl, requestBody) { console.log(requestBody); //body data console.log(httpMethod); // http type: POST, GET, ETC

var CLIENT_KEY = ‘Auth API Integration Key’;

var SECRET_KEY = ‘Auth API Secret Key’;


var moment = require(‘moment’)

//const moment= require(‘moment’);

/* Uncomment out lines below to use your test for getting correct formatted time and date */

var timestamp = moment().format(“ddd, DD MMM YYYY HH:mm:ss ZZ”);


//var timestamp = “Tue, 21 Aug 2012 17:29:18 -0600”; /* Only for example */


var hostname = “YYY-XXXXXXXX.duosecurity.com”;

var apicall = “/auth/v2/auth”

var body = “username=root” //sample username

var requestData = timestamp+“\n”+“POST”+“\n”+hostname+“\n”+apicall+“\n”+body;


var hmacDigest = CryptoJS.HmacSHA1(requestData, SECRET_KEY);


var prebase = CLIENT_KEY+“:”+hmacDigest;


var baseComplete = btoa(prebase);


var authHeader = "Basic "+baseComplete;

return authHeader;


postman.setEnvironmentVariable(‘hmacAuthHeader’, getAuthHeader(request[‘method’], request[‘url’], request[‘data’]));

My response is always:

“code”: 40103,
“message”: “Invalid signature in request credentials”,
“stat”: “FAIL”

I’m not even certain Anything I am doing is correct here.

1 Like

I was running into this same issue with the /auth/v2/check API call. It took a lot of fiddling, but the two things that solved it for me were:

  • Time zone offsets seem to cause problems. Changing mine to -0000 (since my date was set via DateTime.UtcNow C#) enabled the samples from Duo to work.
  • Make sure in the header of your API call you use the exact same date (including with the -0000). Additionally, Duo’s documentation said to call this parameter date, but their samples actually called it X-Duo-Date.

I spent a few hours trying to sort that out when their samples didn’t work out of the box, but after a lot of fiddling these two changes seem to take care of my issue with this same error.

Hope that helps!