Preauth API failing but check and ping are good


Hi Team,

I referred to to use the Duo Auth API for check and preauth.
I used this, and with it the ping and check APIs succeed, but for the Preauth API I am getting 40103 Invalid signature in request credentials, and I am using the correct ikey and skey that were created for the Auth API in the Duo admin console.

Could you please suggest how to resolve this issue?

Thank you


Per this Duo KB article, please try the following suggestions:

Verify that the signature is encoded in hexadecimal ASCII; is using the correct HMAC-SHA1 signature as the password; lists parameters in alphabetical order.


@DuoKristina what exactly does that mean? I’m using Postman simply to test and I’m receiving the same error.


Hey @humblecoder,

Did you take a look at the KB article I referenced, which lists common Duo error codes and possible causes?


@DuoKristina I did indeed. In fact I’d seen it before coming here. I don’t mean to be obtuse, but are you referring to the parameter structure as a “signature”? I’ve never seen “signature” in that context and have no idea how it’s being used.

Also, while the KB article ostensibly says what the fix is, it doesn’t make clear how that is accomplished. I mean, from my perspective, I’m sending the request in plain text via Postman. I can’t imagine what else to fix.



By “signature” we do refer to the computed SHA1 of the API request (with parameters) as described here: Auth API | Duo Security.

Are you also having success on /check but failing on /preauth? Or is nothing successful?


@DuoKristina Actually, I can’t get anything to succeed. Here is the JS I’m using to create the relevant params in Postman:

	let curDate = (new Date()).toUTCString()
	let myHost = 'HIDDEN-HOST'

	let params = {
			'device': 'auto',
			'factor': 'push',
			'username': 'HIDDEN-NAME'
	}

	// URL-encode each key=value pair
	let urlEncodedParams = []

	for (const [k, v] of Object.entries(params)) {
		urlEncodedParams.push(encodeURIComponent(k) + '=' + encodeURIComponent(v))
	}

	// Components of the string that gets signed
	let sigComponents = {
			'date': curDate,
			'host': myHost,
			'method': 'POST',
			'path': '/auth/v2/auth',
			'urlParam': urlEncodedParams.join('&')
	}

	let sigComponentValueString = Object.values(sigComponents).join('\r\n')

	// HMAC-SHA1 over the joined components, hex-encoded
	let hmacSignature = CryptoJS.HmacSHA1(sigComponentValueString, 'HIDDEN-STRING').toString()

	// Expose the values to the Postman request
	pm.environment.set("env_new_date", curDate)
	pm.environment.set("env_hmac_signature", hmacSignature);


Obviously a convoluted process (especially given the nature of the requirement), but is there anything glaringly wrong?


@DuoKristina It would be nice to have far more descriptive errors, especially in “development”. Perhaps we could see on our dashboard what was sent vs what the server compared it to.
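
The signature construction discussed in this thread, as an added example that is not part of the original posts and is not Duo's own code: it builds the canonical request (date, upper-case method, lower-case host, path, and alphabetically sorted URL-encoded parameters, joined with bare line feeds), computes the hex HMAC-SHA1 keyed with the skey, and sends it as the Basic-auth password with the ikey as the username. It uses Node's built-in `crypto` module rather than Postman's CryptoJS; the function names, placeholder keys, host and date are assumptions constructed for illustration.

```javascript
// Added example (not from the thread): canonical request and signature for the Duo Auth API.
const crypto = require('crypto');

// RFC 3986 encoding: encodeURIComponent leaves !'()* unescaped, so escape them too.
function rfc3986(s) {
  return encodeURIComponent(s).replace(/[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// Parameters: URL-encoded key=value pairs, sorted by key, joined with '&'.
function canonParams(params) {
  return Object.keys(params).sort()
    .map((k) => rfc3986(k) + '=' + rfc3986(String(params[k])))
    .join('&');
}

// Five lines joined with a bare line feed: date, METHOD, host, path, params.
function canonicalRequest(date, method, host, path, params) {
  return [date, method.toUpperCase(), host.toLowerCase(), path,
    canonParams(params)].join('\n');
}

// HMAC-SHA1 keyed with the skey, hex-encoded; it is sent as the Basic-auth
// password with the ikey as the username. The Date header must carry the
// same date string that was signed.
function signRequest(ikey, skey, date, method, host, path, params) {
  const canon = canonicalRequest(date, method, host, path, params);
  const sig = crypto.createHmac('sha1', skey).update(canon).digest('hex');
  return {
    canon,
    sig,
    headers: {
      Date: date,
      Authorization: 'Basic ' + Buffer.from(ikey + ':' + sig).toString('base64'),
      'Content-Type': 'application/x-www-form-urlencoded',
    },
    body: canonParams(params), // POST body uses the same encoding as the signed line
  };
}

// Constructed sample values; the keys and host are placeholders, not real credentials.
const sample = signRequest('DIXXXXXXXXXXXXXXXXXX', 'placeholder-skey',
  'Tue, 21 Aug 2012 17:29:18 -0000', 'post', 'API-XXXXXXXX.duosecurity.com',
  '/auth/v2/preauth', { username: 'example user' });
console.log(sample.canon);
console.log(sample.headers.Authorization);
```

Printing `canon` before hashing makes a 40103 easier to debug, because a wrong component order, a `\r\n` separator or unsorted parameters are visible in the string itself.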