Enabling HMAC authentication with Anypoint Platform


There are many applications that use HMAC-based authentication (for example Microsoft Teams’ chat bot). This blog explains how to create a reusable custom policy with MuleSoft Anypoint Platform in order to authenticate requests from applications using HMAC authentication.

HMAC is a specific type of message authentication code. The client sends the original message (not encrypted) together with the HMAC hash computed over it. The server receives the message and, using its own copy of the secret token, hashes the message and compares the result with the received hash. If the two match, authentication passes; if not, the request is declined.

Steps to create a reusable custom policy for HMAC authentication:

  • Create a YAML config file using the secret token as the input parameter.
    (Image: YAML config file)
  • Create a Policy config XML file with the sample Groovy script* shown in the image below, which takes the input token (refer to step 1) and hashes the incoming message for the HMAC authentication.

*The sample Groovy script needs to be added to the ‘before’ section of the policy XML file.

(Image: Policy config XML file)

In this stage you can also specify message filters that apply if the inbound hash is null or not equal to the generated hash. The filters can refer to processor chains, which need to be defined outside the ‘before’ section of the policy.
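The following is an added example, not the Groovy script from the original post or any MuleSoft code: it shows in Python the same check the policy's ‘before’ script performs (recompute the HMAC with the server's secret token and compare), plus the two reject paths the message filters cover (inbound hash null, inbound hash not equal to the generated hash). HMAC-SHA256 with base64 output, the ‘Authorization: HMAC <hash>’ header format, the secret value and the request bodies are all assumptions constructed for this example; the post does not name an algorithm or header.

```python
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Constructed sample secret: stands in for the token the policy's YAML
# config takes as its input parameter. Not a real credential.
SHARED_SECRET = b"example-shared-secret-not-real"


def compute_hmac(secret: bytes, body: bytes) -> str:
    """Client side: HMAC-SHA256 over the raw request body, base64 encoded.
    Algorithm and encoding are assumptions for this example."""
    digest = hmac.new(secret, body, hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def extract_inbound_hash(headers: Dict[str, str]) -> Optional[str]:
    """Pull the hash out of an 'Authorization: HMAC <base64>' header.
    Header name and scheme are assumptions. Returns None when absent or malformed,
    which is the 'inbound hash is null' case the policy's filter handles."""
    value = headers.get("Authorization")
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme != "HMAC" or not token:
        return None
    return token


def verify_request(secret: bytes, body: bytes, inbound_hash: Optional[str]) -> Tuple[bool, str]:
    """Server side (the policy's 'before' step): recompute the HMAC with the
    server's secret and compare. Returns (accepted, reason) so the caller can
    route to the matching processor chain."""
    if not inbound_hash:
        return False, "missing_hash"
    expected = compute_hmac(secret, body)
    # Constant-time comparison: a plain == would leak the mismatch position
    # through timing differences.
    if not hmac.compare_digest(expected, inbound_hash):
        return False, "hash_mismatch"
    return True, "ok"


def handle(headers: Dict[str, str], body: bytes, secret: bytes = SHARED_SECRET) -> Tuple[bool, str]:
    """Glue that a policy would do: read the header, then verify."""
    return verify_request(secret, body, extract_inbound_hash(headers))


def run_demo() -> Dict[str, Tuple[bool, str]]:
    """Three constructed requests: a genuine one, a tampered body, and a
    request with no hash at all."""
    body = b'{"text": "hello from the client app"}'
    good_headers = {"Authorization": "HMAC " + compute_hmac(SHARED_SECRET, body)}
    return {
        "valid": handle(good_headers, body),
        "tampered": handle(good_headers, b'{"text": "hello from someone else"}'),
        "missing": handle({}, body),
    }


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

The secret is shared between the client app and the policy, so the verifier only needs the raw body and the header; any change to the body (or a hash computed with a different secret) lands in the mismatch path, and an absent or malformed header lands in the null path, which is exactly where the post's two message filters attach.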

  • Now we have the YAML config and XML Policy config ready to be imported into the API Manager. Click on Custom Policies and then click on the Add Custom Policy button.
    (Image: Custom policy)
  • Choose the policy ‘runtimes older than Mule4’ (for Mule 4-based policies, keep an eye out for our next blog). Provide the ‘Name’ of the policy and the file locations for the YAML and Policy XML.
    (Image: Add custom policy)
  • Now go to your Mule application/proxy and attach the custom policy you created. Select the application to which you want to attach the policy; the new policy is now visible in the Select Policy list.
    (Image: Attach custom policy)
    • Click on Configure Policy:
      (Image: Configure policy)
    • Specify the secret token (auth token) received from the client app:
      (Image: auth token)
    • The policy is applied:
      (Image: Apply new policy)

Now the HMAC-based client application can test our Mule application to which we attached the policy.


If you would like to find out more about Anypoint Platform and how to enable HMAC authentication, we can help. Give us a call or email us at marketing@whishworks.com.
