@gocanto
Last active January 7, 2026 09:23
// 1. Generate UNIX timestamp in seconds
const timestamp = Math.floor(Date.now() / 1000);
const expiration = timestamp + 300; // Token valid for 5 minutes

const header = {
  "alg": "HS256",
  "typ": "JWT"
};

// 2. Define Payload with your specific claims
const payload = {
  "iat": timestamp,                 // Issued At (Standard Claim)
  "exp": expiration,                // Expiration (Recommended Standard Claim)
  "SpinID": "473178637708820030",   // Private/Public Claim
  "RoundID": "RD1234",              // Private/Public Claim
  "PlayerID": "19182528",           // Private/Public Claim
  "GameID": "03EC",                 // Private/Public Claim
  "BetAmount": 1000                 // Private/Public Claim
};

// Secret comes from the Postman environment; the literal is only a fallback
const secret = pm.environment.get('jwt_secret') || '0102030405060708';

// Helper function for Base64URL: standard Base64 with padding stripped and
// the '+' and '/' characters replaced so the token is URL-safe
function base64url(source) {
  let encodedSource = CryptoJS.enc.Base64.stringify(source);
  return encodedSource
    .replace(/=+$/, '')
    .replace(/\+/g, '-')
    .replace(/\//g, '_');
}

// 3. Process Header & Payload
const encodedHeader = base64url(CryptoJS.enc.Utf8.parse(JSON.stringify(header)));
const encodedData = base64url(CryptoJS.enc.Utf8.parse(JSON.stringify(payload)));

// 4. Create Signature over "header.payload"
const token = `${encodedHeader}.${encodedData}`;
const signature = base64url(CryptoJS.HmacSHA256(token, secret));

// 5. Final Output
const signedToken = `${token}.${signature}`;
pm.environment.set("generated_jwt", signedToken);
console.log("JWT with custom claims generated:", signedToken);
gocanto commented Jan 7, 2026

Postman JWT Generator (HS256)

This script automates the creation of a JSON Web Token (JWT) using the HMAC SHA-256 algorithm. It is designed to be used in the Pre-request Script section of a Postman request or collection.

🚀 Features

  • Standard Claims: Automatically generates iat (Issued At) and exp (Expiration) timestamps.
  • Custom Claims: Includes specific business logic fields such as SpinID, RoundID, PlayerID, and GameID.
  • Base64URL Encoding: Implements a helper function to ensure the token is URL-safe according to RFC 7515.
  • Environment Integration: Securely pulls the secret key from Postman environments and saves the resulting token for use in subsequent requests.

🛠 Setup

  1. Environment Variable: Add a variable named jwt_secret to your Postman Environment.
    • Note: If not provided, it defaults to a fallback hardcoded secret (not recommended for production).
  2. Placement: Paste the script into the Pre-request Script tab of your request or folder.
  3. Authorisation: In the Auth tab of your request, select Bearer Token and use the variable {{generated_jwt}}.

πŸ“ Script Logic

The script follows the standard three-part JWT construction:

  1. Header: Defines the algorithm (HS256) and type (JWT).
  2. Payload:
    • iat: Current UNIX timestamp.
    • exp: Sets validity for 5 minutes (timestamp + 300s).
    • Includes custom gaming/transaction claims.
  3. Signature: HMAC-SHA256 hash of the header.payload using your secret key.

πŸ” Debugging

Open the Postman Console (Ctrl/Cmd + Alt + C) to view the generated token. You can verify the output by pasting the generated string into jwt.io.
