Signing a message with a secret key

I am trying to sign a message which is sent as a payload for authentication. This message consists of a nonce, plus the unsigned and the signed message, including the api key which the other party should use to authenticate me.

I am using the following,

  type: coda.AuthenticationType.Custom,
  params: [
    { name: "api_key", description: "API key." },
    { name: "api_secret", description: "API secret." },

I then get these values on addFormula like so

  execute: async function ([from, to, text], context) {
    // Create the placeholders for the API key and secret.
    let invocationToken = context.invocationToken;
    let apiKeyPlaceholder = "{{api_key-" + invocationToken + "}}";
    let apiSecretPlaceholder = "{{api_secret-" + invocationToken + "}}";

   // Do signing of a message with "crypto" library or CryptoJS
   // Do request

I can CLEARLY see that the placeholders are not being replaced which causes the token to be incorrect. I have corroborated that my signing function works (when hardcoding the secret and api key).

I know this might be because these placeholders are probably switched only inside the scope of fetch, but is there another way I can sign tokens?

All help is totally appreciated

Hi @Edgar_Hernandez1 - Unfortunately I don’t think this will be possible with our authentication system today. The Custom auth placeholders are only replaced after you call fetch(), so any signature generation you do in your code will be using the placeholders and not the real values, leading to an invalid signature.

Can you point me to the docs for this API? If this is a standard authentication type then perhaps we can add support for it.

Hi @Eric_Koleda, thanks for the fast reply.

Sure, here you have an example

I believe quite a bit of exchanges use this authentication method.

As a separate but related question, is the placeholder replaced remotely? Meaning that the secrets are stored on coda instead of locally?

Hi @Edgar_Hernandez1 - Thanks for the additional context, that’s really helpful. I’ll raise this case with the engineering team and see if they have any other ideas.

That is correct, for all of the authentication mechanisms the credentials are securely stored in Coda and injected into the outgoing requests. When developing using the CLI the npx coda auth command can be used to generate and store local credentials for testing, but they are never sent to the server when you upload the Pack.