Marmin API
Developer APIs: Reference documentation

Generate HMAC SHA-256 signature


To obtain an API token, your backend must generate an HMAC SHA-256 signature using your Client ID and Client Secret. Marmin does not generate this signature for you—you compute it on your server and send it when calling the token endpoint.

Prerequisite: Obtain your Client ID and Client Secret from the Marmin web application (see Overview in the sidebar).

Signature rules

Field        Value
Message      Client ID
Key          Client Secret
Algorithm    HMAC SHA-256
Encoding     Base64

Use your Client ID as the message (the data to sign) and your Client Secret as the key. Compute HMAC SHA-256 over the message with that key and encode the raw 32-byte result in Base64 (a 44-character string). Send this value in the x-marmin-signature header when calling the Get API token endpoint. Because both inputs are fixed, the signature is derived entirely from your Client Secret: anyone who holds the signature can obtain API tokens, so it must be protected exactly like the secret itself.

For request and code examples in cURL, Node.js, Python, and Go, see Get API token in the sidebar.
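The following Python example is added here for illustration; it is not Marmin's own code and does not replace the examples in the sidebar. It computes the x-marmin-signature value exactly as the rules above specify (message = Client ID, key = Client Secret, HMAC SHA-256, Base64 of the raw digest), reads the credentials from environment variables whose names (MARMIN_CLIENT_ID, MARMIN_CLIENT_SECRET) are an assumption of this example, and also shows the values produced by the common mistakes listed under Don'ts so you can recognise a wrong header before the token endpoint rejects it.

```python
import base64
import hashlib
import hmac
import os


def hmac_sha256(message: str, key: str) -> bytes:
    """Raw HMAC-SHA256 digest of `message` keyed with `key` (both UTF-8 strings)."""
    return hmac.new(key.encode("utf-8"), message.encode("utf-8"), hashlib.sha256).digest()


def generate_signature(client_id: str, client_secret: str) -> str:
    """Value for the x-marmin-signature header.

    Message = Client ID, key = Client Secret, encoding = Base64 of the 32 raw
    digest bytes. Nothing is hashed, prefixed or trimmed before signing.
    """
    return base64.b64encode(hmac_sha256(client_id, client_secret)).decode("ascii")


def signature_header(client_id: str, client_secret: str) -> dict:
    """Header dict to merge into the Get API token request."""
    return {"x-marmin-signature": generate_signature(client_id, client_secret)}


def signature_header_from_env() -> dict:
    """Build the header from environment variables (assumed names, not Marmin's).

    The secret is read at request time and never written to source or logs.
    """
    return signature_header(os.environ["MARMIN_CLIENT_ID"], os.environ["MARMIN_CLIENT_SECRET"])


def looks_like_valid_signature(value: str) -> bool:
    """Sanity check before sending: strict Base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.b64decode(value, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def common_mistakes(client_id: str, client_secret: str) -> dict:
    """Values produced by the mistakes listed under Don'ts; none is accepted by the endpoint."""
    return {
        # Hex output instead of Base64 (64 chars, fails looks_like_valid_signature).
        "hex_encoding": hmac_sha256(client_id, client_secret).hex(),
        # Key and message swapped.
        "swapped_inputs": generate_signature(client_secret, client_id),
        # Secret pre-hashed before use as the HMAC key.
        "prehashed_secret": generate_signature(
            client_id, hashlib.sha256(client_secret.encode()).hexdigest()
        ),
    }


if __name__ == "__main__":
    # Constructed sample credentials for a local dry run; real values come from the Marmin web app.
    cid, secret = "client_123", "s3cr3t-example"
    sig = generate_signature(cid, secret)
    print("x-marmin-signature:", sig, "valid format:", looks_like_valid_signature(sig))
    for name, wrong in common_mistakes(cid, secret).items():
        print(f"{name}: {wrong} (accepted by format check: {looks_like_valid_signature(wrong)})")
```

The hmac_sha256 helper is kept separate from the Base64 step so it can be checked against a published HMAC-SHA256 test vector (RFC 4231, test case 2: key "Jefe", message "what do ya want for nothing?"); if that digest matches, any remaining mismatch with the token endpoint is in the inputs or the encoding, not in the HMAC itself.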

Do's and don'ts

Do's
  • Generate the signature on the server – Always compute the HMAC on your backend (e.g. API server, serverless function). Only your server should have access to the Client Secret.

  • Use the exact inputs – Use the raw Client ID string as the message and the raw Client Secret as the key. Do not hash, prefix, or modify them before passing to HMAC.

  • Use HMAC SHA-256 and Base64 – Use standard HMAC-SHA256 and encode the binary result as Base64. Do not use hex or another encoding for the token request.

  • Store the Client Secret securely – Use a secrets manager or secure environment variables. Rotate the secret if you suspect it has been exposed.

  • Generate a fresh signature per token request – Each time you call the token endpoint, compute the signature from the Client Secret currently in use rather than caching or persisting it. Signatures are not long-lived credentials, and a value computed with a secret that has since been rotated will be rejected.

Don'ts
  • Do not generate the signature in the browser or mobile app – The Client Secret must never be embedded in frontend or mobile code. Anyone can inspect the client and extract the secret.

  • Do not commit the Client Secret to source control – Never put the Client Secret in code, config files, or public repositories. Use environment variables or a secrets service that is not committed.

  • Do not reuse an old signature – Each token request must include a newly computed signature. A signature saved from an earlier run may have been computed with a Client Secret that has since been rotated, in which case the token request fails.

  • Do not use a different algorithm or encoding – Use only HMAC SHA-256 and Base64. Other algorithms or encodings will not be accepted by the token endpoint.

  • Do not log or expose the signature – Treat the signature like a password: anyone who holds it can request API tokens without knowing the Client Secret. Do not log it, send it to analytics, or expose it in URLs or client-side code.