Does Eventing 6.6 support HMAC or JWT token based authentication


I am using couchbase server 6.6 eventing with curl function that calls some REST services. These REST services support HMAC authentication and JWT token based authentication.

Can I generate JWT tokens in eventing?
Can I generate HMAC tokens in eventing?


Hi @FarisAhmed,

Currently the Couchbase Eventing service supports four styles of authentication via the bindings in the Function’s settings.

  • noauth
  • basic
  • digest
  • bearer

The first two are trivial (noauth and basic). For ‘basic’ couchbase curl call will inject the needed header for basic prior to sending the request so you don’t need passwords in your JavaScript.

Next we have digest, here you can test things out via a legal username postman and password via a public API, change the password and it will fail

curl --location --request GET '' --digest -u postman:password

Finally we have ‘bearer’ but this gets a bit more complicated to test (reach out to me via direct message if you want a detiled examples test jig and an eventing function).

Do we support HMAC via curl form eventing currently no, however digest is quite close to HMAC but HMAC goes a bit further What is HMAC Authentication and why is it useful? · Mark Wolfe's Blog if you had sha256 function in your Eventing JavaScript code you would be able to calculate the signature of your body then you insert the appropriate header, however I haven’t done this myself.

Intuitively it would be a “simple” as a function call

console.log(sha256.hmac('key', 'message'));

But we don’t allow importing libraries in Eventing (nor do we expose a sha256 function like we do for crc64() in Eventing) so you could base your utility of of public domain code such as sha256/sha256.js at gh-pages · geraintluff/sha256 · GitHub or GitHub - emn178/js-sha256: A simple SHA-256 / SHA-224 hash function for JavaScript supports UTF-8 encoding.

If this capability being built into Eventing important or critical to you please reach out to your sales channel and have them open up CBSE (our internal enhancement request tracking process)

Hope this helps

Jon Strabala