
HMAC-signed API requests

advanced

What this challenge teaches

Teaches: Discover the signing secret (hidden in JS), then sign each request body + timestamp.

Expected output: POST JSON with X-Req-Timestamp and X-Req-Signature=HMAC_SHA256(ts + "." + body, secret).

Submit your scraper's JSON output to /challenges/api/auth/hmac-signed/grade (grader endpoint is part of a later phase; URL is reserved now).

The secret is normally hidden in a minified JS bundle. For this practice page we expose it both on the rendered page and in the JS; either route works:

Secret: catalog108-hmac-secret-do-not-copy

import hashlib
import hmac
import json
import time

import requests

secret = b"catalog108-hmac-secret-do-not-copy"
body = json.dumps({"hello": "world"})  # serialize once; this exact string is signed and sent
ts = str(int(time.time()))
# Signature is the hex HMAC-SHA256 over ts + "." + body
sig = hmac.new(secret, (ts + "." + body).encode(), hashlib.sha256).hexdigest()
r = requests.post(
    "https://practice.scrapingcentral.com/challenges/api/auth/hmac-signed",
    data=body,  # pass the signed string itself so the bytes on the wire match the signature
    headers={"X-Req-Timestamp": ts, "X-Req-Signature": sig, "Content-Type": "application/json"},
)
print(r.status_code, r.json())
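
The receiving side of this scheme, as an added example (not code from the challenge page or its server): it recomputes the signature over the raw body bytes, compares in constant time, and rejects old timestamps. The names `sign`, `verify` and `demo` and the 300-second window are assumptions; the page does not state a tolerance.

```python
import hashlib
import hmac
import json
import time

SECRET = b"catalog108-hmac-secret-do-not-copy"  # practice secret shown on the page
MAX_SKEW = 300  # seconds; assumed tolerance, the page does not state one


def sign(ts, body, secret=SECRET):
    """Hex HMAC-SHA256 over ts + "." + body, the scheme the page specifies."""
    return hmac.new(secret, ts.encode() + b"." + body, hashlib.sha256).hexdigest()


def verify(headers, body, now=None, secret=SECRET):
    """Check one request the way a server enforcing this scheme could (hypothetical)."""
    ts = headers.get("X-Req-Timestamp", "")
    sig = headers.get("X-Req-Signature", "")
    if not (ts.isascii() and ts.isdigit()):
        return False, "bad timestamp"
    now = time.time() if now is None else now
    if abs(now - int(ts)) > MAX_SKEW:
        return False, "stale timestamp"
    # compare_digest does not reveal how many leading characters matched
    if not hmac.compare_digest(sign(ts, body, secret).encode(), sig.encode()):
        return False, "bad signature"
    return True, "ok"


def demo():
    """Constructed request: exact bytes pass; re-serialized or replayed ones fail."""
    body = json.dumps({"hello": "world"}).encode()
    ts = "1700000000"  # constructed timestamp
    headers = {"X-Req-Timestamp": ts, "X-Req-Signature": sign(ts, body)}
    # Same JSON value, different bytes: no space after the colon
    compact = json.dumps({"hello": "world"}, separators=(",", ":")).encode()
    return {
        "exact": verify(headers, body, now=1700000010),
        "reserialized": verify(headers, compact, now=1700000010),
        "replayed": verify(headers, body, now=1700000010 + 3600),
    }


if __name__ == "__main__":
    print(demo())
```

The `reserialized` case is the usual cause of a rejected signature in a scraper: the signature covers bytes, not the JSON value, so the body must be serialized once and sent unchanged.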