createAuthenticatedSessionToken: The signature of the request does not match the request parameters


  • I'm creating an app using the SODA Architecture. 

    I could successfully create an app and make the client authorize it.

    Result of newApplicationCreationInfo:

    <?xml version="1.0" encoding="UTF-8"?>
       <wc:info xmlns:wc="">

    I'm using the app-token to build the redirect URL, and I get to authorize the new app.

    Then, using the new child app id and the shared-secret I built the


    <?xml version="1.0" encoding="UTF-8"?>
    <wc-request:request xmlns:wc-request="">
                   <hmacSig algName="HMACSHA256">PcW4f9krD1O43O4JGBGEkqDlpatFIUUQY9JejHji0XA=</hmacSig>

    The hmacSig value is the encryption of "<content>....</content>" using the shared-secret value as the private key:

    hmacSig = Encodingutil.base64Encode(Crypto.generateMac('hmacSHA256', Blob.valueOf(body), Blob.valueOf(sharedSecret)))

    This returns an error code 11: The signature of the request does not match the request parameters.

    I'm using the following endpoint:
    Also, the redirection URL I received after authorizing the app contains the following:
    https://<MY_URL>/?gws_rd=cr&ei=h5ewUuKLJa7IsASc4YHIAw
    I'm not using these parameters, if that helps.

    Any hint will be greatly appreciated.

    UPDATE: I already checked the HMAC encoding using a third-party service and it returned the same as my app.

    • Edited by Fernando Rod Tuesday, December 17, 2013 7:34 PM Clarification
    Tuesday, December 17, 2013 7:31 PM


  • I figured this out (God bless Pair Programming):

    I was signing incorrectly: 

    On the newApplicationCreationInfo:

    My Shared Secret is : gBksYDAqcuAUXK+zyvfFW9F0sy8nchwnplJ6K7aKmAM=

    But BEFORE hashing the "<content>...</content>" I need to decode my secret, that is:

    hmacsig = calculateHMAC256(content, sharedSecret.decodeBase64())

    • Marked as answer by Fernando Rod Tuesday, December 31, 2013 1:46 PM
    Tuesday, December 31, 2013 1:45 PM
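
The mismatch resolved in this thread, as an added Python example (not code from either poster or from the service): it signs the same body with the Base64 text of the secret used directly as the key, as in the question, and with the decoded key bytes, as in the answer, then reports which interpretation produced a given signature. The body string and all function names are assumptions made for the illustration; the secret is the one quoted in the answer.

```python
import base64
import binascii
import hashlib
import hmac

# Shared secret as quoted in the answer above (Base64 text, 32 bytes once decoded).
SHARED_SECRET_B64 = "gBksYDAqcuAUXK+zyvfFW9F0sy8nchwnplJ6K7aKmAM="
# Constructed request body; the real <content> element is not shown on the page.
BODY = "<content>constructed sample body</content>"


def decode_secret(secret_b64):
    """Strictly decode the Base64 secret; reject stray characters or bad padding."""
    try:
        return base64.b64decode(secret_b64, validate=True)
    except binascii.Error as exc:
        raise ValueError("shared secret is not valid Base64") from exc


def sign(body, key):
    """Base64 of HMAC-SHA256(key, body), the form carried in <hmacSig>."""
    mac = hmac.new(key, body.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")


def sign_correct(body, secret_b64):
    # Key = decoded secret bytes, as in the accepted answer.
    return sign(body, decode_secret(secret_b64))


def sign_as_in_question(body, secret_b64):
    # Key = the Base64 text itself, as in the question (yields error code 11).
    return sign(body, secret_b64.encode("utf-8"))


def diagnose(body, secret_b64, observed_sig):
    """Report which key interpretation produced observed_sig, if either."""
    candidates = {
        "decoded-key": sign_correct(body, secret_b64),
        "text-key": sign_as_in_question(body, secret_b64),
    }
    for label, sig in candidates.items():
        # Constant-time comparison, as a verifier should use.
        if hmac.compare_digest(sig.encode("ascii"), observed_sig.encode("ascii")):
            return label
    return None


if __name__ == "__main__":
    print("text key   :", sign_as_in_question(BODY, SHARED_SECRET_B64))
    print("decoded key:", sign_correct(BODY, SHARED_SECRET_B64))
```

Both signatures are valid HMAC-SHA256 output, which is why checking the value against a third-party HMAC tool with the same text key confirms the wrong result.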