I'm a relatively new Javascript programmer and I'm experimenting with the Marvel API (I need to access the images for a project) and having a little trouble wrapping my head around the requirements.

As I understand it, you need to pass a hash and a ts (timestamp, I presume), when calling the API from a server-side app. But I don't see in the documentation that this is required when using a client-side app.

I tried to do some basic endpoint testing with Insomnia and I receive the message "You must provide a hash.". Apparently I need the hash for client-side access as well?

I have seen some NodeJS examples that show you how to generate the hash (for example, ), but nothing for the client side (that I could find). I also don't know how I would generate this within Insomnia (or Postman). Any pointers in the right direction would be appreciated.

I'd also like to ask what role the authorized domains play when accessing the Marvel API from a local machine. Do I need to add localhost to this list?

Thanks for any help!

I'm a relatively new Javascript programmer and I'm experimenting with the Marvel API (I need to access the images for a project) and having a little trouble wrapping my head around the requirements.

As I understand it, you need to pass a hash and a ts (timestamp, I presume), when calling the API from a server-side app. But I don't see in the documentation that this is required when using a client-side app.

I tried to do some basic endpoint testing with Insomnia and I receive the message "You must provide a hash.". Apparently I need the hash for client-side access as well?

I have seen some NodeJS examples that show you how to generate the hash (for example, https://www.raymondcamden.com/2014/02/02/Examples-of-the-Marvel-API), but nothing for the client side (that I could find). I also don't know how I would generate this within Insomnia (or Postman). Any pointers in the right direction would be appreciated.

I'd also like to ask what role the authorized domains play when accessing the Marvel API from a local machine. Do I need to add localhost to this list?

Thanks for any help!

• javascript
• request
• postman
• insomnia

• have you acquired your api key at least? – shanks Commented Oct 5, 2018 at 17:38
• Yes -- public and private, although I'm not sure where the private key comes into play. I see from examples on the web that one can access the API client-side using only the public key -- so I'm trying to set that up. But I don't know why it won't work with API testing apps like Postman/Insomnia -- don't they simulate client-side calls? I found the following article that references calling Marvel with Postman, but he has to generate hash and ts values to pass to Postman -- and I'm not clear why he needed to, if Postman emulates a client, or how he generated those... – Cerulean Commented Oct 5, 2018 at 17:43
• medium.com/@DKUSHandOJ/apis-and-postman-deliver-184ce17bf631 – Cerulean Commented Oct 5, 2018 at 17:43
• 1 Postman does not expose an api to generate hash for you (i think). You can only do that on the server side with built-in crypto type libs. So maybe find a service that you can call via postman scripting to pass the parameters (ts + pub + priv) and get back the hash which you can use, but I would advise against this as you expose your private key to the service which is supposed to be secret. – shanks Commented Oct 5, 2018 at 18:05
• 1 Not sure you can use localhost directly. maybe try ngrok.com to help you tunnel your localhost and get a url with which you register with them. – shanks Commented Oct 5, 2018 at 18:07

2 Answers 2

Follow the steps:

1. Pick an API Endpoint. eg: https://gateway.marvel.com:443/v1/public/characters
2. Use a query value for ts. ts could be timestamp or any long string. eg: ts=thesoer
3. Generate a MD5 hash of ts+privatekey+publickey through code or preferrably online. eg: md5(ts + privKey + pubKey) For md5 hash: http://www.md5.cz/
4. Join the dots. URL?ts=val&apikey=key&hash=md5Hash. eg. https://gateway.marvel.com:443/v1/public/characters?ts=thesoer&apikey=001ac6c73378bbfff488a36141458af2&hash=72e5ed53d1398abb831c3ceec263f18b

Add a pre-requisite script to your postman collection.

var pubkey = "your_public_key";
var pvtkey = "your_private_key";
var ts = new Date().getTime();

pm.environment.set("ts", ts)
pm.environment.set("apikey", pubkey)

var message = ts+pvtkey+pubkey;
var a = CryptoJS.MD5(message);
pm.environment.set("hash", a.toString())

And then you can make your calls like such

https://gateway.marvel.com/v1/public/characters?ts={{ts}}&apikey={{apikey}}&hash={{hash}}

See this collection.

Regarding your authorized domains, add your public IP.