How Hashing Works
AutoProctor uses HMAC with SHA-256 for authentication. This page explains the key concepts and shows you how to compute the hash values you'll need.
Key Concepts
- Test Attempt: AutoProctor's basic unit of storage. Every proctored test maps to a test attempt. For example, if you have 5 candidates and each of them attempts 2 separate tests, these correspond to 10 different test attempts.
- testAttemptId: Each test attempt is identified by a unique testAttemptId. Pass the unique identifier from your system — the ID stored in your database — as this parameter.
- hashedTestAttemptId: AutoProctor runs in the browser, so you cannot include your CLIENT_SECRET in frontend code — it would be visible to anyone inspecting network requests. Instead, your backend computes a SHA-256 HMAC hash of the testAttemptId using the CLIENT_SECRET as the key, and passes it to the frontend. AutoProctor holds a copy of your CLIENT_SECRET and computes the same hash server-side to verify the request.
NEVER expose CLIENT_SECRET in frontend code. The docs compute hashes client-side for demonstration purposes only. In production, always compute hashes on your backend server.
How It Works
Your CLIENT_SECRET is the HMAC key, and the relevant parameter (e.g. testAttemptId) is the message. Every request must also carry your CLIENT_ID. For example, a request to fetch results for a testAttemptId includes:
- CLIENT_ID
- testAttemptId
- Hash (HMAC) of testAttemptId
Given any message, the hash is the HMAC-SHA-256 of that message, computed with the CLIENT_SECRET as the HMAC key.
Client Libraries for Calculating the Hash
The following editor shows how to calculate the hash of the Test Attempt ID in several languages.
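A backend-side version of this computation in Python, added here as an example and not AutoProctor's own code. The function names are hypothetical, and the output encoding is an assumption: this page does not say whether the hash is sent as hex or base64, so both are offered and the choice should be confirmed against the expected output.

```python
import base64
import hashlib
import hmac


def hashed_test_attempt_id(client_secret, test_attempt_id, encoding="hex"):
    """Return HMAC-SHA-256(key=CLIENT_SECRET, message=testAttemptId)."""
    if not client_secret:
        raise ValueError("CLIENT_SECRET is empty")
    # Database IDs are often integers; hash the string form so the bytes
    # match the testAttemptId value the frontend sends.
    message = str(test_attempt_id).encode("utf-8")
    key = client_secret.encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    # Assumption: output encoding is not specified on this page.
    if encoding == "hex":
        return digest.hex()
    if encoding == "base64":
        return base64.b64encode(digest).decode("ascii")
    raise ValueError("encoding must be 'hex' or 'base64'")


def hash_matches(client_secret, test_attempt_id, presented, encoding="hex"):
    """Recompute the hash and compare in constant time, as a verifier would."""
    expected = hashed_test_attempt_id(client_secret, test_attempt_id, encoding)
    return hmac.compare_digest(expected.encode("utf-8"), presented.encode("utf-8"))


if __name__ == "__main__":
    # Constructed values; load the real CLIENT_SECRET from server-side config.
    secret = "constructed-demo-secret"
    attempt_id = 1042
    value = hashed_test_attempt_id(secret, attempt_id)
    print("hashedTestAttemptId:", value)
    print("verifies:", hash_matches(secret, attempt_id, value))
    # A hash issued for one attempt does not validate a different attempt ID.
    print("other ID verifies:", hash_matches(secret, 1043, value))
```

Only the returned hash leaves the backend; the secret stays in server-side configuration.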
Compute SHA-256 HMAC
Use this tool to calculate and verify hashes for different messages (test attempt IDs, in this case). Enter your values to confirm that the hash your backend computes matches the expected output.