Has anyone successfully called an API using Hawk Authentication in Make?

Hi all,

I’m currently trying to integrate with an API that uses Hawk Authentication .

I couldn’t find any documentation on Make natively supporting Hawk, so I’ve set up a Cloudflare Worker to generate the Hawk Authorization header dynamically.

My flow works like this:

1 - Make calls the Cloudflare Worker to generate the Hawk header.
2 - The Worker returns the Authorization header string.
3 - It then pass the Authorization header into a standard Make HTTP module to call the API.

The Cloudflare Worker is generating valid headers. I’ve confirmed that when I copy the exact Authorization header from the Worker response into Postman, the API call succeeds perfectly.

However, when I attempt the same request through Make, I keep getting:

401 Unauthorized

I’ve verified:

  • The URI signed and the request URL match exactly.
  • I’m passing the Hawk header as a dynamic value.
  • Query parameters are being sent using the query string field.
  • The request is being executed immediately after generating the header.

At this point, I am not sure what else to try. Has anyone here successfully called an API using Hawk authentication within Make?

Any help is greatly appreciated.

Hi! Welcome to the Community!

From what I can find out, I think you’re the first to try this. Congratulations! :wink:

Can you share more details on how you created the Hawk Authentication request MAC in Make?

Hi David,

That’s unfortunate. I was hoping someone else had already accomplished this and my research skills were lacking! :grinning_face_with_smiling_eyes:

As I mentioned, I’ve been unable to generate the MAC directly inside Make. Instead, I’ve offloaded this to a Cloudflare Worker.

The flow I’m using in Make is:

1 - First HTTP module calls the Cloudflare Worker, which generates the Hawk Authorization header (with timestamp, nonce, and MAC calculated).
2 - The Worker returns the full Authorization header string.
3 - The second HTTP module then calls the API, injecting the Authorization header received from the first.

Does Make change anything when handling query string serialization or headers, It’s the only possibility I can think of as to why this isn’t working?

Appreciate you taking the time to reply.

I see. And you’re 100% certain that the calculated Authorization string is correct?

One other thing you could do is to use the Make DevTool to analyze the content of the exact API call that your second HTTP module is making.

There are a couple of alternative strategies you could follow, avoiding the need to use an external service like Cloudflare (though it would still be best to diagnose the existing problem first!):

  • If you were using a Make Enterprise plan (which I’m guessing is not the case) you could create a Custom Function using JavaScript to calculate the MAC
  • You could build a Custom App for the API you’re accessing. Custom apps can use Custom IML Functions, which you write in JavaScript.

Hi David,

Thank you again; I appreciate your suggestions.

You’re probably right that the issue is related to how the Cloudflare Worker signs the request compared to how Make sends it. I’ve double-checked the URI, method, and query string handling, but I couldn’t resolve the 401 error.

Just to make sure I’m understanding correctly, are the Custom Function and Custom App suggestions meant as two separate options, or is the Custom App route only viable if you’re on the Enterprise plan?

From what I’ve read in the Make documentation, IML in Custom Apps only supports JavaScript built-in objects and Buffer, which seems to rule out using external libraries like hawk. I also noticed that Custom IML Functions aren’t available by default and require contacting support to enable them. Given that, and the fact that we’re not on the Enterprise plan, I just wanted to confirm, are there any viable paths to implement Hawk signing logic in a Custom App using only IML, or is this realistically only possible with Enterprise-level access?

Thanks again for your help

Custom Functions are only available on the Enterprise plan. Custom Apps are available on all plans (even Free).

IML Functions in Custom Apps do need to be requested, but requests are almost always granted.

I hadn’t realized you were using an external library though … that’s not possible with either route sadly.