Issue Generating Valid SAS Token for Azure Service Bus Using Postman - Receiving 401 SubCode=40103 Error

Question

Issue Generating Valid SAS Token for Azure Service Bus Using Postman - Receiving 401 SubCode=40103 Error

David Blaszyk 0

I am experiencing persistent issues when attempting to generate and use a SAS token for Azure Service Bus via Postman. The token generation script runs without errors in Postman's pre-request script, but when sending a POST request to the /messages endpoint, I receive a 401 SubCode=40103: Invalid authorization token signature response. This occurs on a newly created namespace, while the same script works on an older namespace.

Steps to Reproduce:

Set up environment variables in Postman for namespace, shared access key name, shared access key, and entity path (a queue).
Use a pre-request script to generate the SAS token using CryptoJS.HmacSHA256, with proper URI encoding, newline in string-to-sign, and base64 parsing of the key.
Send a POST request to https://{namespace}.servicebus.windows.net/{queue}/messages with Authorization: {{sasToken}} and Content-Type: application/json, body {"body": "test message"}.
Observe the 401 SubCode=40103 error.

What I've Tried:

Verified the SAS token generation with newline in string-to-sign, base64 key parsing, and 1-hour TTL with buffer.
Ensured TLS 1.2 in Postman settings.
Used entity URI for sr parameter in the token.
Tested with a temporary queue and namespace-level policy with Send rights.
Confirmed key length (44 chars) and parsed bytes (32).
The script logs show successful token creation, but the request fails.

Environment:

Postman Desktop App (latest version as of September 18, 2025).
Azure Service Bus Standard tier.
REST API endpoint for sending messages.

Requested Assistance: Please advise if SAS tokens for REST API are still supported in 2025, or if there's a deprecation affecting new namespaces. If supported, what configuration issues could cause this 401 SubCode=40103 error, and how can I resolve it? Any recommended alternate methods for authentication in Postman would be helpful. Thank you for your support.I am experiencing persistent issues when attempting to generate and use a SAS token for Azure Service Bus via Postman. The token generation script runs without errors in Postman's pre-request script, but when sending a POST request to the /messages endpoint, I receive a 401 SubCode=40103: Invalid authorization token signature response. This occurs on a newly created namespace, while the same script works on an older namespace.

Steps to Reproduce:

Set up environment variables in Postman for namespace, shared access key name, shared access key, and entity path (a queue).
Use a pre-request script to generate the SAS token using CryptoJS.HmacSHA256, with proper URI encoding, newline in string-to-sign, and base64 parsing of the key.
Send a POST request to https://{namespace}.servicebus.windows.net/{queue}/messages with Authorization: {{sasToken}} and Content-Type: application/json, body {"body": "test message"}.
Observe the 401 SubCode=40103 error.

What I've Tried:

Verified the SAS token generation with newline in string-to-sign, base64 key parsing, and 1-hour TTL with buffer.
Ensured TLS 1.2 in Postman settings.
Used entity URI for sr parameter in the token.
Tested with a temporary queue and namespace-level policy with Send rights.
Confirmed key length (44 chars) and parsed bytes (32).
The script logs show successful token creation, but the request fails.

Environment:

Postman Desktop App (latest version as of September 18, 2025).
Azure Service Bus Standard tier.
REST API endpoint for sending messages.

Requested Assistance: Please advise if SAS tokens for REST API are still supported in 2025, or if there's a deprecation affecting new namespaces. If supported, what configuration issues could cause this 401 SubCode=40103 error, and how can I resolve it? Any recommended alternate methods for authentication in Postman would be helpful. Thank you for your support.

Rupesh Asati 865 Reputation points Microsoft External Staff Moderator

2025-09-18T14:25:01.89+00:00
Hello David Blaszyk

Thanks for reaching out on Microsoft Q&A and really appreciate your patience while we looked into this.

From your description, we are sorry to hear you're running into an issue, receiving a 401 SubCode=40103: Invalid authorization token signature error when attempting to use a Shared Access Signature (SAS) token for Azure Service Bus via Postman. This error indicates that the SAS token's signature is invalid or improperly formatted.

Steps to verify:

Incorrect String-to-Sign Construction: Ensure the string-to-sign is formatted correctly, including the correct newline characters and proper encoding. Any deviation can cause the signature to be invalid.

Improper URI Encoding: Special characters in the SAS token, such as +, /, and =, should be URL-encoded to prevent misinterpretation by browsers or HTTP clients. For instance, + should be encoded as %2B.

Mismatch Between SAS Key Name and Key: Verify that the SAS key name (sasKeyName) and the corresponding SAS key (sasKey) match the values configured in the Azure portal.

Incorrect Permissions: Ensure that the SAS token has the necessary permissions to perform the desired operation. For sending messages, the SAS token should have Send permissions.

Key Format Issues: Confirm that the SAS key is in the correct format. It should be a Base64-encoded string. Any formatting issues can lead to signature mismatches

Reference: https://free.blessedness.top/en-us/azure/service-bus-messaging/service-bus-sas

If issue still persists. Please help me with the following information:

The exact string-to-sign used.

The SAS token generated (excluding the actual key).

The permissions associated with the SAS token.

Any relevant logs or error messages.

I hope the provided answer is helpful, do let me know if you have any further questions on this.

Thanks

David Blaszyk 0

There are no log / errors message besides what I gave to you in the title. I can provide the complete unit tester but will do so from a support ticket on my Azure Portal instance.

Here is the code, without the access key:

// Postman Pre-Request Script Method to Parse Connection String and Generate SAS Token
// Embed this function in your pre-request script
// Use: const sasToken = parseAndGenerateSasToken(connectionString, entityPath);
// Set pm.environment.set('sasToken', sasToken);

// Function to parse connection string and generate SAS token
function parseAndGenerateSasToken(connectionString, entityPath, ttl = 3600) {
    try {
        console.log("[DEBUG] Starting connection string parsing and SAS token generation");

        // Parse the connection string
        const parts = connectionString.split(';');
        const endpointPart = parts.find(p => p.startsWith("Endpoint="));
        const saNamePart = parts.find(p => p.startsWith("SharedAccessKeyName="));
        const saKeyPart = parts.find(p => p.startsWith("SharedAccessKey="));

        if (!endpointPart || !saNamePart || !saKeyPart) {
            throw new Error("Invalid connection string: Missing Endpoint, SharedAccessKeyName, or SharedAccessKey");
        }

        // Extract values
        const endpoint = endpointPart.split('=')[1];
        const saName = saNamePart.split('=')[1];
        const saKey = saKeyPart.split('=')[1];

        // Derive namespace from endpoint (remove 'sb://' and trailing '/')
        const namespace = endpoint.replace('sb://', '').replace(/\/$/, '');

        console.log(`[DEBUG] Parsed namespace: ${namespace}`);
        console.log(`[DEBUG] Parsed saName: ${saName}`);
        console.log(`[DEBUG] Parsed saKey length: ${saKey.length}`); // Avoid logging full key

        // Construct entity URI for SAS token (sr parameter)
        const uri = `https://${namespace}/${entityPath}`;

        console.log(`[DEBUG] Constructed URI: ${uri}`);

        // Generate SAS token
        const encoded = encodeURIComponent(uri);
        console.log(`[DEBUG] Encoded URI: ${encoded}`);
        const expiry = Math.floor(Date.now() / 1000) + ttl + 300; // Buffer for clock skew
        console.log(`[DEBUG] Expiry timestamp: ${expiry}`);
        const stringToSign = encoded + '\n' + expiry;
        console.log(`[DEBUG] String to sign (raw): "${stringToSign}"`); // Verify \n
        console.log(`[DEBUG] String to sign (split): [${stringToSign.split('\n')}]`); // Confirm split

        // Parse base64-encoded key to bytes
        const parsedKey = CryptoJS.enc.Base64.parse(saKey);
        console.log(`[DEBUG] Parsed key length (bytes): ${parsedKey.sigBytes}`); // Should be 32

        // Compute HMAC-SHA256
        const hmac = CryptoJS.HmacSHA256(stringToSign, parsedKey);
        const hashInBase64 = CryptoJS.enc.Base64.stringify(hmac);
        const encodedSignature = encodeURIComponent(hashInBase64);

        const token = `SharedAccessSignature sr=${encoded}&sig=${encodedSignature}&se=${expiry}&skn=${saName}`;
        console.log(`[DEBUG] Final SAS token: ${token}`);
        return token;
    } catch (error) {
        console.error(`[ERROR] SAS token generation failed: ${error.message}`);
        return null;
    }
}

// Example usage with your connection string
const connectionString = "Endpoint=sb:{namespace}.servicebus.windows.net/;SharedAccessKeyName=SendAccessPolicy;SharedAccessKey=";
const entityPath = "testrun"; // Your queue or topic name
const sasToken = parseAndGenerateSasToken(connectionString, entityPath);
if (sasToken) {
    pm.environment.set("sasToken", sasToken);
    console.log("[DEBUG] SAS token set successfully");
} else {
    console.error("[ERROR] Failed to generate SAS token");
}

// Use in request: Authorization: {{sasToken}}

Rakesh Mishra 2,265 Microsoft External Staff Moderator

Hi David Blaszyk, Thank you for the details. It really helped to understand the scenario.

Could you please try below in order and let us know the findings here or in Private Messages.

Modify Pre-Request Script Method
- Remove const parsedKey = CryptoJS.enc.Base64.parse(saKey); in your pre-request script. Directly pass saKey to CryptoJS.HmacSHA256(stringToSign, parsedKey); as shown below.
```
   // Use the base64 key string as-is (do NOT base64-decode it)
   const parsedKey = saKey; // keep the base64 text string
   // Compute HMAC-SHA256 using the key string (or use Utf8.parse if preferred)
   const hmac = CryptoJS.HmacSHA256(stringToSign, parsedKey);
   const hashInBase64 = CryptoJS.enc.Base64.stringify(hmac);
   const hashInBase64 = CryptoJS.HmacSHA256(
```
- Alternatively, CryptoJS.HmacSHA256(stringToSign, CryptoJS.enc.Utf8.parse(saKey)) is also fine - but do not use CryptoJS.enc.Base64.parse(saKey). That decoding is the common cause of an invalid signature.
If the token still fails, check for Local Authentication in the Azure Portal.
1. In Azure Portal go to the Service Bus namespace (the new namespace).
2. On the namespace page, look at Overview / Essentials — find the Local Authentication / Local auth value (it shows Enabled or Disabled).
3. If Local Authentication is Disabled, SAS tokens will be rejected (see step 3).
4. If Local Authentication is Enabled, continue to step 4 below.

If Local Authentication is Disabled
If the portal shows Local Authentication = Disabled, SAS will be rejected. You have two choices:

Re-enable Local Authentication
1. In the namespace page, find the Local Authentication setting (Overview / Essentials or the Local Authentication link).
2. Change it to Enabled.
3. Re-run your Postman test (with the code change from step 1).

Use Azure AD (Service Principal) instead If you prefer to keep local auth disabled (more secure), switch your Postman flow to use Azure AD client_credentials (service principal). Steps summary:

Create an App Registration and client secret (or use existing).
Assign the app the Azure Service Bus Data Sender role on the namespace (IAM → Add role assignment).
In Postman set environment vars tenantId, clientId, clientSecret, (optional scope = https://servicebus.azure.net/.default).
Paste the client_credentials into Postman Pre-request Script below.

      // Postman Pre-request Script: AAD client_credentials for Service Bus (v2.0)
      // Requires env vars: tenantId, clientId, clientSecret
      // Optional: scope (defaults to https://servicebus.azure.net/.default)
      
      (function() {
        const tokenEnv = 'aadAccessToken';
        const expiryEnv = 'aadAccessTokenExpiry'; // unix seconds
        const expiresInEnv = 'aadAccessTokenExpiresIn';
      
        const tenantId = pm.environment.get('tenantId');
        const clientId = pm.environment.get('clientId');
        const clientSecret = pm.environment.get('clientSecret');
        const scope = pm.environment.get('scope') || 'https://servicebus.azure.net/.default';
      
        if (!tenantId || !clientId || !clientSecret) {
          console.error('Missing one or more required environment variables: tenantId, clientId, clientSecret');
          return;
        }
      
        const now = Math.floor(Date.now()/1000);
        const cached = pm.environment.get(tokenEnv);
        const expiry = parseInt(pm.environment.get(expiryEnv) || '0', 10);
      
        // If token exists and is valid for > 60s, reuse
        if (cached && expiry - now > 60) {
          // token still valid
          return;
        }
      
        // Acquire token (v2.0 endpoint using scope)
        const tokenUrl = `https://login.microsoftonline.com/${tenantId}/oauth2/v2.0/token`;
        const body = `client_id=${encodeURIComponent(clientId)}&client_secret=${encodeURIComponent(clientSecret)}&scope=${encodeURIComponent(scope)}&grant_type=client_credentials`;
      
        pm.sendRequest({
          url: tokenUrl,
          method: 'POST',
          header: {
            'Content-Type': 'application/x-www-form-urlencoded'
          },
          body: {
            mode: 'raw',
            raw: body
          },
          timeout: 20000
        }, function (err, res) {
          if (err) {
            console.error('AAD token request failed:', err);
            return;
          }
      
          if (!res || res.code !== 200) {
            console.error('AAD token request returned non-200. Code:', res && res.code, 'Body:', res && res.text());
            return;
          }
      
          try {
            const j = res.json();
            const accessToken = j.access_token;
            const expiresIn = parseInt(j.expires_in || '3599', 10);
            const expiryTs = Math.floor(Date.now()/1000) + expiresIn;
      
            pm.environment.set(tokenEnv, accessToken);
            pm.environment.set(expiryEnv, expiryTs);
            pm.environment.set(expiresInEnv, expiresIn);
      
            console.log(`Fetched new AAD token; expires in ${expiresIn}s (at ${expiryTs})`);
          } catch (e) {
            console.error('Failed parsing AAD token response:', e);
          }
        });
      })();

Use header: Authorization: Bearer {{aadAccessToken}} for requests

If Local Authentication is Enabled but you still get 401 Check if an Azure Policy applied at creation time forced settings:
1. Portal → Subscriptions (or the Resource Group used to create the namespace) → Policy → Assignments.
2. Search assignments for anything referencing Service Bus, disableLocalAuth, or names like “disable local auth” / “Service Bus security”.
3. If you find a policy that mentions disableLocalAuth or a policy that looks relevant, use Azure AD (Service Principal) mentioned above.
If all of the above still does not fix it - share below in private messages.
1. The exact stringToSign printed by your script (this is NOT secret). Example: https%3A%2F%2Fns.servicebus.windows.net%2FqueueName\n1700000000
2. One example generated token (redact secret characters): SharedAccessSignature sr=...&sig=ABCD***XYZ%3D&se=1700000000&skn=SendAccessPolicy
  - Keep the token structure and length, just replace the middle of the sig/key with ***.
3. The 401 response headers (copy/paste response headers: TrackingId, Timestamp, WWW-Authenticate, etc.).

David Blaszyk 0

Is this the corrected changes, something does not seem right with this:

        // Compute HMAC-SHA256
        const hmac = CryptoJS.HmacSHA256(stringToSign, parsedKey);
        const hashInBase64 = CryptoJS.enc.Base64.stringify(hmac);
        const encodedSignature = encodeURIComponent(hashInBase64);

        const token = `SharedAccessSignature sr=${encoded}&sig=${encodedSignature}&se=${expiry}&skn=${saName}`;
        console.log(`[DEBUG] Final SAS token: ${token}`);

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.

Rakesh Mishra 2,265 Microsoft External Staff Moderator

Hi David Blaszyk,

Please try with below code mentioned in Step1(my last response above) and please follow the next suggestions. Please let me know the findings to assist you further on this.

Reference: https://medium.com/javarevisited/send-message-to-azure-service-bus-via-postman-using-sas-token-in-1-step-a845686baad0

Here is the full modified code

// Postman Pre-Request Script Method to Parse Connection String and Generate SAS Token
// Embed this function in your pre-request script
// Use: const sasToken = parseAndGenerateSasToken(connectionString, entityPath);
// Set pm.environment.set('sasToken', sasToken);
// Function to parse connection string and generate SAS token
function parseAndGenerateSasToken(connectionString, entityPath, ttl = 3600) {
    try {
        console.log("[DEBUG] Starting connection string parsing and SAS token generation");
        // Parse the connection string
        const parts = connectionString.split(';');
        const endpointPart = parts.find(p => p.startsWith("Endpoint="));
        const saNamePart = parts.find(p => p.startsWith("SharedAccessKeyName="));
        const saKeyPart = parts.find(p => p.startsWith("SharedAccessKey="));
        if (!endpointPart || !saNamePart || !saKeyPart) {
            throw new Error("Invalid connection string: Missing Endpoint, SharedAccessKeyName, or SharedAccessKey");
        }
        // Extract values
        const endpoint = endpointPart.split('=')[1];
        const saName = saNamePart.split('=')[1];
        const saKey = saKeyPart.split('=')[1];
        // Derive namespace from endpoint (remove 'sb://' and trailing '/')
        const namespace = endpoint.replace('sb://', '').replace(/\/$/, '');
        console.log(`[DEBUG] Parsed namespace: ${namespace}`);
        console.log(`[DEBUG] Parsed saName: ${saName}`);
        console.log(`[DEBUG] Parsed saKey length: ${saKey.length}`); // Avoid logging full key
        // Construct entity URI for SAS token (sr parameter)
        const uri = `https://${namespace}/${entityPath}`;
        console.log(`[DEBUG] Constructed URI: ${uri}`);
        // Generate SAS token
        const encoded = encodeURIComponent(uri);
        console.log(`[DEBUG] Encoded URI: ${encoded}`);
        const expiry = Math.floor(Date.now() / 1000) + ttl + 300; // Buffer for clock skew
        console.log(`[DEBUG] Expiry timestamp: ${expiry}`);
        const stringToSign = encoded + '\n' + expiry;
        console.log(`[DEBUG] String to sign (raw): "${stringToSign}"`); // Verify \n
        console.log(`[DEBUG] String to sign (split): [${stringToSign.split('\n')}]`); // Confirm split
        // --- MINIMAL CHANGE: DO NOT base64-decode the key before HMAC ---
        // Use the base64 key string as the HMAC key (treat it as UTF-8 bytes)
        
        const parsedKey = CryptoJS.enc.Utf8.parse(saKey);
        // Compute HMAC-SHA256
        const hmac = CryptoJS.HmacSHA256(stringToSign, parsedKey);
        const hashInBase64 = CryptoJS.enc.Base64.stringify(hmac);
        const encodedSignature = encodeURIComponent(hashInBase64);
        const token = `SharedAccessSignature sr=${encoded}&sig=${encodedSignature}&se=${expiry}&skn=${saName}`;
        console.log(`[DEBUG] Final SAS token: ${token}`);
        return token;
    } catch (error) {
        console.error(`[ERROR] SAS token generation failed: ${error.message}`);
        return null;
    }
}
// Example usage with your connection string
const connectionString = "Endpoint=sb://SERVICEBUS-NAME.servicebus.windows.net/;SharedAccessKeyName=SendAccessPolicy;SharedAccessKey=";
const entityPath = "testrun"; // Your queue or topic name
const sasToken = parseAndGenerateSasToken(connectionString, entityPath);
if (sasToken) {
    pm.environment.set("sasToken", sasToken);
    console.log("[DEBUG] SAS token set successfully");
} else {
    console.error("[ERROR] Failed to generate SAS token");
}
// Use in request: Authorization: {{sasToken}}

Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Rakesh Mishra 2,265 Reputation points Microsoft External Staff Moderator

2025-09-23T04:56:55.54+00:00

Hi David Blaszyk, I have reached out to you over private message. Could you please check and share the requested information.

David Blaszyk 0

I did figure this out, my string parsing was incorrect, here is a snapshot of the updated code:

// Postman Pre-Request Script Method to Parse Connection String and Generate SAS Token
// Embed this function in your pre-request script
// Use: const sasToken = parseAndGenerateSasToken(connectionString, entityPath);
// Set pm.environment.set('sasToken', sasToken);
// Function to parse connection string and generate SAS token
function parseAndGenerateSasToken(connectionString, entityPath, ttl = 3600) {
    try {
        console.log("[DEBUG] Starting connection string parsing and SAS token generation");
        // Parse the connection string
        const parts = connectionString.split(';');
        const endpointPart = parts.find(p => p.startsWith("Endpoint="));
        const saNamePart = parts.find(p => p.startsWith("SharedAccessKeyName="));
        const saKeyPart = parts.find(p => p.startsWith("SharedAccessKey="));
        if (!endpointPart || !saNamePart || !saKeyPart) {
            throw new Error("Invalid connection string: Missing Endpoint, SharedAccessKeyName, or SharedAccessKey");
        }
        // Extract values
        // ISSUE: split('=')[1] can fail if value contains '=', truncating base64 keys.
        // FIX: Use substring after first '=' to preserve full value including padding.
        const endpoint = endpointPart.substring(endpointPart.indexOf('=') + 1);
        const saName = saNamePart.substring(saNamePart.indexOf('=') + 1);
        const saKey = saKeyPart.substring(saKeyPart.indexOf('=') + 1);
        // Derive namespace from endpoint (remove 'sb://' and trailing '/')
        const namespace = endpoint.replace('sb://', '').replace(/\/$/, '');
        console.log(`[DEBUG] Parsed namespace: ${namespace}`);
        console.log(`[DEBUG] Parsed saName: ${saName}`);
        console.log(`[DEBUG] Parsed saKey length: ${saKey.length}`); // Avoid logging full key
        // Construct entity URI for SAS token (sr parameter)
        // ISSUE: Always uses constructed URI, which may not match the actual request resource, causing 401.
        // FIX: Derive from request URL to ensure sr matches the POST target.
        const requestUrl = pm.request && pm.request.url ? pm.request.url.toString() : '';
        const requestBase = requestUrl ? requestUrl.split('?')[0].replace(/\/$/, '').replace(/\/messages$/, '') : '';
        const uri = requestBase || `https://${namespace}/${entityPath}`;
        console.log(`[DEBUG] Constructed URI: ${uri}`);
        // Generate SAS token
        const encoded = encodeURIComponent(uri);
        console.log(`[DEBUG] Encoded URI: ${encoded}`);
        const expiry = Math.floor(Date.now() / 1000) + ttl + 300; // Buffer for clock skew
        console.log(`[DEBUG] Expiry timestamp: ${expiry}`);
        const stringToSign = encoded + '\n' + expiry;
        console.log(`[DEBUG] String to sign (raw): "${stringToSign}"`); // Verify \n
        console.log(`[DEBUG] String to sign (split): [${stringToSign.split('\n')}]`); // Confirm split
        // --- MINIMAL CHANGE: DO NOT base64-decode the key before HMAC ---
        // ISSUE: Parsing the key as UTF-8 decodes it, but Azure requires the raw base64 string for HMAC.
        // FIX: Use saKey directly (raw base64 string) as the HMAC key.
        // const parsedKey = CryptoJS.enc.Utf8.parse(saKey);
        // Compute HMAC-SHA256
        const hmac = CryptoJS.HmacSHA256(stringToSign, saKey);
        const hashInBase64 = CryptoJS.enc.Base64.stringify(hmac);
        const encodedSignature = encodeURIComponent(hashInBase64);
        const token = `SharedAccessSignature sr=${encoded}&sig=${encodedSignature}&se=${expiry}&skn=${saName}`;
        console.log(`[DEBUG] Final SAS token: ${token}`);
        return token;
    } catch (error) {
        console.error(`[ERROR] SAS token generation failed: ${error.message}`);
        return null;
    }
}
// Example usage with your connection string
const connectionString = "Endpoint=sb://SERVICEBUS-NAME.servicebus.windows.net/;SharedAccessKeyName=SendAccessPolicy;SharedAccessKey=";
const entityPath = "testrun"; // Your queue or topic name
const sasToken = parseAndGenerateSasToken(connectionString, entityPath);
if (sasToken) {
    pm.environment.set("sasToken", sasToken);
    console.log("[DEBUG] SAS token set successfully");
} else {
    console.error("[ERROR] Failed to generate SAS token");
}
// Use in request: Authorization: {{sasToken}}

1 answer

Your answer

Rupesh Asati 865 Reputation points Microsoft External Staff Moderator

2025-09-18T14:25:01.89+00:00

Hello David Blaszyk

Thanks for reaching out on Microsoft Q&A and really appreciate your patience while we looked into this.

From your description, we are sorry to hear you're running into an issue, receiving a 401 SubCode=40103: Invalid authorization token signature error when attempting to use a Shared Access Signature (SAS) token for Azure Service Bus via Postman. This error indicates that the SAS token's signature is invalid or improperly formatted.

Steps to verify:

Incorrect String-to-Sign Construction: Ensure the string-to-sign is formatted correctly, including the correct newline characters and proper encoding. Any deviation can cause the signature to be invalid.

Improper URI Encoding: Special characters in the SAS token, such as +, /, and =, should be URL-encoded to prevent misinterpretation by browsers or HTTP clients. For instance, + should be encoded as %2B.

Mismatch Between SAS Key Name and Key: Verify that the SAS key name (sasKeyName) and the corresponding SAS key (sasKey) match the values configured in the Azure portal.

Incorrect Permissions: Ensure that the SAS token has the necessary permissions to perform the desired operation. For sending messages, the SAS token should have Send permissions.

Key Format Issues: Confirm that the SAS key is in the correct format. It should be a Base64-encoded string. Any formatting issues can lead to signature mismatches

Reference: https://free.blessedness.top/en-us/azure/service-bus-messaging/service-bus-sas

If issue still persists. Please help me with the following information:

The exact string-to-sign used.

The SAS token generated (excluding the actual key).

The permissions associated with the SAS token.

Any relevant logs or error messages.

I hope the provided answer is helpful, do let me know if you have any further questions on this.

Thanks
David Blaszyk 0 Reputation points

2025-09-19T15:12:38.0866667+00:00

Is this the corrected changes, something does not seem right with this:

// Compute HMAC-SHA256 const hmac = CryptoJS.HmacSHA256(stringToSign, parsedKey); const hashInBase64 = CryptoJS.enc.Base64.stringify(hmac); const encodedSignature = encodeURIComponent(hashInBase64); const token = `SharedAccessSignature sr=${encoded}&sig=${encodedSignature}&se=${expiry}&skn=${saName}`; console.log(`[DEBUG] Final SAS token: ${token}`);
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Rakesh Mishra 2,265 Reputation points Microsoft External Staff Moderator

2025-09-23T04:56:55.54+00:00

Hi David Blaszyk, I have reached out to you over private message. Could you please check and share the requested information.

Answer 1

Here is a complete solution that allows one to use Postman environment variables, put this in a Package library within Postman:

// acornsoft-unit-testing.js
// Custom Postman library for Acornsoft unit testing utilities
// Includes SAS token generation for Azure Service Bus

const CryptoJS = require('crypto-js');

/**
 * Parses an Azure Service Bus connection string into its components.
 * @param {string} connStr - The connection string
 * @returns {object} - { endpoint, keyName, keyValue }
 */
function parseConnectionString(connStr) {
    const parts = (connStr || '').split(';').filter(Boolean);
    const map = {};
    for (const p of parts) {
        const idx = p.indexOf('=');
        if (idx > -1) {
            const key = p.substring(0, idx);
            const val = p.substring(idx + 1); // Preserve '=' padding
            map[key] = val;
        }
    }
    return {
        endpoint: (map.Endpoint || '').trim(),
        keyName: (map.SharedAccessKeyName || '').trim(),
        keyValue: (map.SharedAccessKey || '').trim()
    };
}

/**
 * Derives the resource URI for SAS signing.
 * @param {string} requestUrl - The request URL
 * @param {string} namespace - Namespace
 * @param {string} entityPath - Entity path
 * @returns {string} - Resource URI
 */
function deriveResource(requestUrl, namespace, entityPath) {
    if (requestUrl) {
        const base = requestUrl.split('?')[0].replace(/\/$/, '').replace(/\/messages$/, '');
        if (base) return base;
    }
    return `https://${namespace}/${entityPath}`;
}

/**
 * Generates a Service Bus SAS token.
 * @param {string} resource - Resource URI
 * @param {string} keyName - Key name
 * @param {string} keyValue - Key value
 * @param {number} ttl - TTL
 * @returns {string} - SAS token
 */
function generateSasToken(resource, keyName, keyValue, ttl = Math.round(Date.now() / 1000) + 60 * 60 * 24 * 7) {
    const encodedResource = encodeURIComponent(resource);
    const stringToSign = `${encodedResource}\n${ttl}`;
    const sig = CryptoJS.HmacSHA256(stringToSign, keyValue).toString(CryptoJS.enc.Base64);
    return `SharedAccessSignature sr=${encodedResource}&sig=${encodeURIComponent(sig)}&se=${ttl}&skn=${keyName}`;
}

/**
 * Generates SAS from connection string.
 * @param {string} connStr - Connection string
 * @param {string} requestUrl - Request URL
 * @param {string} entityPath - Entity path
 * @param {number} ttl - TTL
 * @returns {string|null} - SAS token
 */
function generateFromConnectionString(connStr, requestUrl, entityPath, ttl) {
    const { endpoint, keyName, keyValue } = parseConnectionString(connStr);
    if (!endpoint || !keyName || !keyValue) return null;

    const namespace = endpoint.replace('sb://', '').replace(/\/$/, '');
    const resource = deriveResource(requestUrl, namespace, entityPath);
    if (!resource) return null;

    return generateSasToken(resource, keyName, keyValue, ttl);
}

/**
 * Sets up Postman variables and generates SAS token for Service Bus requests.
 * This function parses the connection string, sets serviceBusNamespace and entityPath variables,
 * and generates the SAS token using the request URL.
 * @param {string} connStr - Connection string
 * @param {string} entityPath - Entity path (optional, will be set as variable)
 * @param {number} ttl - TTL (optional)
 * @returns {string|null} - SAS token
 */
function setupAndGenerateSas(connStr, entityPath, ttl) {
    if (!connStr) return null;

    // Parse connection string
    const { endpoint, keyName, keyValue } = parseConnectionString(connStr);
    if (!endpoint || !keyName || !keyValue) return null;

    // Extract namespace
    const namespace = endpoint.replace('sb://', '').replace('.servicebus.windows.net/', '').replace(/\/$/, '');

    // Set variables for URL resolution
    pm.variables.set('serviceBusNamespace', namespace);
    if (entityPath) {
        pm.variables.set('entityPath', entityPath);
    }

    // Generate SAS using resolved request URL
    const requestUrl = resolvePostmanVariables(pm.request.url.toString());
    return generateFromConnectionString(connStr, requestUrl, entityPath || pm.variables.get('entityPath'), ttl);
}

/**
 * Resolves Postman variables in a URL string.
 * @param {string} url - URL with {{variables}}
 * @returns {string} - URL with variables resolved
 */
function resolvePostmanVariables(url) {
    return url.replace(/\{\{([^}]+)\}\}/g, (match, varName) => {
        const value = pm.variables.get(varName) || pm.environment.get(varName) || pm.globals.get(varName);
        return value || match; // Keep as-is if not found
    });
}

// Export functions
module.exports = {
    parseConnectionString,
    deriveResource,
    generateSasToken,
    generateFromConnectionString,
    setupAndGenerateSas,
    resolvePostmanVariables
};

To use in a request here is an example how to leverage this library, which requires you to define (2) variables in Postman:

serviceBusConnectionString = "
entityPath = "someTopic" (or) "someQueue"

Put this in the POST Request.


// Load the library
const someLib = pm.require('@acornsoft365/acornsoft-unit-testing');

// Get inputs from Postman variables
const connStr = pm.variables.get('serviceBusConnectionString');
const entityPath = pm.variables.get('entityPath');
const requestUrl = pm.request.url.toString();

// Generate SAS token
const sasToken = someLib.generateFromConnectionString(connStr, requestUrl, entityPath);

if (sasToken) {
    pm.environment.set('sasToken', sasToken);
    console.log('SAS token generated successfully');
} else {
    console.error('Failed to generate SAS token');
}

Share via

Issue Generating Valid SAS Token for Azure Service Bus Using Postman - Receiving 401 SubCode=40103 Error

1 answer

Your answer