First, I want to say that our mechanism works for "GET" calls, where we are not submitting data. However, on making a POST call using the same hashing routine we have developed, and using the following signature data:
(request-target): post /v1/cases
host: rms-world-check-one-api-pilot.thomsonreuters.com
date: Wed, 28 Sep 2016 14:26:28 GMT
content-type: application/json
content-length: 191
We are not able to authenticate successfully. All we have done is adapt the routine to add the current content type and content length of the request to the hash computation, so the existing working computation should work fine. We have verified that the content-type header matches what is submitted (it does) and that the content-length header matches what is in the signature and also matches the size of the request body (191 bytes); the API call is posting the correct JSON.
Here are the HTTP headers in question:
Request: POST /cases
cache-control: no-cache
content-type: application/json
content-length: 191
authorization: Signature keyId="{key}",algorithm="hmac-sha256",headers="(request-target) host date content-type content-length",signature="{signature}"
date: Wed, 28 Sep 2016 14:26:28 GMT
Accept: application/json
Any ideas?
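An added example, not part of the original post and not the API vendor's code: it builds the signing string for the header list shown in the authorization header and checks what is signed against what is actually sent. It assumes the generic HTTP Signature convention (one lowercase `name: value` line per listed header, in the listed order, joined by newlines); the secret, the body and the `preflight` helper are constructed for illustration, and any further POST-specific requirement of this API is not stated on the page.

```python
import base64, hashlib, hmac

SIGNED = ["(request-target)", "host", "date", "content-type", "content-length"]
BODY = b'{"note":"' + b"x" * 180 + b'"}'  # constructed 191-byte JSON body
HEADERS = {  # header values as quoted in the post
    "Host": "rms-world-check-one-api-pilot.thomsonreuters.com",
    "Date": "Wed, 28 Sep 2016 14:26:28 GMT",
    "Content-Type": "application/json",
    "Content-Length": "191",
}
SECRET = b"constructed-secret"  # placeholder, not a real key

def signing_string(method, path, headers, signed):
    """One 'name: value' line per entry in `signed`, in that order,
    lowercase names, joined by '\\n' with no trailing newline."""
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    lines = []
    for name in signed:
        if name == "(request-target)":
            lines.append(f"(request-target): {method.lower()} {path}")
        else:
            lines.append(f"{name}: {lower[name]}")  # KeyError: listed but not sent
    return "\n".join(lines)

def sign(secret, text):
    """Base64 of HMAC-SHA256 over the signing string."""
    mac = hmac.new(secret, text.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(mac).decode("ascii")

def preflight(path, headers, signed, body, signed_path):
    """List mismatches between what was signed and what goes on the wire."""
    lower = {k.lower(): v for k, v in headers.items()}
    problems = []
    if path != signed_path:
        problems.append("request-target path differs from request path")
    if "content-length" in lower and int(lower["content-length"]) != len(body):
        problems.append("content-length differs from body byte count")
    problems += [f"signed header not sent: {h}" for h in signed
                 if h != "(request-target)" and h not in lower]
    return problems

if __name__ == "__main__":
    text = signing_string("POST", "/v1/cases", HEADERS, SIGNED)
    print(text)
    print(sign(SECRET, text))
    print(preflight("/v1/cases", HEADERS, SIGNED, BODY, "/v1/cases"))
```

Logging the exact signing string and comparing it byte for byte with the request the HTTP client really sends (path, header values, body length after encoding) is usually the quickest way to localise a signature mismatch.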