Postman Collection

Testing tools for the signed CRUD and validation APIs.

Collection folders
GET {{ baseUrl }}/api/categories?application_id={{ applicationId }}&per_page=15 Categories folder
GET {{ baseUrl }}/api/tags?application_id={{ applicationId }}&per_page=15 Tags folder
GET {{ baseUrl }}/api/authors?application_id={{ applicationId }}&per_page=15 Authors folder
GET {{ baseUrl }}/api/series?application_id={{ applicationId }}&per_page=15 Series folder
POST {{ baseUrl }}/api/tags Error examples folder

Setup & Configuration

Signed API rule: one application maps to one language. Do not switch locales manually in Postman; the server remaps translatable payloads to the authenticated application's language.
Environment Variables

  • baseUrl / base_url
    Central Blogs base URL for signed API requests
  • applicationId / application_id
    Tenant application ID used in CRUD requests
  • applicationKey / application_key
    Real application key copied from the tenant configuration
  • secretKey / secret_key
    Local Postman helper value used to compute X-Signature
  • timestamp / signature
    Generated automatically for each signed request
  • requestId / runId
    Unique request helper for sample payloads and slugs
Headers & Authentication

Required signed headers:
X-Application-Key / X-Timestamp / X-Signature
Optional Postman helper:
secretKey / secret_key
Content type:
application/json
Test Scripts Included
  • Automatic HMAC signature generation for signed requests
  • JWT structure validation and claims verification
  • Automated response status checks
  • Error response validation
Tip: Use modern snake_case SEO fields in your main requests: meta_title, meta_description, min_description. Legacy hyphenated aliases are still accepted for backward compatibility.

Full collection map

Signed API model
  • Creates runId once per collection run so names, slugs, and emails stay unique.
  • Reads applicationKey and secretKey from Postman variables.
  • Builds the payload as METHOD, path, timestamp, and raw body.
  • Computes X-Signature with HMAC-SHA256 and injects X-Timestamp and X-Signature automatically.
Environment variables
baseUrl / base_url
Central Blogs base URL for signed API requests
applicationId / application_id
Tenant application ID used in CRUD requests
applicationKey / application_key
Real application key copied from the tenant configuration
secretKey / secret_key
Local Postman helper value used to compute X-Signature
timestamp / signature
Generated automatically for each signed request
requestId / runId
Unique request helper for sample payloads and slugs
seriesId
Stores the created series id for later requests
seriesBlogId1 / seriesBlogId2 / seriesBlogId3
Blog ids used in the series samples
otherApplicationBlogId
Cross-application blog fixture for the rejection example
Categories

CRUD requests plus the legacy SEO alias example.

5 requests
GET
List Categories
@{{ baseUrl }}/api/categories?application_id=@{{ applicationId }}&per_page=15
POST
Create Category
@{{ baseUrl }}/api/categories
PUT
Update Category
@{{ baseUrl }}/api/categories/@{{ categoryId }}
DELETE
Delete Category
@{{ baseUrl }}/api/categories/@{{ categoryId }}
POST
Create Category - Legacy SEO Keys
@{{ baseUrl }}/api/categories
Backward compatibility example using hyphenated SEO aliases.
Tags

CRUD requests plus the legacy SEO alias example.

5 requests
GET
List Tags
@{{ baseUrl }}/api/tags?application_id=@{{ applicationId }}&per_page=15
POST
Create Tag
@{{ baseUrl }}/api/tags
PUT
Update Tag
@{{ baseUrl }}/api/tags/@{{ tagId }}
DELETE
Delete Tag
@{{ baseUrl }}/api/tags/@{{ tagId }}
POST
Create Tag - Legacy SEO Keys
@{{ baseUrl }}/api/tags
Backward compatibility example using hyphenated SEO aliases.
Authors

List, create, show, update, and delete author requests.

5 requests
GET
List Authors
@{{ baseUrl }}/api/authors?application_id=@{{ applicationId }}&per_page=15
POST
Create Author
@{{ baseUrl }}/api/authors
GET
Show Author
@{{ baseUrl }}/api/authors/@{{ authorId }}
PUT
Update Author
@{{ baseUrl }}/api/authors/@{{ authorId }}
DELETE
Delete Author
@{{ baseUrl }}/api/authors/@{{ authorId }}
Series

Series lifecycle plus duplicate and cross-application validation cases.

8 requests
GET
List Series
@{{ baseUrl }}/api/series?application_id=@{{ applicationId }}&per_page=15
POST
Create Series
@{{ baseUrl }}/api/series
GET
Show Series
@{{ baseUrl }}/api/series/@{{ seriesId }}?application_id=@{{ applicationId }}
PUT
Update Series
@{{ baseUrl }}/api/series/@{{ seriesId }}
DELETE
Delete Series
@{{ baseUrl }}/api/series/@{{ seriesId }}?application_id=@{{ applicationId }}
POST
Create Series - Duplicate Blog Validation
@{{ baseUrl }}/api/series
The same blog cannot appear twice in one Series payload.
POST
Create Series - Duplicate Sort Order Validation
@{{ baseUrl }}/api/series
Series items must have unique sort_order values within one Series.
POST
Create Series - Cross Application Blog Rejected
@{{ baseUrl }}/api/series
A Series item must reference a blog from the authenticated application only.
Error Examples

Validation, forbidden, not found, and invalid signature examples.

4 requests
POST
Validation Error 422
@{{ baseUrl }}/api/tags
Sends an invalid payload so the API returns a validation error.
POST
Forbidden Application Mismatch 403
@{{ baseUrl }}/api/categories
Uses a valid signature with a different application_id.
GET
Resource Not Found 404
@{{ baseUrl }}/api/tags/999999
Targets a non-existent resource id with a valid signature.
GET
Invalid Signature 401
@{{ baseUrl }}/api/blogs?application_id=@{{ applicationId }}
Disables the helper secret and keeps a bad signature header.