When  using the DocumentDB REST API one of the required parameters is the Authorization Token.

The token format is <span></span>type={typeoftoken}&ver={tokenversion}&sig={hashsignature}

The required values are

  • typeoftoken – denotes the type of token: master or resource.
  • tokenversion – denotes the version of the token, currently 1.0
  • hashsignature –  denotes the hashed token signature.

An example would look like this:  <span></span>type=master&ver=1.0&sig=5mDuQBYA0kb70WDJoTUzSBMTG3owkC0/cEN4fqa18/s=

In order to create the Authorization Token, you need to construct the Hash Signature.

Creating an Authorization Token to be used in a Logic App

To generate the Authorization Token so it can be used in an Azure Logic App, you will need to create a API App Controller.

The following source code is an example of a Controller.

    public class AuthorizationController : ApiController
        private static readonly string UtcDate = DateTime.UtcNow.ToString("r");

        /// <summary>
        ///     Gets the authorization token for a DcoumentDB REST API method.
        /// </summary>
        /// <param name="verb">GET, POST, etc.</param>
        /// <param name="resourceId">The ResourceId portion of the string is the identity property of the resource that the request is directed at</param>
        /// <param name="resourceType">The ResourceType portion of the string identifies the type of resource that the request is for, Eg. "dbs", "colls", "docs"</param>
        /// <param name="key"></param>
        /// <param name="keyType"></param>
        /// <param name="tokenVersion">1.0</param>
        /// <returns>URI Encoded string</returns>
        [Metadata("GenerateAuthToken", "Gets the authorization token for a DcoumentDB REST API method.")]
        [SwaggerResponse(HttpStatusCode.OK, type: typeof (string))]
        [SwaggerResponse(HttpStatusCode.InternalServerError, "Internal Server Operation Error")]
        public string GenerateAuthToken(
            [Metadata("verb", "GET, POST, etc.")] string verb,
                "Contains the relative path of the resource, as derived using the URI format. E.g. 'dbs/MyDatabase/colls/MyCollection/docs/MyDocument'"
                )] string resourceId,
                "Identifies the type of resource that the request is for, Eg. 'dbs', 'colls', 'docs'")] string
            [Metadata("key", "DocumentDB Account Primary key")] string key,
            [Metadata("keyType", "master")] string keyType,
            [Metadata("tokenVersion", "1.0")] string tokenVersion)
            const string authorizationFormat = "type={0}&ver={1}&sig={2}";

            var hmacSha256 = new HMACSHA256 {Key = Convert.FromBase64String(key)};

            if (verb == null) return null;
            if (resourceType == null) return null;
            var payLoad = string.Format(InvariantCulture,

            var hashPayLoad = hmacSha256.ComputeHash(Encoding.UTF8.GetBytes(payLoad));
            var signature = Convert.ToBase64String(hashPayLoad);

                HttpUtility.UrlEncode(str: string.Format(InvariantCulture,

In addition to the authorization token, you will need to create the x-ms-date header parameter.

The x-ms-date value is in the UTC (Coordinated Universal Time) format. An example is Mon, 26 Mar 2007 04:17:04 GMT

The following code can be added to the AuthorizationController.  This will return the current UTC Time value.

        /// <summary>
        /// Gets the current UTC Date value
        /// </summary>
        /// <returns></returns>
        [Metadata("GetUtcDate", "Gets the current UTC Date value.")]
        [SwaggerResponse(HttpStatusCode.OK, type: typeof (string))]
        [SwaggerResponse(HttpStatusCode.InternalServerError, "Internal Server Operation Error")]
        public string GetUtcDate()
            return DateTime.UtcNow.ToString("r");


  • The GenerateAuthToken operation will generate a valid Authorization Token
  • The x-ms-date value is required and can be generated using the GetUtcDate operation
  • Both of the operations can be called from a Logic App
  • The code can also be used in any client application.