🔑JWT & Auth

HMAC Request Signature

Securing API requests with a calculated HMAC-SHA256 signature.

Explanation

Signature verification lets the receiver confirm that a request has not been tampered with in transit and was sent by a party that holds the shared secret.

Examples

Signature Shell
Output
X-Signature: 7f83b... (hex HMAC-SHA256 of the body, keyed with the shared secret)

Code Examples

Node.js
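const crypto = require('crypto');

// Shared secret known to both the client and the server.
const secret = 'your_shared_secret';
// Constructed sample payload standing in for the request body being sent.
const requestBody = { item: 'example', quantity: 1 };
// Serialize once and send exactly these bytes, so the receiver hashes the same string.
const body = JSON.stringify(requestBody);
// Hex-encoded HMAC-SHA256 of the body, keyed with the shared secret.
const signature = crypto.createHmac('sha256', secret)
  .update(body)
  .digest('hex');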

💡 Tips

  • Include a timestamp in the signed data to prevent replay attacks
  • Sign the method, URL, and body for maximum security
  • Use a constant-time comparison for verifying signatures
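
One way a receiver could apply the three tips above together. This is an added example, not code from the original page; the canonical string layout, the field names on `req`, and the 300-second window are assumptions.

```javascript
const crypto = require('crypto');

const MAX_SKEW_SECONDS = 300; // assumed replay window, not a value from the page

// Assumed canonical layout: timestamp, method, URL and raw body joined by newlines.
// The body goes last because it is the only field that may itself contain newlines.
function canonicalString(timestamp, method, url, rawBody) {
  return [timestamp, method.toUpperCase(), url, rawBody].join('\n');
}

// Client side: hex HMAC-SHA256 over the canonical string.
function signRequest(secret, timestamp, method, url, rawBody) {
  return crypto.createHmac('sha256', secret)
    .update(canonicalString(timestamp, method, url, rawBody))
    .digest('hex');
}

// Server side: true only for a fresh timestamp and a matching signature.
// req = { timestamp, signature, method, url, rawBody } (hypothetical shape).
function verifyRequest(secret, req, nowSeconds) {
  // Reject missing or malformed timestamps before doing any arithmetic on them.
  if (typeof req.timestamp !== 'string' || !/^\d+$/.test(req.timestamp)) return false;
  if (Math.abs(nowSeconds - Number(req.timestamp)) > MAX_SKEW_SECONDS) return false;

  // A SHA-256 MAC is exactly 64 hex characters; anything else cannot match.
  if (typeof req.signature !== 'string' || !/^[0-9a-f]{64}$/i.test(req.signature)) return false;

  // Recompute over the raw body as received, never over a re-serialized object.
  const expected = Buffer.from(
    signRequest(secret, req.timestamp, req.method, req.url, req.rawBody), 'hex');
  const received = Buffer.from(req.signature, 'hex');

  // timingSafeEqual throws on unequal lengths; the check above guarantees 32 bytes each.
  return crypto.timingSafeEqual(expected, received);
}

// Constructed sample request, signed and verified at the same instant.
const sample = { timestamp: '1700000000', method: 'POST', url: '/v1/orders', rawBody: '{"id":42}' };
sample.signature = signRequest('constructed-secret', sample.timestamp, sample.method, sample.url, sample.rawBody);
console.log('valid request accepted:', verifyRequest('constructed-secret', sample, 1700000000));
console.log('replayed later accepted:', verifyRequest('constructed-secret', sample, 1700000900));
```
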

⚠️ Common Pitfalls

  • If the secret is leaked, anyone can sign requests