guardian / hmac-headers

Scala utility for signing and verifying HMAC signatures passed in HTTP headers
Apache License 2.0
9 stars 2 forks source link


hmac-headers is a Scala utility for signing and verifying HMAC signatures passed in a header in a HTTP request. Given a secret key shared between the client and the server, hmac-headers can do the following:


In your build.sbt:

libraryDependencies += "" %% "hmac-headers" % "<version>" // find the latest version by checking this repo's tags


Testing locally

You can publish locally by running:

# Test your signing setup works (you may need to follow the guide below first)
sbt +publishLocalSigned

# Publish locally so that other projects can use your local ivy repository
sbt +publishLocal

Get access to publish

You will need to have access to publish to Maven Central for assets. You can follow this guide to get access.

Update the version

When you are ready to release, ensure that version.sbt is updated and committed in the default branch (main) with an appropriate version bump following semver.

Tag and release

This will create & push the appropriate version tag for you:

sbt release

Verifying requests


val authorization = // extract HMAC from header
val date = // extract date from header
val uri = new URI(request.uri) // extract the URI from the request

hmacService.validateHMACHeaders(date, authorization, uri)) // returns a Boolean

Signing requests


val hmacHeaders = hmac.createHMACHeaderValues(new URI(""))
// Add headers to your request as appropriate, e.g. in Play
  .withHeaders(HeaderNames.DATE ->, HeaderNames.AUTHORIZATION -> hmacHeaders.token)