4.0.0 2017-05-04 01:36 UTC


PHP implementation of HTTP Signatures draft specification; allowing cryptographic signing and verifying of PSR7 messages.

See also:


Add 99designs/http-signatures to your composer.json.

Configure a context with your algorithm, keys, headers to sign. This is best placed in an application startup file.

use HttpSignatures\Context;

$context = new Context([
  'keys' => ['examplekey' => 'secret-key-here'],
  'algorithm' => 'hmac-sha256',
  'headers' => ['(request-target)', 'Date', 'Accept'],

If there's only one key in the keys hash, that will be used for signing. Otherwise, specify one via 'signingKeyId' => 'examplekey'.


A message is assumed to be a PSR-7 compatible request or response object.

Signing a message


Now $message contains the signature headers:

// keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

// Signature keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

Verifying a signed message

$context->verifier()->isValid($message); // true or false

Symfony compatibility

Symfony requests normalize query strings which means the resulting request target can be incorrect. See https://github.com/symfony/psr-http-message-bridge/pull/30

When creating PSR-7 requests you use withRequestTarget to ensure the request target is correct. For example

use Symfony\Bridge\PsrHttpMessage\Factory\HttpFoundationFactory;
use Symfony\Component\HttpFoundation\Request;

$symfonyRequest = Request::create('/foo?b=1&a=2');
$psrRequest = (new HttpFoundationFactory())


Pull Requests are welcome.


HTTP Signatures is licensed under The MIT License (MIT).