3.1.1 2017-01-18 21:59 UTC


PHP implementation of HTTP Signatures draft specification; allowing cryptographic signing and verifying of PSR7 messages.

See also:


Add 99designs/http-signatures to your composer.json.

Configure a context with your algorithm, keys, headers to sign. This is best placed in an application startup file.

use HttpSignatures\Context;

$context = new Context([
  'keys' => ['examplekey' => 'secret-key-here'],
  'algorithm' => 'hmac-sha256',
  'headers' => ['(request-target)', 'Date', 'Accept'],

If there's only one key in the keys hash, that will be used for signing. Otherwise, specify one via 'signingKeyId' => 'examplekey'.


A message is assumed to be a PSR-7 compatible request or response object.

Signing a message


Now $message contains the signature headers:

// keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

// Signature keyId="examplekey",algorithm="hmac-sha256",headers="...",signature="..."

Verifying a signed message

$context->verifier()->isValid($message); // true or false

Symfony Integration

Also included is a HttpMessageFactory class for converting Symfony Request objects into PSR-7 compatible messages.

$symfonyRequest = \Symfony\Component\HttpFoundation\Request::create('/foo');
$psr7Factory = new \HttpSignatures\HttpMessageFactory();
$psrRequest = $psr7Factory->createRequest($symfonyRequest);


Pull Requests are welcome.


HTTP Signatures is licensed under The MIT License (MIT).