HMAC-SHA authentication

v5.1.2 2015-04-30 07:51 UTC

This package is not auto-updated.

Last update: 2022-11-26 07:03:43 UTC


A PHP 5.4+ port of the Signature ruby gem

Build Status Code Coverage Scrutinizer Code Quality


Add philipbrown/signature-php as a requirement to composer.json:

$ composer require philipbrown/signature-php

What is HMAC-SHA authentication?

HMAC-SHA authentication allows you to implement very simple key / secret authentication for your API using hashed signatures.

Making a request

use PhilipBrown\Signature\Token;
use PhilipBrown\Signature\Request;

$data    = ['name' => 'Philip Brown'];
$token   = new Token('abc123', 'qwerty');
$request = new Request('POST', 'users', $data);

$auth = $request->sign($token);

$http->post('users', array_merge($auth, $data));

Authenticating a response

use PhilipBrown\Signature\Auth;
use PhilipBrown\Signature\Token;
use PhilipBrown\Signature\Guards\CheckKey;
use PhilipBrown\Signature\Guards\CheckVersion;
use PhilipBrown\Signature\Guards\CheckTimestamp;
use PhilipBrown\Signature\Guards\CheckSignature;
use PhilipBrown\Signature\Exceptions\SignatureException;

$auth  = new Auth('POST', 'users', $_POST, [
	new CheckKey,
	new CheckVersion,
	new CheckTimestamp,
	new CheckSignature

$token = new Token('abc123', 'qwerty');

try {

catch (SignatureException $e) {
    // return 4xx

Changing the default HTTP request prefix

By default, this package uses auth_* in requests. You can change this behaviour when signing and and authenticating requests:

// default, the HTTP request uses auth_version, auth_key, auth_timestamp and auth_signature
// the HTTP request now uses x-version, x-key, x-timestamp and x-signature
$request->sign($token, 'x-');

If you changed the default, you will need to authenticate the request accordingly:

$auth->attempt($token, 'x-');