0Pricing
Cryptology Academy · Lesson

HMAC in APIs: Request Signing

Implement HMAC-based request signing and replay-attack prevention.

Welcome

HMAC-based request signing is used by AWS, GitHub, Stripe, and Twilio to authenticate API calls. In this lesson we build a complete request signing system.

Why API Request Signing?

API keys in URLs can be logged in proxy servers, browser history, and server logs. Request signing includes the full request body in the MAC — ensuring the payload wasn't modified and the key isn't exposed alone.

All lessons in this course

  1. MAC Concepts & Length-Extension Attacks
  2. HMAC Construction & Security Proof
  3. HMAC in APIs: Request Signing
  4. CMAC & Poly1305: Block-Cipher MACs
← Back to Cryptology Academy