Sign a Payload with HMAC
The REST_API license is required to create and use keys without policy.
HMAC (Hash-based Message Authentication Code) is a mechanism that uses a cryptographic hash function and a secret cryptographic key to verify both the data integrity and the authenticity of a message. HMAC can be used with any iterative cryptographic hash function, such as SHA-256, in combination with a secret shared key.
Create HMAC Key
POST: /v1/key
Description: Create key request.
Replace <keyname> as needed. The password is optional and can be deleted completely.
{
  "label": "<keyname>",
  "password": null,
  "algorithm": "HMACSHA256",
  "attributes": {
    "sign": true,
    "extractable": false,
    "modifiable": false,
    "destroyable": false,
    "sensitive": true,
    "decrypt": false,
    "unwrap": false
  }
}
Sign a Payload
POST: /v1/synchronousHmac
Description: Contains a sign request without metadata.
hmacRequest.payload = the data to be signed. It must be Base64-encoded.
hmacRequest.keyName = the key to be used for signing.
Replace <keyname> with the name of your key.
{
  "hmacRequest": {
    "keyName": "<keyname>",
    "payload": "YXNk"
  }
}
Response
{
  "keyedHash": "D8xCI255hjQf+x4cfO3l97WC8K+Lg+ARiXHMkvGAGOU="
}
Verify HMAC Signature
POST: /v1/verify
Description: Verify the HMAC signature of a payload.
Replace the signature with the HMAC from the previous response and set the payload to the initial payload.
{
  "verifyHmacRequest": {
    "keyName": "<keyname>",
    "payload": "YXNk",
    "signature": "D8xCI255hjQf+x4cfO3l97WC8K+Lg+ARiXHMkvGAGOU="
  }
}
Response
{
  "signatureValid": true
}
This documentation provides step-by-step instructions for creating an HMAC key, signing a payload using the HMAC key, and verifying the HMAC signature using REST API endpoints.
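The sign and verify calls above as a client-side sketch in Python. This is an added example, not part of the original documentation or the product's own code. The `post` transport, `fake_service`, the key name `demo-key` and its secret are hypothetical and constructed so the flow runs offline; it also assumes the service computes HMAC-SHA256 over the decoded payload bytes.

```python
import base64
import hashlib
import hmac

# Constructed stand-in for the service-side key store. The real key is created
# with "extractable": false, so a client never holds this value.
_DEMO_KEYS = {"demo-key": b"constructed-secret-for-offline-run"}


def _mac(req):
    # Assumption: the service computes HMAC-SHA256 over the decoded payload bytes.
    data = base64.b64decode(req["payload"], validate=True)
    return hmac.new(_DEMO_KEYS[req["keyName"]], data, hashlib.sha256).digest()


def fake_service(path, body):
    """Hypothetical offline model of /v1/synchronousHmac and /v1/verify."""
    if path == "/v1/synchronousHmac":
        return {"keyedHash": base64.b64encode(_mac(body["hmacRequest"])).decode()}
    if path == "/v1/verify":
        req = body["verifyHmacRequest"]
        given = base64.b64decode(req["signature"], validate=True)
        return {"signatureValid": hmac.compare_digest(_mac(req), given)}
    raise ValueError("unknown path: " + path)


def sign_request(key_name, data):
    """Build the sign body; raw bytes are Base64-encoded as the API requires."""
    payload = base64.b64encode(data).decode("ascii")
    return {"hmacRequest": {"keyName": key_name, "payload": payload}}


def sign(post, key_name, data):
    tag = post("/v1/synchronousHmac", sign_request(key_name, data))["keyedHash"]
    # An HMACSHA256 tag must decode to exactly 32 bytes; reject anything else.
    if len(base64.b64decode(tag, validate=True)) != hashlib.sha256().digest_size:
        raise ValueError("unexpected tag length")
    return tag


def verify(post, key_name, data, tag):
    body = {"verifyHmacRequest": {"keyName": key_name,
                                  "payload": base64.b64encode(data).decode("ascii"),
                                  "signature": tag}}
    # Fail closed: only a literal JSON true counts as a valid signature.
    return post("/v1/verify", body).get("signatureValid") is True
```

Against a real deployment, `post` would be an authenticated HTTPS call that returns the parsed JSON response; the request bodies stay the same.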