You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
Jean-Hugues de Raigniac 8d615eac2a
minor PEP 8 fixes, expired signature check (#26)
2 weeks ago
.github/workflows Allow missing created field (#23) 3 weeks ago
docs Add Sphinx docs for RTD 4 years ago
requests_http_signature minor PEP 8 fixes, expired signature check (#26) 2 weeks ago
test minor PEP 8 fixes, expired signature check (#26) 2 weeks ago
.gitignore Begin requests-http-signature 4 years ago
Changes.rst v0.2.0 9 months ago
LICENSE Begin requests-http-signature 4 years ago
Makefile Remove deprecated setuptools entrypoint of flake8 (#24) 3 weeks ago
README.rst Fix typo (#21) 9 months ago Use twine for uploading releases 9 months ago
setup.cfg Allow missing created field (#23) 3 weeks ago v0.2.0 9 months ago


requests-http-signature: A Requests auth module for HTTP Signature
**requests-http-signature** is a `Requests <>`_ `authentication plugin
<>`_ (``requests.auth.AuthBase`` subclass) implementing
the `IETF HTTP Signatures draft RFC <>`_. It has no
required dependencies outside the standard library. If you wish to use algorithms other than HMAC (namely, RSA and
ECDSA algorithms specified in the RFC), there is an optional dependency on
`cryptography <>`_.


$ pip install requests-http-signature


.. code-block:: python

import requests
from requests_http_signature import HTTPSignatureAuth

preshared_key_id = 'squirrel'
preshared_secret = 'monorail_cat'
url = ''

requests.get(url, auth=HTTPSignatureAuth(key=preshared_secret, key_id=preshared_key_id))

By default, only the ``Date`` header is signed (as per the RFC) for body-less requests such as GET. The ``Date`` header
is set if it is absent. In addition, for requests with bodies (such as POST), the ``Digest`` header is set to the SHA256
of the request body and signed (an example of this appears in the RFC). To add other headers to the signature, pass an
array of header names in the ``headers`` keyword argument.

In addition to signing messages in the client, the class method ``HTTPSignatureAuth.verify()`` can be used to verify
incoming requests:

.. code-block:: python

def key_resolver(key_id, algorithm):
return 'monorail_cat'

HTTPSignatureAuth.verify(request, key_resolver=key_resolver)

Asymmetric key algorithms (RSA and ECDSA)
For asymmetric key algorithms, you should supply the private key as the ``key`` parameter to the ``HTTPSignatureAuth()``
constructor as bytes in the PEM format:

.. code-block:: python

with open('key.pem', 'rb') as fh:
requests.get(url, auth=HTTPSignatureAuth(algorithm="rsa-sha256",, key_id=preshared_key_id))

When verifying, the ``key_resolver()`` callback should provide the public key as bytes in the PEM format as well.

* `IETF HTTP Signatures draft <>`_
* `Project home page (GitHub) <>`_
* `Documentation (Read the Docs) <>`_
* `Package distribution (PyPI) <>`_
* `Change log <>`_

Please report bugs, issues, feature requests, etc. on `GitHub <>`_.

Licensed under the terms of the `Apache License, Version 2.0 <>`_.

.. image::
.. image::
.. image::
.. image::
.. image::