HTTP Signature Debugger & Verifier

Use this tool to decode or generate HTTP Signatures for secure API requests.

Paste your HTTP Signature below to decode and verify it.

Or, create a new one by editing the fields and providing a secret.

---

Private and Secure: Fully client-side — nothing leaves your browser !

---

note

With HTTP Signature Authentication, the sender chooses which headers to sign, e.g:

headers="(request-target) date digest"

Those header values from the HTTP request become the signing string:

(request-target): get /api/data
date: Tue, 12 Mar 2024 18:30:00 GMT
digest: sha-256=47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=

The receiver must extract the same headers from the HTTP Request and rebuild the string-to-sign in order to verify the signature.

Since this page doesn’t accept HTTP requests, the values must be manually input.

This tool assumes you always want to set the digest header.

---

Try it Out!

Example Inputs

method          : POST
path            : /tedi/sqlintest/admin/reload
date            : Sun, 20 Apr 2025 03:02:55 GMT
digest          : sha-256=I3Xi+Yq9OwkHopQFCtdg8bjiBtJr7W2GVEsXJgaL/Wk=
headers-to-sign : (request-target) date digest
key-id          : tedi-20201211
hmac-secret     : supersecret123
body            : {"message" : "Hello HTTP Signature!"}
Authorization   : Signature keyId="tedi-20201211",algorithm="hmac-sha256",headers="(request-target) date digest",signature="9MPjOlvtnTi0l5OB3aoHUjHO1z7AdfhVak5HtTXWffY="

---

Create Signature
HTTP Method GET POST PUT DELETE PATCH HEAD HTTP Path Date (optional) Digest Header (optional) HTTP host (optional) Body (optional) Append newline before hashing body `	Headers to Sign Key ID Algorithm hmac-sha256 rsa-sha256 Secret (for HMAC) Private Key (for RSA) Public Key (for verification)
Generated Signature (Authorization Header) Signing String
Verify Signature Paste Authorization Header