PHPackages corgspace/hmac-http-client - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. [HTTP & Networking](/categories/http) 4. / 5. corgspace/hmac-http-client ActiveLibrary[HTTP & Networking](/categories/http) corgspace/hmac-http-client ========================== HMAC-signed HTTP client middleware for Laravel server-to-server APIs v0.1.0(1mo ago)03MITPHPPHP ^8.2CI passing Since Apr 18Pushed 1mo agoCompare [ Source](https://github.com/CorgSpace/hmac-http-client)[ Packagist](https://packagist.org/packages/corgspace/hmac-http-client)[ Docs](https://github.com/CorgSpace/hmac-http-client)[ RSS](/packages/corgspace-hmac-http-client/feed)WikiDiscussions main Synced 1w ago READMEChangelog (1)Dependencies (10)Versions (2)Used By (0) hmac-http-client ================ [](#hmac-http-client) [![Latest Version on Packagist](https://camo.githubusercontent.com/47a041a6154749151019d1b1bba0b171b3463932124e851664746218921fa38b/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f636f726773706163652f686d61632d687474702d636c69656e742e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/corgspace/hmac-http-client)[![Tests](https://camo.githubusercontent.com/5c25ea7720b70713a185fdc8712ce1b5da338f3336b1481bf250504483880d94/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f616374696f6e732f776f726b666c6f772f7374617475732f436f726753706163652f686d61632d687474702d636c69656e742f74657374732e796d6c3f6272616e63683d6d61696e266c6162656c3d7465737473267374796c653d666c61742d737175617265)](https://github.com/CorgSpace/hmac-http-client/actions/workflows/tests.yml)[![Total Downloads](https://camo.githubusercontent.com/eb7920368e40cd40025134c4256b25db84f2f6a4aa474222809de7b8a347bf7c/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f636f726773706163652f686d61632d687474702d636c69656e742e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/corgspace/hmac-http-client) Laravel package that adds HMAC-signed HTTP requests to the built-in HTTP client via an `Http::hmac('service_name')` macro. Each outgoing request gets `X-Key-Id`, `X-Timestamp`, `X-Nonce`, and `X-Signature` headers added automatically; the caller supplies `X-Idempotency-Key` and the body. Install ------- [](#install) ``` composer require corgspace/hmac-http-client php artisan vendor:publish --tag=hmac-http-client-config ``` Configure --------- [](#configure) Add a service to `config/hmac-http-client.php`: ``` 'services' => [ 'example_api' => [ 'base_url' => env('EXAMPLE_API_URL'), 'key_id' => env('EXAMPLE_API_KEY_ID'), 'secret' => env('EXAMPLE_API_SECRET'), 'secret_encoding' => env('EXAMPLE_API_SECRET_ENCODING', 'base64'), ], ], ``` `.env`: ``` EXAMPLE_API_URL=https://api.example.com EXAMPLE_API_KEY_ID=my-app-prod EXAMPLE_API_SECRET= ``` `secret_encoding` is `base64` (default), `hex`, or `raw`. Decoded secret must be at least 32 bytes. Use --- [](#use) ``` use Illuminate\Support\Facades\Http; $response = Http::hmac('example_api') ->withHeaders(['X-Idempotency-Key' => $operationId]) ->post('/v1/resource', [ 'external_ref' => $externalId, 'source' => 'direct', ]); if ($response->successful()) { $data = $response->json(); } ``` The macro returns a `PendingRequest` with `acceptJson()->asJson()` already applied. Chain any normal HTTP client method after `Http::hmac(...)`. **The caller must set `X-Idempotency-Key`.** It is part of the signed canonical and should be meaningful to the upstream (a webhook event ID, a logical operation ID, etc.). For read-only calls with no natural key, generate a fresh UUID per call. Retries ------- [](#retries) Laravel's built-in retry re-signs on every attempt — fresh nonce and timestamp, same idempotency key: ``` Http::hmac('example_api') ->withHeaders(['X-Idempotency-Key' => $operationId]) ->retry(3, 100) ->post('/v1/resource', $payload); ``` Canonical string format ----------------------- [](#canonical-string-format) For implementers of the verifier side, or anyone debugging a signature mismatch: ``` {METHOD}\n{REQUEST_TARGET}\n{TIMESTAMP}\n{NONCE}\n{IDEMPOTENCY_KEY}\n{hex(sha256(BODY))} ``` - No trailing newline. Separators are single `\n` (0x0A), never `\r\n`. - `METHOD` uppercased. - `REQUEST_TARGET` is the full request target as it appears on the wire — path plus query string, in the exact order the client sends it. Matches PSR-7's `RequestInterface::getRequestTarget()`. Examples: `/v1/users`, `/v1/search?q=widget&sort=asc`. Empty targets are normalized to `/` by PSR-7. - `BODY` is the raw request body bytes. Empty body hashes to `e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855`. - Signature is `base64(hmac_sha256(canonical, secret_bytes))`. Verifier must read the request target from the same source (e.g. the raw request line) and apply the same method-case rules. Any reordering or reformatting of query parameters on either side will invalidate the signature. Testing ------- [](#testing) ``` composer test # phpunit composer analyse # phpstan (level max, larastan) composer format-test # pint --test ``` `composer format` applies pint fixes in place. Changelog --------- [](#changelog) See [CHANGELOG](CHANGELOG.md) for a list of recent changes. Contributing ------------ [](#contributing) Contributions are welcome. Please open an issue or pull request at [github.com/CorgSpace/hmac-http-client](https://github.com/CorgSpace/hmac-http-client). Run `composer test`, `composer analyse`, and `composer format-test` before submitting. Security -------- [](#security) If you discover a security vulnerability, please report it privately via GitHub's [private vulnerability reporting](https://github.com/CorgSpace/hmac-http-client/security/advisories/new) rather than opening a public issue. See [SECURITY.md](SECURITY.md) for details. License ------- [](#license) MIT — see [LICENSE](LICENSE). ### Health Score 35 — LowBetter than 77% of packages Maintenance89 Actively maintained with recent releases Popularity3 Limited adoption so far Community8 Small or concentrated contributor base Maturity36 Early-stage or recently created project Bus Factor1 Top contributor holds 66.7% of commits — single point of failure How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Unknown Total 1 Last Release 53d ago ### Community Maintainers ![](https://www.gravatar.com/avatar/6f59a30a316b6e7f20e8d4a86857942ac1d43d01f9bc77c5b5e1847d45d32ee3?d=identicon)[ohiader](/maintainers/ohiader) --- Top Contributors [![ohiader](https://avatars.githubusercontent.com/u/21202712?v=4)](https://github.com/ohiader "ohiader (2 commits)")[![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?v=4)](https://github.com/dependabot[bot] "dependabot[bot] (1 commits)") --- Tags guzzlehmachttp-clientlaravelmiddlewarephpmiddlewareapilaravelhttp clientGuzzlesigninghmac ### Code Quality TestsPHPUnit Static AnalysisPHPStan Code StyleLaravel Pint ### Embed Badge ![Health badge](/badges/corgspace-hmac-http-client/health.svg) ``` [![Health](https://phpackages.com/badges/corgspace-hmac-http-client/health.svg)](https://phpackages.com/packages/corgspace-hmac-http-client) ``` ### Alternatives [aws/aws-sdk-php AWS SDK for PHP - Use Amazon Web Services in your PHP project 6.3k532.1M2.5k](/packages/aws-aws-sdk-php)[tempest/framework The PHP framework that gets out of your way. 2.2k31.1k11](/packages/tempest-framework)[spatie/laravel-export Create a static site bundle from a Laravel app 670139.5k6](/packages/spatie-laravel-export)[psalm/plugin-laravel Psalm plugin for Laravel 3325.1M337](/packages/psalm-plugin-laravel)[api-platform/laravel API Platform support for Laravel 59156.3k10](/packages/api-platform-laravel)[onlime/laravel-http-client-global-logger A global logger for the Laravel HTTP Client 2037.5k](/packages/onlime-laravel-http-client-global-logger) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)