PHPackages ipedis/http-signature - PHPackages - PHPackages [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register) 1. [Directory](/) 2. / 3. ipedis/http-signature ActiveLibrary ipedis/http-signature ===================== Library to generate http signature 3.0.0(3mo ago)07↑2471.4%1PHPPHP >=8.4.0CI passing Since Jun 5Pushed 1mo agoCompare [ Source](https://github.com/ipedis/http-signature)[ Packagist](https://packagist.org/packages/ipedis/http-signature)[ RSS](/packages/ipedis-http-signature/feed)WikiDiscussions master Synced 1mo ago READMEChangelogDependencies (4)Versions (10)Used By (1) HTTP Signature ============== [](#http-signature) [![CI](https://github.com/ipedis/http-signature/actions/workflows/ci.yml/badge.svg)](https://github.com/ipedis/http-signature/actions/workflows/ci.yml)[![Latest Version on Packagist](https://camo.githubusercontent.com/076c4c38d4c9df3d7a442e157ddb309c33290fd05250e9a7a924f5a5a48467b9/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f6970656469732f687474702d7369676e61747572652e737667)](https://packagist.org/packages/ipedis/http-signature)[![PHP Version](https://camo.githubusercontent.com/b97b049e80d0248f08a864e393803be14f91d74c0ed7f4f7a14064069375ebc7/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f7068702d762f6970656469732f687474702d7369676e61747572652e737667)](https://packagist.org/packages/ipedis/http-signature)[![License](https://camo.githubusercontent.com/d3bc3da0cdf03cffb543d135c96b652890b8a1d8702569128d850cd2753e3f8f/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f6c2f6970656469732f687474702d7369676e61747572652e737667)](https://packagist.org/packages/ipedis/http-signature) HMAC-SHA256 HTTP request signing and verification library for PHP. Signs outgoing PSR-7 requests and verifies incoming ones using a shared secret key, with built-in replay attack protection (60-second window). Installation ------------ [](#installation) ``` composer require ipedis/http-signature ``` Quick Start ----------- [](#quick-start) ### Sign outgoing requests (Guzzle middleware) [](#sign-outgoing-requests-guzzle-middleware) ``` use Ipedis\HttpSignature\HttpClient\HttpClient; class MyApiClient { use HttpClient; protected function getSignatureKey(): string { return 'your-shared-secret-key'; } } $client = new MyApiClient(); $response = $client->getClient()->post('https://api.example.com/webhook', [ 'json' => ['event' => 'user.created'], ]); // PS-Signature and PS-Timestamp headers are added automatically ``` ### Verify incoming requests [](#verify-incoming-requests) ``` use Ipedis\HttpSignature\Signature\Verifier; use Symfony\Component\HttpFoundation\Request; class WebhookController { use Verifier; protected function getSignatureKey(): string { return 'your-shared-secret-key'; } public function handle(Request $request): void { if (!$this->verify($request)) { throw new \RuntimeException('Invalid signature'); } // Request is authentic and recent (< 60 seconds) } } ``` Framework Integration --------------------- [](#framework-integration) The library provides injectable services as an alternative to traits, following each framework's dependency injection conventions. ### Symfony [](#symfony) The `SignedHttpClient` is a decorator that wraps any Symfony `HttpClientInterface` and automatically signs every outgoing request. **Register the services:** ``` # config/services.yaml services: Ipedis\HttpSignature\HttpClient\SignedHttpClient: arguments: $client: '@http_client' $signatureKey: '%env(HTTP_SIGNATURE_KEY)%' Ipedis\HttpSignature\Signature\SignatureVerifier: arguments: $signatureKey: '%env(HTTP_SIGNATURE_KEY)%' ``` **Sign outgoing requests:** ``` use Ipedis\HttpSignature\HttpClient\SignedHttpClient; class WebhookDispatcher { public function __construct(private SignedHttpClient $client) {} public function dispatch(string $url, array $payload): void { $this->client->request('POST', $url, [ 'json' => $payload, ]); // PS-Signature and PS-Timestamp headers are added automatically } } ``` **Verify incoming requests:** ``` use Ipedis\HttpSignature\Signature\SignatureVerifier; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\HttpFoundation\JsonResponse; class WebhookController { public function __construct(private SignatureVerifier $verifier) {} public function __invoke(Request $request): JsonResponse { if (!$this->verifier->verify($request)) { return new JsonResponse(['error' => 'Invalid signature'], 403); } // Process webhook... return new JsonResponse(['status' => 'ok']); } } ``` ### Laravel [](#laravel) The library ships with a service provider that auto-registers `SignedClientFactory` and `SignatureVerifier` as singletons. **Step 1 — Add your signature key to config:** ``` // config/services.php return [ // ... 'http_signature' => [ 'key' => env('HTTP_SIGNATURE_KEY'), ], ]; ``` **Step 2 — Register the service provider** (auto-discovered if using Laravel package discovery): ``` // bootstrap/providers.php (Laravel 11+) return [ // ... Ipedis\HttpSignature\Laravel\HttpSignatureServiceProvider::class, ]; ``` Or in `config/app.php` for older versions: ``` 'providers' => [ // ... Ipedis\HttpSignature\Laravel\HttpSignatureServiceProvider::class, ], ``` **Sign outgoing requests:** ``` use Ipedis\HttpSignature\HttpClient\SignedClientFactory; class WebhookDispatcher { public function __construct(private SignedClientFactory $factory) {} public function dispatch(string $url, array $payload): void { $client = $this->factory->create(); $client->post($url, [ 'json' => $payload, ]); // PS-Signature and PS-Timestamp headers are added automatically } } ``` **Verify incoming requests:** ``` use Ipedis\HttpSignature\Signature\SignatureVerifier; use Illuminate\Http\Request; use Illuminate\Http\JsonResponse; class WebhookController { public function __construct(private SignatureVerifier $verifier) {} public function __invoke(Request $request): JsonResponse { if (!$this->verifier->verify($request)) { return response()->json(['error' => 'Invalid signature'], 403); } // Process webhook... return response()->json(['status' => 'ok']); } } ``` How It Works ------------ [](#how-it-works) 1. A **signing string** is built: `METHOD.URL.TIMESTAMP.BODY` 2. An HMAC-SHA256 hash is computed using the shared secret 3. Two headers are added to the request: - `PS-Timestamp` — Unix timestamp - `PS-Signature` — 64-char hex HMAC hash 4. On verification, the signature is recomputed and compared using constant-time `hash_equals()` 5. Requests older than **60 seconds** are rejected (replay protection) API --- [](#api) ### Services (recommended) [](#services-recommended) ClassPurpose`HttpClient\SignedHttpClient`Symfony `HttpClientInterface` decorator, auto-signs requests`HttpClient\SignedClientFactory`Factory creating Guzzle clients with signing middleware`Signature\SignatureVerifier`Verifies incoming request signatures (PSR-7 and Symfony)`Laravel\HttpSignatureServiceProvider`Laravel service provider for container registration### Traits (legacy) [](#traits-legacy) TraitPurpose`Signature\Signer`Adds `sign(RequestInterface): RequestInterface``Signature\Verifier`Adds `verify(Request|RequestInterface): bool``HttpClient\HttpClient`Guzzle middleware, auto-signs every requestAll traits require implementing `getSignatureKey(): string`. ### Core [](#core) ClassPurpose`Signature\Signature`HMAC-SHA256 hash generator and comparator`Signature\SigningString`Builds the `METHOD.URL.TIMESTAMP.BODY` stringCompatibility ------------- [](#compatibility) PHPStatus8.2✅8.3✅8.4✅8.5✅SymfonyStatus6.4✅7.x✅8.x✅LaravelStatus10.x✅11.x✅12.x✅13.x✅Local Development ----------------- [](#local-development) Requires [Docker](https://www.docker.com/). ``` make up # Start container make install # Install dependencies make qa # Run full QA suite (rector + pint + phpstan + tests) ``` Available targets: CommandDescription`make up`Start container`make down`Stop container`make install`Install Composer dependencies`make update`Update Composer dependencies`make test`Run PHPUnit tests`make phpstan`Run static analysis (level max)`make pint`Fix code style (PSR-12)`make rector`Run automated refactoring`make qa`Run all checks`make shell`Open container shellDisclaimer ---------- [](#disclaimer) This package is maintained by [Ipedis](https://www.ipedis.com). It is provided as-is under the terms of its license. ### Health Score 49 — FairBetter than 95% of packages Maintenance87 Actively maintained with recent releases Popularity6 Limited adoption so far Community15 Small or concentrated contributor base Maturity78 Established project with proven stability Bus Factor2 2 contributors hold 50%+ of commits How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window. **Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores. **Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement. **Maturity (30%)** — Project age, version count, PHP version support, and release stability. ### Release Activity Cadence Every ~344 days Recently: every ~364 days Total 7 Last Release 100d ago Major Versions 1.0.3 → 2.0.02025-01-23 2.0.0 → 3.0.02026-01-22 PHP version history (3 changes)1.0.0PHP >7.2.0 1.0.3PHP >=8.2.0 3.0.0PHP >=8.4.0 ### Community Maintainers ![](https://www.gravatar.com/avatar/97cc863f90ac18a7a620893a0a9cbf099dab4f8e5f853e1fe5a28c64b6dec9cc?d=identicon)[yanis-git](/maintainers/yanis-git) --- Top Contributors [![tejaskgosai](https://avatars.githubusercontent.com/u/126658306?v=4)](https://github.com/tejaskgosai "tejaskgosai (8 commits)")[![nadhiir-ipedis](https://avatars.githubusercontent.com/u/48116583?v=4)](https://github.com/nadhiir-ipedis "nadhiir-ipedis (6 commits)")[![yanis-git](https://avatars.githubusercontent.com/u/4113879?v=4)](https://github.com/yanis-git "yanis-git (5 commits)")[![Copilot](https://avatars.githubusercontent.com/in/1143301?v=4)](https://github.com/Copilot "Copilot (4 commits)")[![MelchiorIpedis](https://avatars.githubusercontent.com/u/126576609?v=4)](https://github.com/MelchiorIpedis "MelchiorIpedis (2 commits)")[![lucasdsm78](https://avatars.githubusercontent.com/u/66834518?v=4)](https://github.com/lucasdsm78 "lucasdsm78 (2 commits)")[![lucas-dsm](https://avatars.githubusercontent.com/u/126459347?v=4)](https://github.com/lucas-dsm "lucas-dsm (1 commits)") ### Embed Badge ![Health badge](/badges/ipedis-http-signature/health.svg) ``` [![Health](https://phpackages.com/badges/ipedis-http-signature/health.svg)](https://phpackages.com/packages/ipedis-http-signature) ``` ### Alternatives [shopware/platform The Shopware e-commerce core 3.3k1.5M3](/packages/shopware-platform)[spatie/laravel-export Create a static site bundle from a Laravel app 646127.9k5](/packages/spatie-laravel-export)[drupal/core Drupal is an open source content management platform powering millions of websites and applications. 19462.3M1.3k](/packages/drupal-core)[prestashop/prestashop PrestaShop is an Open Source e-commerce platform, committed to providing the best shopping cart experience for both merchants and customers. 9.0k15.4k](/packages/prestashop-prestashop)[shopware/core Shopware platform is the core for all Shopware ecommerce products. 595.2M386](/packages/shopware-core)[moonshine/moonshine Laravel administration panel 1.3k217.1k59](/packages/moonshine-moonshine) PHPackages © 2026 [Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)