PHPackages                             ovarun/laravel-hmac-auth - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. ovarun/laravel-hmac-auth

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

ovarun/laravel-hmac-auth
========================

Secure HMAC authentication module for Laravel APIs

v1.0.0(11mo ago)11MITPHPPHP ^8.0

Since Jul 24Pushed 11mo agoCompare

[ Source](https://github.com/ovarun/laravel-hmac-auth)[ Packagist](https://packagist.org/packages/ovarun/laravel-hmac-auth)[ RSS](/packages/ovarun-laravel-hmac-auth/feed)WikiDiscussions main Synced today

READMEChangelog (1)Dependencies (1)Versions (4)Used By (0)

🔐 Laravel HMAC Auth Package
===========================

[](#-laravel-hmac-auth-package)

[![Latest Version on Packagist](https://camo.githubusercontent.com/33f485ce8ebf979247b9af670db2bcbe4f4800e18ce6629ccc9ccf2efc10efc4/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f6f766172756e2f6c61726176656c2d686d61632d617574682e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/ovarun/laravel-hmac-auth)[![Total Downloads](https://camo.githubusercontent.com/43606c0b49665c8f92a7f9f2980653693a62e1cec0dae2a0c8a2d381e7fda3d5/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f64742f6f766172756e2f6c61726176656c2d686d61632d617574682e7376673f7374796c653d666c61742d737175617265)](https://packagist.org/packages/ovarun/laravel-hmac-auth)

Secure, stateless HMAC authentication for Laravel APIs — built for partner APIs, internal microservices, and multi-platform consumers (Angular, .NET, Python, Drupal).

---

📦 Requirements
--------------

[](#-requirements)

- PHP 8.0+
- Laravel 10.x
- Composer
- OpenSSL / `hash_pbkdf2` support

---

🚀 Installation
--------------

[](#-installation)

Install directly via Packagist:

```
composer require ovarun/laravel-hmac-auth
```

Publish the config and migrations:

```
php artisan vendor:publish --tag=hmac-auth
php artisan migrate
```

---

⚙️ Initial Setup
----------------

[](#️-initial-setup)

Run the interactive setup to auto-generate secure HMAC key and salt:

```
php artisan hmac:setup
```

This adds to your `.env`:

```
HMAC_SECRET_GENERATOR_KEY='...'
HMAC_SECRET_GENERATOR_SALT='...'

```

These are used for deterministic, secure secret generation per client.

---

🔐 Register HMAC Clients
-----------------------

[](#-register-hmac-clients)

Register a new client via:

```
php artisan hmac:client-create
```

- Prompts for Client Name (and optional Client ID)
- Normalizes ID (lowercase, hyphenated, clean)
- Generates PBKDF2-based 256-bit secret
- Saves to `hmac_clients` table

---

🛡 Middleware Usage
------------------

[](#-middleware-usage)

Apply HMAC protection to your API routes.

### Register Middleware in `app/Http/Kernel.php`:

[](#register-middleware-in-apphttpkernelphp)

```
'verify.hmac' => \Ovarun\HmacAuth\Http\Middleware\VerifyHmacSignature::class,
```

### Use in Routes:

[](#use-in-routes)

```
Route::middleware('verify.hmac')->group(function () {
    Route::post('/api/secure-endpoint', [SecureController::class, 'handle']);
});
```

---

📤 Client-Side Authentication
----------------------------

[](#-client-side-authentication)

Clients must include these HTTP headers:

```
X-CLIENT-ID: partner-app-1
X-TIMESTAMP: 2025-07-24T14:05:00Z
X-SIGNATURE: {hmac_sha256_signature}

```

Signature is built from:

```
$message = $timestamp . $method . $path . $body

```

Then:

```
hash_hmac('sha256', $message, $clientSecret);
```

---

🧪 Security Best Practices
-------------------------

[](#-security-best-practices)

- Always use HTTPS
- Rotate secrets on a schedule
- Use short timestamp tolerance (`config/hmac.php`)
- Pair with IP whitelisting or rate limits
- Never log or expose the secret in responses

---

📄 License
---------

[](#-license)

MIT © [arun o v](https://packagist.org/packages/ovarun/laravel-hmac-auth)

###  Health Score

28

—

LowBetter than 52% of packages

Maintenance51

Moderate activity, may be stable

Popularity3

Limited adoption so far

Community6

Small or concentrated contributor base

Maturity44

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~0 days

Total

3

Last Release

345d ago

Major Versions

v1.x-dev → v2.x-dev2025-07-24

PHP version history (2 changes)v1.0.0PHP ^8.0

v2.x-devPHP ^8.3

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/26575962?v=4)[Arun o v](/maintainers/ovarun)[@ovarun](https://github.com/ovarun)

---

Top Contributors

[![ovarun](https://avatars.githubusercontent.com/u/26575962?v=4)](https://github.com/ovarun "ovarun (5 commits)")

### Embed Badge

![Health badge](/badges/ovarun-laravel-hmac-auth/health.svg)

```
[![Health](https://phpackages.com/badges/ovarun-laravel-hmac-auth/health.svg)](https://phpackages.com/packages/ovarun-laravel-hmac-auth)
```

###  Alternatives

[directorytree/ldaprecord-laravel

LDAP Authentication &amp; Management for Laravel.

5752.3M18](/packages/directorytree-ldaprecord-laravel)[illuminate/auth

The Illuminate Auth package.

10528.2M1.2k](/packages/illuminate-auth)[althinect/filament-spatie-roles-permissions

3481.1M10](/packages/althinect-filament-spatie-roles-permissions)[hasinhayder/tyro

Tyro - The ultimate Authentication, Authorization, and Role &amp; Privilege Management solution for Laravel 12 &amp; 13

6804.7k6](/packages/hasinhayder-tyro)[masterix21/laravel-licensing

Laravel licensing package with polymorphic assignment to any model, activation keys, expirations/renewals, and seat control via LicenseUsage. Supports offline verification with public-key–signed tokens, a CLI to generate/rotate/revoke keys, and an extensible architecture via config and contracts.

1563.1k4](/packages/masterix21-laravel-licensing)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
