PHPackages                             soapbox/signed-requests - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Authentication &amp; Authorization](/categories/authentication)
4. /
5. soapbox/signed-requests

ActiveLibrary[Authentication &amp; Authorization](/categories/authentication)

soapbox/signed-requests
=======================

A wrapper to add the ability to accept signed requests to a Laravel project.

5.1(5y ago)749.7k1[2 issues](https://github.com/Soapbox/SignedRequests/issues)[1 PRs](https://github.com/Soapbox/SignedRequests/pulls)2MITPHPPHP ^7.3 || ^8.0CI failing

Since May 12Pushed 2y ago11 watchersCompare

[ Source](https://github.com/Soapbox/SignedRequests)[ Packagist](https://packagist.org/packages/soapbox/signed-requests)[ RSS](/packages/soapbox-signed-requests/feed)WikiDiscussions master Synced 4d ago

READMEChangelog (9)Dependencies (10)Versions (16)Used By (2)

Signed Requests
===============

[](#signed-requests)

[![Build Status](https://camo.githubusercontent.com/35cfdda9b44dc4d88dc74c9a45a5cfe402b887e9cbcce98570181ed451003707/68747470733a2f2f7472617669732d63692e6f72672f536f6170426f782f5369676e656452657175657374732e7376673f6272616e63683d6d6173746572)](https://travis-ci.org/SoapBox/SignedRequests) [![Coverage Status](https://camo.githubusercontent.com/dd81a080fac766653a757f4e81a7937b5ec46c1ff33e0d1cc2cfa9c0f178d3db/68747470733a2f2f636f766572616c6c732e696f2f7265706f732f6769746875622f536f6170426f782f5369676e656452657175657374732f62616467652e7376673f6272616e63683d6d6173746572)](https://coveralls.io/github/SoapBox/SignedRequests?branch=master) [![Code Climate](https://camo.githubusercontent.com/f1a231cf6f13a8520b95208427447ad59cffceeba5e51438a7a333b33f1e9241/68747470733a2f2f636f6465636c696d6174652e636f6d2f6769746875622f536f6170426f782f5369676e656452657175657374732f6261646765732f6770612e737667)](https://codeclimate.com/github/SoapBox/SignedRequests)

A wrapper to add the ability to accept signed requests to a Laravel project.

Installation
------------

[](#installation)

### Composer

[](#composer)

```
composer require soapbox/signed-requests
```

### Setup the Service Provider

[](#setup-the-service-provider)

Open `config/app.php` and register the required service provider above your application providers.

```
'providers' => [
    ...
    SoapBox\SignedRequests\ServiceProvider::class
    ...
]
```

### Publish the Configuration

[](#publish-the-configuration)

```
php artisan vendor:publish --provider 'SoapBox\SignedRequests\ServiceProvider'
```

### Configuring your Environment

[](#configuring-your-environment)

You will need to set the following details in your environment:

```
SIGNED_REQUEST_ALGORITHM=
SIGNED_REQUEST_CACHE_PREFIX=
SIGNED_REQUEST_SIGNATURE_HEADER=
SIGNED_REQUEST_ALGORITHM_HEADER=
SIGNED_REQUEST_KEY=
SIGNED_REQUEST_ALLOW_REPLAYS=
SIGNED_REQUEST_TOLERANCE_SECONDS=
```

Each of the settings above allows for a different level of configuration.

- `SIGNED_REQUEST_ALGORITHM` is the algorithm that will be used to generate / verify the signature. This is defaulted to use `sha256` feel free to change this to anything that `hash_hmac` accepts.
- `SIGNED_REQUEST_CACHE_PREFIX` is the prefix to use for all the cache keys that will be generated. Here you can use the default if you're not planning on sharing a cache between multiple applications.
- `SIGNED_REQUEST_SIGNATURE_HEADER` should be the request header that the signature will be included on, `X-Signature` will be used by default.
- `SIGNED_REQUEST_ALGORITHM_HEADER` should be the request header that the includes the algorithm used to sign the request.
- `SIGNED_REQUEST_KEY` is the shared secret key between the application generating the requests, and the application consuming them. This value should not be publically available.
- `SIGNED_REQUEST_ALLOW_REPLAYS` allows you to enable or disable replay attacks. By default replays are disabled.
- `SIGNED_REQUEST_TOLERANCE_SECONDS` is the number of seconds that a request will be considered for. This setting allows for some time drift between servers and is only used when replays are disabled.

### Setup the Middleware

[](#setup-the-middleware)

Signed Requests includes a middleware to validate the signature of a request for your automatically. To get started, add the following middleware to the `$routeMiddleware` property of your `app/Http/Kernel.php` file.

```
'verify-signature' => \SoapBox\SignedRequests\Middlewares\Laravel\VerifySignature::class
```

### Verify the Signature

[](#verify-the-signature)

The `verify-signature` middleware may be assigned to a route to verify the signature of the incoming request to verify its authenticity:

```
Route::get('/fire', function () {
    return "You'll only see this if the signature of the request is valid!";
})->middleware('verify-signature');
```

### Setting Up Additional Keys

[](#setting-up-additional-keys)

You can also set up additional keys to use if you want different keys for different endpoints.

Add them to your environment:

```
CUSTOM_SIGNED_REQUEST_ALGORITHM=
CUSTOM_SIGNED_REQUEST_CACHE_PREFIX=
CUSTOM_SIGNED_REQUEST_SIGNATURE_HEADER=
CUSTOM_SIGNED_REQUEST_ALGORITHM_HEADER=
CUSTOM_SIGNED_REQUEST_KEY=
CUSTOM_SIGNED_REQUEST_ALLOW_REPLAYS=
CUSTOM_SIGNED_REQUEST_TOLERANCE_SECONDS=
```

Update the configuration in `signed-requests.php`

```
    'default' => [
        ...
    ],
    'custom' => [
        'algorithm' => env('CUSTOM_SIGNED_REQUEST_ALGORITHM', 'sha256'),
        'cache-prefix' => env('CUSTOM_SIGNED_REQUEST_CACHE_PREFIX', 'signed-requests'),
        'headers' => [
            'signature' => env('CUSTOM_SIGNED_REQUEST_SIGNATURE_HEADER', 'X-Signature'),
            'algorithm' => env('CUSTOM_SIGNED_REQUEST_ALGORITHM_HEADER', 'X-Signature-Algorithm')
        ],
        'key' => env('CUSTOM_SIGNED_REQUEST_KEY', 'key'),
        'request-replay' => [
            'allow' => env('CUSTOM_SIGNED_REQUEST_ALLOW_REPLAYS', false),
            'tolerance' => env('CUSTOM_SIGNED_REQUEST_TOLERANCE_SECONDS', 30)
        ]
    ]
```

Set up your route to use the custom key. The param you pass must be the same name as the key you set in the configuration in `signed-requests.php`

```
Route::get('/fire', function () {
    return "You'll only see this if the signature of the request is valid!";
})->middleware('verify-signature:custom');
```

### Signing Postman Requests

[](#signing-postman-requests)

If you, like us, like to use [postman](https://www.getpostman.com/) to share your api internally you can use the following pre-request script to automatically sign your postman requests:

```
function guid() {
  function s4() {
    return Math.floor((1 + Math.random()) * 0x10000)
      .toString(16)
      .substring(1);
  }
  return s4() + s4() + '-' + s4() + '-' + s4() + '-' +
    s4() + '-' + s4() + s4() + s4();
}

function getTimestamp() {
    var date = (new Date()).toISOString();
    date = date.split("T");
    date[1] = date[1].split(".")[0];
    return date.join(' ');
}

postman.setEnvironmentVariable("x-signed-id", guid());
postman.setEnvironmentVariable("x-signed-timestamp", getTimestamp());
postman.setEnvironmentVariable("x-algorithm", "sha256");

var payload = {
    "id": postman.getEnvironmentVariable("x-signed-id"),
    "method": request.method,
    "timestamp": postman.getEnvironmentVariable("x-signed-timestamp"),
    "uri": request.url.replace("{{url}}", postman.getEnvironmentVariable("url")),
    "content": (Object.keys(request.data).length === 0) ? "" : JSON.stringify(JSON.parse(request.data))
};

var hash = CryptoJS.HmacSHA256(JSON.stringify(payload), postman.getEnvironmentVariable("key"));
var signature = hash.toString();

postman.setEnvironmentVariable("x-signature", signature);
```

Note for this to work you'll have to setup your environment to have the following variables:

- `{{url}}` this is the base url to the api you'll be hitting.
- `{{key}}` this is the shared secret key you'll be using in your environment.

All other environment variables that will be needed will be automatically generated by the above script.

###  Health Score

38

—

LowBetter than 83% of packages

Maintenance14

Infrequent updates — may be unmaintained

Popularity30

Limited adoption so far

Community20

Small or concentrated contributor base

Maturity76

Established project with proven stability

 Bus Factor1

Top contributor holds 84.6% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~137 days

Recently: every ~12 days

Total

12

Last Release

1826d ago

Major Versions

v0.2 → v1.0.02018-04-12

v1.0.0 → 2.0.02018-09-28

v2.0.1 → v3.02020-01-20

v3.0 → 4.02021-05-05

4.0 → 5.12021-05-14

PHP version history (3 changes)v0.1PHP &gt;=7.1

v3.0PHP &gt;=7.2

5.1PHP ^7.3 || ^8.0

### Community

Maintainers

![](https://avatars.githubusercontent.com/u/1336930?v=4)[Graham McCarthy](/maintainers/grahammccarthy)[@grahammccarthy](https://github.com/grahammccarthy)

---

Top Contributors

[![Jaspaul](https://avatars.githubusercontent.com/u/2836589?v=4)](https://github.com/Jaspaul "Jaspaul (77 commits)")[![lucasppons](https://avatars.githubusercontent.com/u/27508272?v=4)](https://github.com/lucasppons "lucasppons (9 commits)")[![JaskirtPooni](https://avatars.githubusercontent.com/u/3004458?v=4)](https://github.com/JaskirtPooni "JaskirtPooni (3 commits)")[![devsquad-leandro-santos](https://avatars.githubusercontent.com/u/83614465?v=4)](https://github.com/devsquad-leandro-santos "devsquad-leandro-santos (1 commits)")[![itsobiwong](https://avatars.githubusercontent.com/u/5666417?v=4)](https://github.com/itsobiwong "itsobiwong (1 commits)")

---

Tags

laravelrequestssignedsigned-requestslaravelrequestssignedsigned requests

###  Code Quality

TestsPHPUnit

### Embed Badge

![Health badge](/badges/soapbox-signed-requests/health.svg)

```
[![Health](https://phpackages.com/badges/soapbox-signed-requests/health.svg)](https://phpackages.com/packages/soapbox-signed-requests)
```

###  Alternatives

[laravel/framework

The Laravel Framework.

34.8k543.8M19.5k](/packages/laravel-framework)[laravel/horizon

Dashboard and code-driven configuration for Laravel queues.

4.2k95.4M284](/packages/laravel-horizon)[roots/acorn

Framework for Roots WordPress projects built with Laravel components.

9762.4M123](/packages/roots-acorn)[laravel/socialite

Laravel wrapper around OAuth 1 &amp; OAuth 2 libraries.

5.7k108.5M846](/packages/laravel-socialite)[spatie/laravel-responsecache

Speed up a Laravel application by caching the entire response

2.8k8.7M64](/packages/spatie-laravel-responsecache)[psalm/plugin-laravel

Psalm plugin for Laravel

3355.3M337](/packages/psalm-plugin-laravel)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
