PHPackages                             upyx/uri-signature - PHPackages - PHPackages  [Skip to content](#main-content)[PHPackages](/)[Directory](/)[Categories](/categories)[Trending](/trending)[Leaderboard](/leaderboard)[Changelog](/changelog)[Analyze](/analyze)[Collections](/collections)[Log in](/login)[Sign up](/register)

1. [Directory](/)
2. /
3. [Utility &amp; Helpers](/categories/utility)
4. /
5. upyx/uri-signature

ActiveLibrary[Utility &amp; Helpers](/categories/utility)

upyx/uri-signature
==================

Sing and verify URIs.

1.1.0(4y ago)12[3 PRs](https://github.com/upyx/uri-signature/pulls)MITPHPPHP ^7.4 || ^8

Since Jan 19Pushed 3y ago1 watchersCompare

[ Source](https://github.com/upyx/uri-signature)[ Packagist](https://packagist.org/packages/upyx/uri-signature)[ RSS](/packages/upyx-uri-signature/feed)WikiDiscussions main Synced today

READMEChangelog (2)Dependencies (5)Versions (6)Used By (0)

upyx/uri-signature
==================

[](#upyxuri-signature)

 **Sing and verify URIs.**

 [![Source Code](https://camo.githubusercontent.com/87f0be76ade3fb7affaca859adaea3a380a387626a1d85655a50c4bf08c7e27f/68747470733a2f2f696d672e736869656c64732e696f2f62616467652f736f757263652d757079782f7572692d2d7369676e61747572652d626c75652e7376673f7374796c653d666c61742d737175617265)](https://github.com/upyx/uri-signature) [![Download Package](https://camo.githubusercontent.com/8a59985ce1d532e5fa9d63e9be8278bce87b8d6fc222d660a361fd83f712ec25/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f762f757079782f7572692d7369676e61747572652e7376673f7374796c653d666c61742d737175617265266c6162656c3d72656c65617365)](https://packagist.org/packages/upyx/uri-signature) [![PHP Programming Language](https://camo.githubusercontent.com/8aa32c1dc7184a9e95f23320f981d848cdbdd69f00b0c8d9ed46052d435c080d/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f7068702d762f757079782f7572692d7369676e61747572652e7376673f7374796c653d666c61742d73717561726526636f6c6f72423d253233383839324246)](https://php.net) [![Read License](https://camo.githubusercontent.com/7a9ac9f359e889d34c02fa138df0531b75b62dde6428a91f010865cd4334a23e/68747470733a2f2f696d672e736869656c64732e696f2f7061636b61676973742f6c2f757079782f7572692d7369676e61747572652e7376673f7374796c653d666c61742d73717561726526636f6c6f72423d6461726b6379616e)](https://github.com/upyx/uri-signature/blob/main/LICENSE) [![Build Status](https://camo.githubusercontent.com/3d0f75304ae1b15a83dc91ef2334884eaa6d2b6693e53857090eaf3c6e284783/68747470733a2f2f696d672e736869656c64732e696f2f6769746875622f776f726b666c6f772f7374617475732f757079782f7572692d7369676e61747572652f6275696c642f6d61696e3f7374796c653d666c61742d737175617265266c6f676f3d676974687562)](https://github.com/upyx/uri-signature/actions/workflows/continuous-integration.yml) [![Codecov Code Coverage](https://camo.githubusercontent.com/97e63b6b79a5f30df848416de2d1486e45b2f0b262dff26f0693af01a5551f59/68747470733a2f2f696d672e736869656c64732e696f2f636f6465636f762f632f67682f757079782f7572692d7369676e61747572653f6c6162656c3d636f6465636f76266c6f676f3d636f6465636f76267374796c653d666c61742d737175617265)](https://codecov.io/gh/upyx/uri-signature) [![Psalm Type Coverage](https://camo.githubusercontent.com/e0c1766b79e1d4c8e7e8a2099dd2f4ce770f243cc6df845cceaddd881355da53/68747470733a2f2f696d672e736869656c64732e696f2f656e64706f696e743f7374796c653d666c61742d7371756172652675726c3d687474707325334125324625324673686570686572642e646576253246676974687562253246757079782532467572692d7369676e6174757265253246636f766572616765)](https://shepherd.dev/github/upyx/uri-signature)

About
-----

[](#about)

A simple tool to sing and verify URIs' query parameters to protect them from fraud. It supports different hash algorithms including HMAC.

It depends on PRS-7 HTTP message implementation. It has been tested with [Guzzle](https://github.com/guzzle/psr7) and [Nyholm](https://github.com/nyholm/psr7), but you can try anyone.

Installation
------------

[](#installation)

Install this package as a dependency using [Composer](https://getcomposer.org).

```
composer require upyx/uri-signature
```

If you got an error `Could not find package psr/http-message-implementation`, it means you miss a PSR-7 implementation. Try

```
composer require nyholm/psr7
```

or

```
composer require guzzlehttp/psr7
```

Usage
-----

[](#usage)

To sign query parameters

```
use GuzzleHttp\Psr7\Uri;
use Upyx\UriSignature\Signer;
$signer = new Signer('sig', 's0me$ecret!', 'sha1');

$uri = new Uri('https://example.com/?sensitive=value');
$signed = $signer->signUriParams($uri);
echo $signed; // https://example.com/?sensitive=value&sig=YQ_1AXL5Cdspng1W7SETkdvsLoY
```

To check them

```
use GuzzleHttp\Psr7\Uri;
use Upyx\UriSignature\Signer;
$signer = new Signer('sig', 's0me$ecret!', 'sha1');

$signed = new Uri('https://example.com/?sensitive=value&sig=YQ_1AXL5Cdspng1W7SETkdvsLoY');
$verified = $signer->verifyUriParams($signed); // true

$hacked = new Uri('https://example.com/?sensitive=changed&sig=YQ_1AXL5Cdspng1W7SETkdvsLoY');
$failed = $signer->verifyUriParams($hacked); // false
```

It signs query parameters only!

```
use GuzzleHttp\Psr7\Uri;
use Upyx\UriSignature\Signer;
$signer = new Signer('sig', 's0me$ecret!', 'sha1');

$signed1 = new Uri('//some.example.com/?sensitive=value&sig=YQ_1AXL5Cdspng1W7SETkdvsLoY');
$signed2 = new Uri('//other.example.com/?sensitive=value&sig=YQ_1AXL5Cdspng1W7SETkdvsLoY');
$signed3 = new Uri('/?sensitive=value&sig=YQ_1AXL5Cdspng1W7SETkdvsLoY');

$verified = $signer->verifyUriParams($signed1); // true
$verifiedToo = $signer->verifyUriParams($signed2); // true
$verifiedAgain = $signer->verifyUriParams($signed3); // true
```

Parameters are being sorted so that the order is not important

```
use GuzzleHttp\Psr7\Uri;
use Upyx\UriSignature\Signer;
$signer = new Signer('sig', 's0me$ecret!', 'sha1');

$signed1 = new Uri('/?param1=value1&param2=vA%20e.&sig=m3EaBLndIFulvWGJqUuxGepv000');
$signed2 = new Uri('/?param2=vA%20e.&param1=value1&sig=m3EaBLndIFulvWGJqUuxGepv000');

$verified = $signer->verifyUriParams($signed1); // true
$verifiedToo = $signer->verifyUriParams($signed2); // true
```

However, ordering of arrays is

```
use GuzzleHttp\Psr7\Uri;
use Upyx\UriSignature\Signer;
$signer = new Signer('sig', 's0me$ecret!', 'sha1');

$signed = new Uri('https://example.com/?param[]=1&param[]=2&sig=TZEYycd_uldtq0B3nHXlETRxT2Y');
$hacked = new Uri('https://example.com/?param[]=2&param[]=1&sig=TZEYycd_uldtq0B3nHXlETRxT2Y');

$verified = $signer->verifyUriParams($signed1); // true
$failed = $signer->verifyUriParams($hacked); // false
```

To check the supported algorithms, the functions [hash\_algos()](https://www.php.net/manual/en/function.hash-algos) and [hash\_hmac\_algos()](https://www.php.net/manual/en/function.hash-hmac-algos)can be used. To use HMAC add the `hmac-` prefix. For example:

```
new Signer('sig', 's0me$ecret!', 'sha1');
new Signer('sig', 's0me$ecret!', 'md5');
new Signer('sig', 's0me$ecret!', 'hmac-sha1');
new Signer('sig', 's0me$ecret!', 'hmac-md5');
```

Contributing
------------

[](#contributing)

Contributions are welcome! To contribute, please familiarize yourself with [CONTRIBUTING.md](CONTRIBUTING.md).

Copyright and License
---------------------

[](#copyright-and-license)

The upyx/uri-signature library is copyright © [Sergey Rabochiy](mailto:upyx.00@gmail.com)and licensed for use under the terms of the MIT License (MIT). Please see [LICENSE](LICENSE) for more information.

###  Health Score

23

—

LowBetter than 26% of packages

Maintenance20

Infrequent updates — may be unmaintained

Popularity4

Limited adoption so far

Community7

Small or concentrated contributor base

Maturity54

Maturing project, gaining track record

 Bus Factor1

Top contributor holds 100% of commits — single point of failure

How is this calculated?**Maintenance (25%)** — Last commit recency, latest release date, and issue-to-star ratio. Uses a 2-year decay window.

**Popularity (30%)** — Total and monthly downloads, GitHub stars, and forks. Logarithmic scaling prevents top-heavy scores.

**Community (15%)** — Contributors, dependents, forks, watchers, and maintainers. Measures real ecosystem engagement.

**Maturity (30%)** — Project age, version count, PHP version support, and release stability.

###  Release Activity

Cadence

Every ~5 days

Total

2

Last Release

1621d ago

### Community

Maintainers

![](https://www.gravatar.com/avatar/0700d9b86802871c7130fc67198af4d38b21341caae3fff5bca9d9fb3f846a65?d=identicon)[upyx](/maintainers/upyx)

---

Top Contributors

[![upyx](https://avatars.githubusercontent.com/u/6064612?v=4)](https://github.com/upyx "upyx (3 commits)")

---

Tags

urlurisignaturesign

### Embed Badge

![Health badge](/badges/upyx-uri-signature/health.svg)

```
[![Health](https://phpackages.com/badges/upyx-uri-signature/health.svg)](https://phpackages.com/packages/upyx-uri-signature)
```

###  Alternatives

[guzzlehttp/psr7

PSR-7 message implementation that also provides common utility methods

8.0k1.1B4.0k](/packages/guzzlehttp-psr7)[aws/aws-sdk-php

AWS SDK for PHP - Use Amazon Web Services in your PHP project

6.3k543.5M2.6k](/packages/aws-aws-sdk-php)[neuron-core/neuron-ai

The PHP Agentic Framework.

2.0k656.1k38](/packages/neuron-core-neuron-ai)[league/uri-components

URI components manipulation library

31940.5M98](/packages/league-uri-components)[sabre/uri

Functions for making sense out of URIs.

29437.7M45](/packages/sabre-uri)[spatie/laravel-export

Create a static site bundle from a Laravel app

674146.0k6](/packages/spatie-laravel-export)

PHPackages © 2026

[Directory](/)[Categories](/categories)[Trending](/trending)[Changelog](/changelog)[Analyze](/analyze)
