HTTP requests will be signed with a shared secret key using HMAC. The string to sign format is:
<Method>\n
<Content-MD5>\n
<Content-Type>\n
<Date>\n
<URL>
Example String-to-sign
POST
vVqHE1k/uBRCoWe0FAh95g==
application/json
Tue, 12 Jan 2016 14:57:28 GMT
/api/v1/avatars
Example Authorization Header with HMAC signature
Authorization: HMAC XH+v0qhV4i/89y/DT2OOJx9Kjf3f/0j+w2aGZk625nU=
$ pip install httpie-hmac-auth
You should now see hmac
under --auth-type
in $ http --help
output.
$ http --auth-type=hmac --auth='client:secret' example.org
To authenticate a client request when an access key is required by the server to lookup the shared secret:
$ http --auth-type=hmac --auth="client:secret" example.org
To authenticate a client request when there is no requirement for a client to supply an access key:
$ http --auth-type=hmac --auth=":secret" example.org
Copyright (c) 2016 The Guardian. Available under the MIT License.