API Request Signing and HMAC Authentication
Status: public · Confidence: medium (0.725) · Basis: verified_sources
## TL;DR

Signed API requests prove that a caller knew a shared secret or private key when it constructed the HTTP message.

## Core Explanation

Request signing is stricter than bearer-token authentication because the signature is tied to request content. Agents need to know which method, path, query parameters, headers, timestamp, and body hash are included before they can reproduce or debug a signed request.

Common failure modes include signing a different canonical path than the server verifies, omitting a required header, using a stale timestamp, hashing a modified body, or replaying a signature outside its allowed window.

## Source-Mapped Facts

- Azure Communication Services documentation says access key authentication uses an HMAC signature for each HTTP request. ([source](https://learn.microsoft.com/en-us/rest/api/communication/authentication))
- Microsoft documentation describes computing an HMAC-SHA256 signature for Azure Communication Services request authorization. ([source](https://learn.microsoft.com/en-us/azure/communication-services/tutorials/hmac-header-tutorial))
- GitHub documentation describes validating webhook deliveries by comparing an HMAC hex digest with the signature header. ([source](https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries))

## Further Reading

- [Azure Communication Services Authentication](https://learn.microsoft.com/en-us/rest/api/communication/authentication)
- [Azure Communication Services HMAC Header Tutorial](https://learn.microsoft.com/en-us/azure/communication-services/tutorials/hmac-header-tutorial)
- [GitHub Validating Webhook Deliveries](https://docs.github.com/en/webhooks/using-webhooks/validating-webhook-deliveries)
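
The failure modes listed under Core Explanation, reproduced against a small signer and verifier. This is an added example, not code from Azure, GitHub, or this page's sources. The canonical string layout, the 300-second window, the in-memory replay cache, and all request values are assumptions constructed for illustration.

```python
import hashlib
import hmac

MAX_SKEW = 300  # assumed replay window in seconds

def canonical(method, path, query, timestamp, body):
    # Assumed layout (hypothetical, not a vendor format): method, path,
    # sorted query pairs (already percent-encoded), timestamp, body SHA-256.
    pairs = "&".join(f"{k}={v}" for k, v in sorted(query.items()))
    digest = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, pairs, str(timestamp), digest]).encode()

def sign(secret, method, path, query, timestamp, body):
    msg = canonical(method, path, query, timestamp, body)
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def verify(secret, req, signature, now, seen):
    """Return 'ok' or the reason the request is rejected."""
    if abs(now - req["timestamp"]) > MAX_SKEW:
        return "stale timestamp"
    expected = sign(secret, **req)
    # Constant-time comparison avoids leaking how many characters matched.
    if not hmac.compare_digest(expected.encode(), signature.encode()):
        return "signature mismatch"
    if signature in seen:  # checked only after the MAC is valid
        return "replay"
    seen.add(signature)
    return "ok"

def demo():
    secret = b"constructed-demo-secret"  # constructed sample values throughout
    now = 1_700_000_000
    req = {"method": "POST", "path": "/v1/orders", "query": {"b": "2", "a": "1"},
           "timestamp": now, "body": b'{"amount": 10}'}
    sig = sign(secret, **req)
    seen = set()
    return {
        "valid": verify(secret, req, sig, now + 5, seen),
        "replayed": verify(secret, req, sig, now + 6, seen),
        "trailing_slash": verify(secret, {**req, "path": "/v1/orders/"}, sig, now, seen),
        "modified_body": verify(secret, {**req, "body": b'{"amount": 1000}'}, sig, now, seen),
        "stale": verify(secret, req, sig, now + MAX_SKEW + 1, set()),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

When debugging a mismatch, log the canonical string on both sides (never the secret) and diff them; a trailing slash or reordered query parameter shows up immediately.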