Request Signing
Protect your API requests from tampering and replay attacks using cryptographic signatures.
Request signing adds an extra layer of security to your API calls. Each request is signed with a secret key that only you and Authgate know. This ensures that requests can’t be modified in transit or replayed by attackers.
Why Use Request Signing?
Request signing protects against three types of attacks:
- Tampering: Nobody can modify your request data while it travels over the network
- Replay Attacks: Attackers can’t capture and replay old requests (each request is only valid once)
- Man-in-the-Middle: Even if someone intercepts your request, they can’t forge new ones without your secret key
How It Works
When request signing is enabled, the API client (SDK) automatically:
- Creates a unique signature for each request using your request_signing_key
- Includes a timestamp and nonce (random number) to prevent replays
- Adds these as special headers to the request
- Authgate verifies the signature before processing the request
All of this happens automatically - you don’t need to implement anything yourself!
Enabling/Disabling
Request signing can be enabled or disabled in your application settings in the Authgate dashboard.
- Enabled: All requests must include valid signatures
- Disabled: Requests work without signatures (less secure)
Important Notes
- Keep Your Key Secret: Your request_signing_key must be kept secret and secure in your app
- 10-Second Window: Signatures are only valid for 10 seconds to prevent replay attacks
- Time Sync: Make sure your app’s system clock is accurate (synchronized with NTP)
- Works With All Auth Methods: Request signing works alongside Token Auth, Legacy Auth, and anonymous access
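The client-side signing and server-side verification described above (signature over the request, timestamp plus nonce, and the 10-second window), as an added example that is not Authgate's SDK or its actual wire format: it assumes an HMAC-SHA256 over method, path, timestamp, nonce and a body hash, and the header names X-Timestamp, X-Nonce and X-Signature, none of which this page specifies.

```python
import hashlib
import hmac
import secrets
import time

SIGNATURE_WINDOW_SECONDS = 10  # the 10-second validity window described on this page

def canonical_string(method, path, timestamp, nonce, body):
    # Hypothetical canonical form: every field a tamperer could alter is bound to the signature.
    body_hash = hashlib.sha256(body).hexdigest()
    return "\n".join([method.upper(), path, str(timestamp), nonce, body_hash])

def sign_request(key, method, path, body, timestamp=None, nonce=None):
    """Client side: returns the signing headers (header names are assumptions)."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = canonical_string(method, path, timestamp, nonce, body).encode()
    digest = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": digest}

class SignatureVerifier:
    """Server side: checks the time window, then the signature, then nonce reuse."""

    def __init__(self, key):
        self.key = key
        self.seen_nonces = {}  # nonce -> timestamp; only needs to cover the window

    def verify(self, method, path, body, headers, now=None):
        now = int(time.time()) if now is None else now
        try:
            ts, nonce, sig = int(headers["X-Timestamp"]), headers["X-Nonce"], headers["X-Signature"]
        except (KeyError, ValueError):
            return False, "missing or malformed signing headers"
        # Reject stale (or far-future) timestamps before doing any crypto work.
        if abs(now - ts) > SIGNATURE_WINDOW_SECONDS:
            return False, "timestamp outside window"
        msg = canonical_string(method, path, ts, nonce, body).encode()
        expected = hmac.new(self.key, msg, hashlib.sha256).hexdigest()
        # Constant-time comparison avoids leaking how many bytes of the MAC matched.
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        # Forget nonces older than the window, then reject any nonce already seen inside it.
        self.seen_nonces = {n: t for n, t in self.seen_nonces.items()
                            if now - t <= SIGNATURE_WINDOW_SECONDS}
        if nonce in self.seen_nonces:
            return False, "nonce already used (replay)"
        self.seen_nonces[nonce] = ts
        return True, "ok"
```

Because the nonce is recorded only after the signature verifies, an unauthenticated sender cannot fill the replay cache, and the cache never has to hold more than one window's worth of nonces.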