Signs the request body with a cryptographic key and attaches the resulting signature as an HTTP header.
This is a common pattern used by webhooks and APIs to let the receiver verify that a request was sent by a trusted party and that the body has not been tampered with.
Configuration
| Field | Description |
|---|---|
| Algorithm | The signing algorithm. Choose HMAC when the API provides a shared secret; choose RSA when you sign with your own private key. |
| Shared secret / Private key | The key used to sign the request body. For HMAC this is a shared secret string; for RSA this is a PEM-encoded private key. |
| Header name | The HTTP header the signature will be sent in. |
| Header content | The value placed in the header. Use {signature} as a placeholder for the computed signature. Some APIs require a prefix such as sha256={signature}. |
| Encoding | How the raw signature bytes are encoded: base64 or hex. |
Examples
GitHub webhooks
GitHub signs outgoing webhook payloads with HMAC SHA-256 and sends the signature in the X-Hub-Signature-256 header, prefixed with sha256=.
| Field | Value |
|---|---|
| Algorithm | HMAC SHA-256 |
| Shared secret | (the webhook secret configured in GitHub) |
| Header name | X-Hub-Signature-256 |
| Header content | sha256={signature} |
| Encoding | Hex |
Shopify webhooks
Shopify signs webhook payloads with HMAC SHA-256 and sends the signature base64-encoded in the X-Shopify-Hmac-Sha256 header.
| Field | Value |
|---|---|
| Algorithm | HMAC SHA-256 |
| Shared secret | (the webhook signing secret from your Shopify app settings) |
| Header name | X-Shopify-Hmac-Sha256 |
| Header content | {signature} |
| Encoding | Base64 |
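How the Algorithm, Header content and Encoding fields combine for the two HMAC configurations above, together with the check a receiver performs, as an added Python example (not Alumio's code; the function names, secret and body are constructed for illustration):

```python
import base64
import hashlib
import hmac


def sign_body(body: bytes, secret: bytes, header_content: str, encoding: str) -> str:
    """Compute HMAC SHA-256 over the raw body and render the header value."""
    digest = hmac.new(secret, body, hashlib.sha256).digest()
    if encoding == "hex":
        signature = digest.hex()
    elif encoding == "base64":
        signature = base64.b64encode(digest).decode("ascii")
    else:
        raise ValueError(f"unsupported encoding: {encoding}")
    # The {signature} placeholder is replaced by the encoded signature.
    return header_content.replace("{signature}", signature)


def verify_body(body: bytes, secret: bytes, received: str,
                header_content: str, encoding: str) -> bool:
    """Receiver side: recompute over the exact bytes received and compare
    in constant time so the comparison does not leak matching prefixes."""
    expected = sign_body(body, secret, header_content, encoding)
    return hmac.compare_digest(expected.encode(), received.encode())


# Constructed sample values, not real secrets or payloads.
SECRET = b"example-shared-secret"
BODY = b'{"event":"order.created","id":42}'

# Same key and body, two header formats from the tables above.
GITHUB_STYLE = sign_body(BODY, SECRET, "sha256={signature}", "hex")
SHOPIFY_STYLE = sign_body(BODY, SECRET, "{signature}", "base64")

if __name__ == "__main__":
    print("X-Hub-Signature-256:", GITHUB_STYLE)
    print("X-Shopify-Hmac-Sha256:", SHOPIFY_STYLE)
    print("valid:", verify_body(BODY, SECRET, GITHUB_STYLE,
                                "sha256={signature}", "hex"))
    # A re-serialised body (extra whitespace) is a different byte string.
    reserialised = b'{"event": "order.created", "id": 42}'
    print("re-serialised:", verify_body(reserialised, SECRET, GITHUB_STYLE,
                                        "sha256={signature}", "hex"))
```

The signature covers the exact bytes sent, so a receiver that parses and re-serialises the JSON before hashing will reject a legitimate request.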
RSA-signed requests
Some APIs authenticate requests by having you sign the request body with your RSA private key. The API verifies the signature using the corresponding public key you registered with them.
| Field | Value |
|---|---|
| Algorithm | RSA SHA-512 |
| Private key (PEM) | (your RSA private key in PEM format) |
| Header name | Signature |
| Header content | {signature} |
| Encoding | Base64 |
AWS API requests use AWS Signature V4, which signs a canonical string of the method, URL, headers, and body hash — not the body alone. Use the dedicated Amazon Web Service (AWS) authentication configurator for those.