> ## Documentation Index
> Fetch the complete documentation index at: https://docs.alumio.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Request body signing

> Signs the request body with a key and attaches the signature as a header. Supports HMAC (SHA-256, SHA-512) and RSA (SHA-256, SHA-512).

export const FormField = ({property, label, required = false, diType, uiPatterns, children}) => {
  const patterns = Array.isArray(uiPatterns) ? uiPatterns : uiPatterns ? [uiPatterns] : [];
  return <div style={{
    margin: '1.5rem 0'
  }}>
      <div style={{
    display: 'flex',
    alignItems: 'baseline',
    flexWrap: 'wrap',
    gap: '0.5rem',
    marginBottom: '0.25rem'
  }}>
        <strong>{label}</strong>
        <span style={{
    fontSize: '0.7rem',
    fontWeight: 600,
    textTransform: 'uppercase',
    letterSpacing: '0.04em',
    color: required ? '#6241f5' : '#6b7280'
  }}>
          {required ? 'Required' : 'Optional'}
        </span>
      </div>

      <div>{children}</div>

      {diType || patterns.length > 0 ? <p style={{
    fontSize: '0.85rem',
    color: '#6b7280',
    marginBottom: 0
  }}>
          {diType ? <>
              See the <a href={`/references/${diType}`}>{diType}</a> reference.{' '}
            </> : null}
          {patterns.length > 0 ? <>
              Accepts a <a href={`/documentation/placeholders-and-patterns/patterns#${patterns[0]}`}>pattern</a>.
            </> : null}
        </p> : null}
    </div>;
};

Signs the request body with a cryptographic key and attaches the resulting signature as an HTTP header. This is a common pattern for webhooks and APIs: it lets the receiver confirm that a request came from a trusted party and that the body has not been changed along the way. Add it to an HTTP API connection and every request is signed automatically. It supports HMAC (with a shared secret) and RSA (with your private key), each in SHA-256 and SHA-512.

This documentation describes: [Schema](/schemas/http-authentication-configurator/request-signing)

## Fields

<FormField property="algorithm" label="Algorithm" required>
  The signing method. Choose an HMAC option when the API gives you a shared secret known to both sides. Choose an RSA option when you sign with your own private key and the API verifies with the matching public key. The choices are HMAC SHA-256, HMAC SHA-512, RSA SHA-256, and RSA SHA-512. Your choice here decides what the next field asks for.
</FormField>

<FormField property="key" label="Shared secret / Private key" required>
  The key used to sign the request body. For an HMAC algorithm this is the **shared secret** agreed with the API provider. For an RSA algorithm this is your **private key in PEM format**; the provider verifies the signature with the corresponding public key. Either way it is sensitive, so store it in an environment variable and reference it here rather than typing it in plainly.
</FormField>

<FormField property="headerName" label="Header name" required>
  The HTTP header the signature is sent in. Defaults to `Signature`. Set it to whatever the API expects, for example `X-Signature` or `X-Hub-Signature-256`.
</FormField>

<FormField property="headerTemplate" label="Header content" required>
  The value placed in the header. Use `{signature}` where the computed signature should go. Defaults to `{signature}` (just the signature on its own). Some APIs expect a prefix, for example `sha256={signature}` for GitHub-style headers.
</FormField>

<FormField property="encoding" label="Encoding" required>
  How the raw signature bytes are turned into text before being placed in the header. Base64 (the default) is the most common; some APIs expect Hex instead.
</FormField>

## Sample data

This feature signs outgoing requests rather than transforming data, so there is no before/after to show. A typical configuration for GitHub-style webhook signing, which uses HMAC SHA-256 with a `sha256=` prefix, looks like this:

| Field          | Value                 |
| -------------- | --------------------- |
| Algorithm      | HMAC SHA-256          |
| Shared secret  | `your-webhook-secret` |
| Header name    | `X-Hub-Signature-256` |
| Header content | `sha256={signature}`  |
| Encoding       | Hex                   |

With these settings, every request carries a header such as `X-Hub-Signature-256: sha256=<computed signature of the body>`.

```json Configuration theme={null}
{
  "prototype": "request-signing",
  "parameters": {
    "algorithm": "hmac-sha256",
    "key": "your-webhook-secret",
    "headerName": "X-Hub-Signature-256",
    "headerTemplate": "sha256={signature}",
    "encoding": "hex"
  }
}
```
