HTTP Signatures Playground

Sign, verify, and inspect RFC 9421 HTTP Message Signatures — like jwt.io, for HTTP signatures. Everything runs in your browser using the same @zourzouvillys/httpsig TypeScript library and the Web Crypto API.

🔒 Keys are generated and used locally. Nothing is sent anywhere.

Message & key

Method

URL

Headers — one per line, Name: value

Host: example.com
Content-Type: application/json

Body

Covered components — what the signature protects

Label

Key ID

Signature parameters

created (now) include alg

Expires in (s)

Tag

Nonce

Algorithm

Key source

generate paste PEM HMAC secret

Output

Configure the message and key on the left, then Sign request. The signature base, the Signature-Input and Signature headers, and the full signed request will appear here.

Signed message & key

Method

URL

Headers — include Signature-Input and Signature

Host: example.com
Content-Type: application/json

Body

Algorithm

Verifying key

public key PEM HMAC secret

Verification options

Max age (s)

Clock skew (s)

reject expired

Result

Tip: sign something in the Sign tab and use Send to Verify → to carry the request, headers, and key over automatically.

Signature headers

Signature-Input

Signature

Decoding does not check the signature — it just parses the structured fields, showing the covered components, parameters, and signature bytes. No key required.

Decoded

Paste Signature-Input and Signature header values and press Decode.