phelps-sg / play-hmac-signatures   0.5.5

Apache License 2.0

A Play Framework module to build actions that validate HMAC signatures

Scala versions: 2.13 2.12




Add the following to build.sbt:

libraryDependencies += "com.mesonomics" %% "play-hmac-signatures" % "0.5.5"

Example usage

To validate an HMAC signature in a Play controller, mix in the HMACSignatureHelpers trait.

The test action in the example controller below echoes back the message only if the request is correctly signed. If the signature is invalid, it returns a 401 status.

import akka.util.ByteString
import com.mesonomics.playhmacsignatures.{
  HMACSignatureHelpers,
  SlackSignatureVerifyAction
}
import play.api.libs.json.{JsValue, Json}
import play.api.mvc.{Action, BaseController, ControllerComponents}

import javax.xml.bind.DatatypeConverter
import scala.concurrent.{ExecutionContext, Future}

class TestController(
                      val controllerComponents: ControllerComponents,
                      implicit val signatureVerifyAction: SlackSignatureVerifyAction
                    )(implicit ec: ExecutionContext)
  extends BaseController
    with HMACSignatureHelpers {

  // Json.parse converts the request body into the JsValue handed to the action below
  private val onSignatureValid = validateSignatureAsync(Json.parse)(_)

  def test: Action[ByteString] =
    onSignatureValid { body: JsValue =>
      Future.successful {
        val message = body("message")
        Ok(message) // echo the message back to the caller
      }
    }
}

SlackSignatureVerifyAction looks for the following headers:


and the signing secret is taken from the following configuration key:


To use different headers and/or a different configuration key, subclass SignatureVerifyAction and override its abstract members.
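
The check that a Slack-style verifier has to perform on the raw request bytes, as an added example that is not code from play-hmac-signatures: it follows Slack's published v0 signing scheme (HMAC-SHA256 over "v0:timestamp:body") with a constant-time comparison and a replay window. The object name, the 300-second window and the sample secret and body are assumptions made for the illustration.

```scala
import java.nio.charset.StandardCharsets.UTF_8
import java.security.MessageDigest
import javax.crypto.Mac
import javax.crypto.spec.SecretKeySpec
import scala.util.Try

// Added illustration of Slack's v0 request signing; not this module's implementation.
object SlackSignatureCheck {
  private val MaxSkewSeconds = 300L // replay window (assumed: five minutes)

  /** "v0=" followed by the hex HMAC-SHA256 of "v0:<timestamp>:<raw body>". */
  def sign(secret: String, timestamp: String, body: Array[Byte]): String = {
    val mac = Mac.getInstance("HmacSHA256")
    mac.init(new SecretKeySpec(secret.getBytes(UTF_8), "HmacSHA256"))
    mac.update(s"v0:$timestamp:".getBytes(UTF_8))
    val digest = mac.doFinal(body) // signs the bytes as received, before any JSON parsing
    "v0=" + digest.map(b => f"${b & 0xff}%02x").mkString
  }

  /** True only if the timestamp is numeric and fresh and the signature matches. */
  def verify(secret: String, timestamp: String, body: Array[Byte],
             signature: String, nowEpochSeconds: Long): Boolean = {
    val fresh = Try(timestamp.toLong).toOption
      .exists(ts => math.abs(nowEpochSeconds - ts) <= MaxSkewSeconds)
    val expected = sign(secret, timestamp, body)
    // MessageDigest.isEqual is constant-time, so response timing does not
    // reveal how many leading characters of a forged signature were correct.
    val matches = MessageDigest.isEqual(expected.getBytes(UTF_8), signature.getBytes(UTF_8))
    fresh && matches
  }

  def main(args: Array[String]): Unit = {
    // Constructed sample values, not real credentials or captured traffic
    val secret = "constructed-signing-secret"
    val body = """{"message":"hello"}""".getBytes(UTF_8)
    val tampered = """{"message":"bye"}""".getBytes(UTF_8)
    val now = 1700000000L
    val sig = sign(secret, now.toString, body)

    println(s"correctly signed:    ${verify(secret, now.toString, body, sig, now)}")
    println(s"tampered body:       ${verify(secret, now.toString, tampered, sig, now)}")
    println(s"replayed an hour on: ${verify(secret, now.toString, body, sig, now + 3600)}")
    println(s"malformed timestamp: ${verify(secret, "not-a-number", body, sig, now)}")
  }
}
```

Only the first case passes; each of the others is a request that a controller like the one above should answer with a 401 status.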