Sign- and validate- data (dictionaries, strings) using symmetric-key algorithm.

sign data, sign (HTTP) request, symmetric-key algorithm, encryption, sign URL
npm install skajs@0.0.6



Lets you easily sign data, using symmetric-key algorithm encryption. Allows you to validate signed data and identify possible validation errors. Uses sha/hmac for signature encryption. Comes with shortcut functions for signing (and validating) dictionaries and URLs.

Key concepts

Hosts, that communicate with each other, share the Secret Key, which is used to sign data (requests). Secret key is never sent around.

One of the cases is signing of HTTP requests. Each (HTTP) request is signed on the sender side using the shared Secret Key and as an outcome produces the triple (signature, auth_user, valid_until) which are used to sign the requests.

  • signature (string): Signature generated.
  • auth_user (string): User making the request. Can be anything.
  • valid_until (float or string): Signature expiration time (Unix timestamp).

On the recipient side, (HTTP request) data is validated using the shared Secret Key. It's being checked whether signature is valid and not expired.

    ┌─────────────┐           Data              ┌─────────────┐
    │   Host 1    ├────────────────────────────>│   Host 2    │
    │ ─────────── │                             │ ─────────── │
    │ secret key  │                             │ secret key  │
    │ 'my-secret' │<────────────────────────────┤ 'my-secret' │
    └─────────────┘           Data              └─────────────┘


  • Sign dictionaries.
  • Validate signed dictionaries.
  • Sign URLs. Append and sign additional URL data.
  • Validate URLs.


Latest stable version from NPM registry:

npm install skajs

Usage examples

Usage example are present for both CommonJS and ESM.


node examples.js


node examples.mjs

Basic usage

Sender side

Signing dictionaries is as simple as follows.

Required imports.


const { signatureToDict } = require("skajs");


import { signatureToDict } from "skajs";
Sign data
const signatureDict = signatureToDict("user", "your-secret_key", null, null, {
    1: "1",
    2: "2",

Sample output:

    "signature": "YlZpLFsjUKBalL4x5trhkeEgqE8=",
    "auth_user": "user",
    "valid_until": "1378045287.0"

Default lifetime of a signature is 10 minutes (600 seconds). If you want it to be different, provide a lifetime argument to signUrl function.

Default name of the (GET) param holding the generated signature value is signature. If you want it to be different, provide a signatureParam argument to signatureToDict function.

Default name of the (GET) param holding the authUser value is auth_user. If you want it to be different, provide a authUserParam argument to signatureToDict function.

Default name of the (GET) param holding the validUntil value is valid_until. If you want it to be different, provide a validUntilParam argument to signatureToDict function.

Note, that by default a suffix '?' is added after the given url and generated signature params. If you want that suffix to be custom, provide a suffix argument to the signatureToDict function. If you want it to be gone, set its' value to empty string.

Adding of additional data to the signature works in the same way:

signature_dict = signatureToDict("user", "your-secret_key", null, null, {
    email: "",
    first_name: "John",
    last_name: "Doe",

Sample output:

    "auth_user": "user",
    "email": "",
    "extra": "email,first_name,last_name",
    "first_name": "John",
    "last_name": "Doe",
    "signature": "cnSoU/LnJ/ZhfLtDLzab3a3gkug=",
    "valid_until": 1387616469.0

Recipient side

Validating the signed request data is as simple as follows.

Required imports


const { validateSignedRequestData } = require("skajs");


import { validateSignedRequestData } from "skajs";
Validate signed requests

Validating the signed request data. Note, that data value is expected to be a dictionary; request.GET is given as an example. It will most likely vary from what's used in your framework (unless you use Django).

validationResult = validateSignedRequestData(
    request.GET, // Note, that ``request.GET`` is given as example.


Simply type:

npm test

Code style

The Prettier is used.

npx prettier --write .




For any issues contact me at the e-mail given in the Author section.


Artur Barseghyan