http-message-sig
0.2.0, verified Sat Apr 25, auth: no, javascript
HTTP Message Signatures implementation conforming to RFC 9421, currently at version 0.2.0 (pre-1.0). Provides synchronous and asynchronous signing and verification of HTTP messages. Forked from ltonetwork/http-message-signatures to address incomplete RFC compliance. Ships TypeScript types. Not audited for security; use with caution.
Common errors
error Cannot find module 'http-message-sig' or its corresponding type declarations.
cause TypeScript may not resolve types for ESM packages if moduleResolution is not set to 'node16' or 'bundler'.
fix Set 'moduleResolution' to 'node16' or 'bundler' in tsconfig.json.
error ERR_REQUIRE_ESM: require() of ES Module http-message-sig from not supported.
cause Trying to use require() on an ESM-only package.
fix Use import() syntax or switch to ES modules.
error TypeError: crypto.subtle.generateKey is not a function
cause crypto.subtle is only available in secure contexts (HTTPS/localhost) and Node.js 15+.
fix Run in a secure context or use Node.js 15+. For Node.js 14 and below, use a polyfill.
Warnings
breaking Package is pre-1.0 (version 0.2.0); API may change without major version bump.
fix Pin to exact version and test upgrades thoroughly.
gotcha ESM-only package; cannot be used with CommonJS require().
fix Use dynamic import() in CJS or switch to ESM.
gotcha Forked from ltonetwork/http-message-signatures; not fully compliant with RFC 9421 yet.
fix Review RFC 9421 requirements and verify behavior matches your use case.
deprecated Package has not been audited for security.
fix Use only in non-critical environments or perform a security audit before production use.
Install
npm install http-message-sig
yarn add http-message-sig
pnpm add http-message-sig
Imports
- sign
wrong: import sign from 'http-message-sig'
correct: import { sign } from 'http-message-sig'
- verify
wrong: const { verify } = require('http-message-sig')
correct: import { verify } from 'http-message-sig'
- SignOptions
wrong: import { SignOptions } from 'http-message-sig'
correct: import type { SignOptions } from 'http-message-sig'
Quickstart
// Run as an ES module: the package is ESM-only and this snippet uses top-level await.
import { sign, verify } from 'http-message-sig';

// Generate a shared HMAC-SHA256 key with Web Crypto.
const key = await crypto.subtle.generateKey(
  { name: 'HMAC', hash: 'SHA-256' },
  true,
  ['sign', 'verify']
);

// The HTTP message to be signed.
const message = {
  method: 'POST',
  url: '/api/data',
  headers: { 'content-type': 'application/json' },
  body: JSON.stringify({ foo: 'bar' })
};

// Sign with a one-hour validity window (created/expires are Unix seconds).
const signature = await sign(message, {
  key: key,
  keyId: 'my-key',
  algorithm: 'hmac-sha256',
  created: Math.floor(Date.now() / 1000),
  expires: Math.floor(Date.now() / 1000) + 3600
});
console.log(signature);

// Verify the signature against the same message and key.
const isValid = await verify(message, signature, {
  key: key,
  algorithm: 'hmac-sha256'
});
console.log('Signature valid:', isValid);