SquareWidget.HMAC.Server.Core 3.0.0

Install-Package SquareWidget.HMAC.Server.Core -Version 3.0.0
dotnet add package SquareWidget.HMAC.Server.Core --version 3.0.0
<PackageReference Include="SquareWidget.HMAC.Server.Core" Version="3.0.0" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add SquareWidget.HMAC.Server.Core --version 3.0.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.
#r "nuget: SquareWidget.HMAC.Server.Core, 3.0.0"
#r directive can be used in F# Interactive, C# scripting and .NET Interactive. Copy this into the interactive tool or source code of the script to reference the package.
// Install SquareWidget.HMAC.Server.Core as a Cake Addin
#addin nuget:?package=SquareWidget.HMAC.Server.Core&version=3.0.0

// Install SquareWidget.HMAC.Server.Core as a Cake Tool
#tool nuget:?package=SquareWidget.HMAC.Server.Core&version=3.0.0
The NuGet Team does not provide support for this client. Please contact its maintainers for support.


Middleware HMAC-based authentication service for ASP.NET Core 2.1 Web Api.


Build status


ASP.NET Core 2.1

Getting Started

See the documentation for usage. Download the NuGet package in your ASP.NET Core 2.1 API. Implement a shared secret store service from abstract base class SharedSecretStoreService as in this example:

using SquareWidget.HMAC.Server.Core;
using System.Threading.Tasks;

namespace SquareWidget.ExampleApi
    public class MySharedSecretStoreService : SharedSecretStoreService
        public override Task<string> GetSharedSecretAsync(string clientId)
            // TODO: Use clientId to get the shared secret from 
			// Azure Key Vault, IdentityServer4, or a database
            return Task.Run(() => "P@ssw0rd");

Add to ConfigureServices method in Startup.cs to register the authentication handler:

    .AddHmacAuthentication<MySharedSecretStoreService>(o => { });


By default the authentication handler looks for two request headers called "Hash" and "Timestamp" but these can be overridden if the client passes in another value in the request header:

    .AddHmacAuthentication<MySharedSecretStoreService>(o => 
        o.HashHeaderName = "MyHash";
        o.TimestampHeaderName = "MyTimestamp";

There is a replay attack value of 15 seconds. This can be overridden which is especially useful when debugging code:

    .AddHmacAuthentication<MySharedSecretStoreService>(o => 
        o.ReplayAttackDelayInSeconds = 900; // 15 mins

Client Side

Use SquareWidget.HMAC.Client.Core package. See the documentation. Bring in the package and use HmacHttpClient:

var baseUri = "https://localhost:12345";
var credentials = new ClientCredentials
    ClientId = "testClient",
    ClientSecret = "testSecret"

var requestUri = "api/widgets/1";
using (var client = new HmacHttpClient(baseUri, credentials))
    var widget = client.Get<Widget>(requestUri).Result;
    // do something with widget ID 1...


Version 2.1.0 targeting ASP.NET Core 2.1


James Still


This project is licensed under the MIT License.


NuGet packages

This package is not used by any NuGet packages.

GitHub repositories

This package is not used by any popular GitHub repositories.

Version Downloads Last updated
3.0.0 80 5/8/2021
2.1.0 1,936 12/8/2018
1.0.0 434 12/3/2018

Now targets .NET 5.0. Also timestamp now uses ISO 8601 sortable format specifier "s" instead of round-trip "o" in order to faciliate API testing with javascript.