by kichik 199 days ago
Not exactly the point of this article, but it would be cool if APIs like this could return the expected signed string for debugging. It would have to be properly limited for security. But if the API is expecting non-standard signatures, it could help developers with better debugging tools.
1 comments

Given that you can't infer the error from simply looking at the signature string, I don't see how having the expected string rather than a simple "OK" or "mismatched signature" (as you get now) would make a difference?
You can save the expected string to a file, save your string to a file, and run diff on a hexdump of both. Even without hexdump, you should see the difference between "\n" and "\\n" in properly escaped output.
But the returned signed string will be an HMAC-SHA256 hash, won't it? Then there's not going to be any '\n' or '\\n's in there. Only thing you'll be able to tell is if it matches your hash or not, in which case 'OK' or 'not OK' will work just as well.

Or am I misunderstanding you?

You are indeed misunderstanding me. I am talking about returning the entire string to be signed. Not the result of the signature.
Ah, my bad. Sorry.

But couldn't you then just make the call to an echo service (like HTTPbin) or simply dump the request when you send it?

The echo server will have no knowledge of how to construct the string to be signed.
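The mechanism the thread is arguing about, as an added example that is not code from the thread or from any API mentioned in it: a toy HMAC-SHA256 request-signing scheme whose server builds a canonical "string to sign" from the request, a client that gets that string subtly wrong (the literal two-character `\n` instead of a newline, and unsorted parameters), a debug helper that returns the server's expected string-to-sign the way the first comment proposes (limited here, as an assumption, to a sandbox debug token, and never returning the secret or the expected signature), and the hexdump-diff check from the second comment. All names (`canonical_string`, `debug_string_to_sign`, the secret and token values) are constructed for illustration.

```python
import difflib
import hashlib
import hmac

# Constructed credentials for the example; nothing here is a real key.
SECRET = b"constructed-shared-secret"
SANDBOX_DEBUG_TOKEN = "constructed-sandbox-debug-token"


def canonical_string(method, path, params, timestamp):
    """Server-side rule (assumed for this example):
    METHOD, PATH, sorted k=v&k2=v2 query, TIMESTAMP, joined by real newlines."""
    query = "&".join(f"{k}={v}" for k, v in sorted(params.items()))
    return "\n".join([method.upper(), path, query, str(timestamp)])


def sign(secret, string_to_sign):
    """HMAC-SHA256 over the string to sign, hex encoded."""
    return hmac.new(secret, string_to_sign.encode(), hashlib.sha256).hexdigest()


def verify(secret, method, path, params, timestamp, presented_sig):
    """What the API does today: rebuild the string, re-sign, constant-time compare.
    The caller only learns OK / not OK."""
    expected = sign(secret, canonical_string(method, path, params, timestamp))
    return hmac.compare_digest(expected, presented_sig)


def buggy_client_string(method, path, params, timestamp):
    """A client reimplementation with two common mistakes: it joins with the
    two-character sequence backslash-n instead of a newline, and it does not
    sort the parameters. The resulting HMAC reveals nothing about either."""
    query = "&".join(f"{k}={v}" for k, v in params.items())
    return "\\n".join([method, path, query, str(timestamp)])


def debug_string_to_sign(debug_token, method, path, params, timestamp):
    """The debug aid proposed in the thread: return the exact string the server
    would sign so the developer can diff it against their own.
    Limits (assumptions for this example): only answered for a sandbox debug
    token, and it never returns the secret or the expected signature, since
    handing out the expected signature would be a forgery oracle."""
    if not hmac.compare_digest(debug_token, SANDBOX_DEBUG_TOKEN):
        return None
    return canonical_string(method, path, params, timestamp)


def hexdump(s):
    """Classic offset / hex bytes / printable-ASCII dump, one line per 16 bytes."""
    b = s.encode()
    lines = []
    for i in range(0, len(b), 16):
        chunk = b[i:i + 16]
        printable = "".join(chr(c) if 32 <= c < 127 else "." for c in chunk)
        lines.append(f"{i:04x}: {chunk.hex(' '):<47}  {printable}")
    return lines


def diff_strings(expected, actual):
    """Unified diff of the two hexdumps; a 0a-vs-5c-6e difference shows up here
    even when the rendered strings look alike."""
    return list(difflib.unified_diff(hexdump(expected), hexdump(actual),
                                     "expected", "actual", lineterm=""))


if __name__ == "__main__":
    req = ("GET", "/v1/items", {"b": "2", "a": "1"}, 1700000000)
    client_str = buggy_client_string(*req)
    print("server accepts buggy client:", verify(SECRET, *req, sign(SECRET, client_str)))
    expected_str = debug_string_to_sign(SANDBOX_DEBUG_TOKEN, *req)
    print("\n".join(diff_strings(expected_str, client_str)))
```

Running the block shows the verifier rejecting the client's signature with no further detail, then the hexdump diff of the debug string against the client's: the `0a` bytes on the server side line up with `5c 6e` on the client side, and the query parameters appear in a different order, which is exactly the information a bare "mismatched signature" cannot convey and an echo service cannot produce.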