Signing HTTP requests

Signing API requests with the private key

The Authorization header is a JWS (signed JWT) that includes few standard claims, plus the digest computed as described above. Below there is a complete example in Python with the relevant comments. Once you compute the JWS, just add it to every request as an Authorization header:

curl -d '{"key1":"value1", "key2":"value2"}' -H "Authorization: Bearer eyJ0e...cYjeaRcw"

For some programming languages, Google provides libraries/wrappers for signing payloads, but this may be achieved in any programming language using standard libraries.

import time

import google.auth.crypt
import google.auth.jwt
import hashlib
import json
import base64

def generate_jwt():
    now = int(time.time())

    payload = {
        "client_id": "51e2389....02d51",
        "client_app_key": "MDAxNmxvY2F0aWMz...D9rgv7_DySaiYgo", 
        "skill": "bt_ro_aisp_sbx_#2.0"
    # a compact stringified json without any whitespaces
    json_payload = json.dumps(payload, separators=(',', ':')).encode("utf-8")

    digest = hashlib.sha256(json_payload).digest()
    b64_digest = base64.b64encode(digest).decode("utf-8")

    # service account email: this is auto-generated by GCP when creating a service account

    # how long this JWS should be valid for.
    #   - each request will have its own JWS so this value should be small

    # build the payload for your signed Authorization header
    payload = {
        'iat': now,
        # expires after 'expiry_length' seconds.
        "exp": now + expiry_length,
        # iss (issuer) should match the service account's email address
        'iss': sa_email,
        # aud (audience) is alwasy ('')
        'aud':  '',
        # sub and email should match the service account's email address
        'sub': sa_email,
        'email': sa_email,
        # a Base64 encoded sha-256 hash of the request payload as described above
        'digest': b64_digest

    # the signing/private key is inside this json file downloaded when creating
    # a public/private key pair for a service account

    # sign with your service account keyfile
    signer = google.auth.crypt.RSASigner.from_service_account_file(sa_keyfile)
    jwt = google.auth.jwt.encode(signer, payload)

    return jwt

if __name__ == '__main__':
  jwt = generate_jwt()

Last updated