Skip to main content

Flask HMAC generator, checker, and route decorator

Project description

This module provides three functions to authenticate calls to a Flask route. The intended use case is for use with REST APIs. This module is not intended to do any kind of login or session management, it is simply designed to check that a client is entitled to access a particular route in a Flask application, based on the fact that it must possess a copy of the shared/secret key.


Usage consists of a server decorator or calling the render_hmac function, and a client (or function in the server application) passing a base64 encoded HMAC.

Server/Application Usage

To use this module in your application, add an ‘HMAC_KEY’ to your application’s config object. For example:

HMAC_KEY = 2a21c5b3bff0299c0161470468f355e5b4afcf17a5f593ab68394e

The three provided methods are:

  1. check_wrapper() decorator function, which wraps a route with a call to:

2. compare_hmacs() function, which compares a client supplied token with a server generated token. If the two match, return the decorated function. If not, return a 403 response.

  1. render_hmac() function, which, you guessed it, generates an hmac.

To use this module, instantiate it like this:

from flask_hmac import Hmac
app = Flask(__name__)
hm = Hmac(app)

Now you can decorate a route with the @hm.check_hmac decorator like so:

@app.route('/path/to/api/endpoint', METHODS = ['PUT', 'POST'])

Lastly, you can temporarily disable the check_hmac validation with a config value. Make a variable HMAC_DISARM = True in your app.config object. This setting is useful for testing as it allows you to leave all decorator calls in place for routes/blueprints.

Client usage

To pass an HMAC from your client, send a base64 url safe encoded header of the HMAC like this:

"HMAC: UKW-EaC9diBPuRTgwaUprw4pf4h1nTJyClCT48dbhQo"

Ensure that any trailing = characters are stripped and you should be all set.


1. Allow using any kind of rendered HMAC like hexdigest instead of only base64 url safe.

2. Create self.status_code and self.message variables for use on __init__ to allow custom responses on HMAC comparison failure.

Project details

Release history Release notifications

History Node


This version
History Node


History Node


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Filename, size & hash SHA256 hash help File type Python version Upload date
Flask-HMAC-0.1.2.tar.gz (3.9 kB) Copy SHA256 hash SHA256 Source None Jun 19, 2014

Supported by

Elastic Elastic Search Pingdom Pingdom Monitoring Google Google BigQuery Sentry Sentry Error logging CloudAMQP CloudAMQP RabbitMQ AWS AWS Cloud computing Fastly Fastly CDN DigiCert DigiCert EV certificate StatusPage StatusPage Status page