
Request signing for REST API


I am building a REST API that will receive requests like:

GET /api/entities
GET /api/entities?filter=X&sort=Y

This seems straightforward: have the client compute HMAC(path + query, key), send me a key identifier and the HMAC in a header or something, and then I do the same on the server to see if they match.

Here’s my concern:

POST /api/entities

{ "foo": "bar" }

If the client computes the HMAC on that path and query, theoretically that HMAC could be used to submit any body.

tl;dr How would one properly implement request signing for GET, POST, PUT requests that may or may not have a JSON body?
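One way to close the gap the question describes is to sign a canonical string that covers every part of the request the server acts on, including a hash of the exact body bytes, rather than just path and query. The following is an added example, not code from the original post; the header names (X-Key-Id, X-Timestamp, X-Signature), the canonical string layout, the KEYS store and the 300-second skew window are all assumptions made for this example:

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qsl, urlencode

# Constructed sample key store for the example: key identifier -> shared secret.
# A real deployment would load secrets from a vault or config, never a literal.
KEYS = {"client-1": b"0123456789abcdef0123456789abcdef"}


def canonical_request(method, path, query, body, timestamp, key_id):
    """Build the string that gets signed.

    It binds the method, the path, a canonicalised query string, a SHA-256
    of the exact body bytes (empty body hashes to a fixed value, so GETs are
    covered too), a timestamp for replay limiting, and the key id so a
    signature cannot be presented under a different identity.
    """
    # Sort parameters so client and server serialise the query identically
    # regardless of the order they were sent in.
    canon_query = urlencode(sorted(parse_qsl(query, keep_blank_values=True)))
    body_hash = hashlib.sha256(body or b"").hexdigest()
    return "\n".join([method.upper(), path, canon_query, body_hash,
                      str(timestamp), key_id])


def sign(method, path, query, body, key_id, secret, timestamp=None):
    """Client side: produce the headers to attach to the request."""
    ts = int(timestamp if timestamp is not None else time.time())
    msg = canonical_request(method, path, query, body, ts, key_id)
    sig = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()
    return {"X-Key-Id": key_id, "X-Timestamp": str(ts), "X-Signature": sig}


def verify(method, path, query, body, headers, now=None, max_skew=300):
    """Server side: recompute the signature over what was actually received."""
    key_id = headers.get("X-Key-Id")
    secret = KEYS.get(key_id)
    if secret is None:
        return False
    try:
        ts = int(headers.get("X-Timestamp", ""))
    except ValueError:
        return False
    now = int(now if now is not None else time.time())
    if abs(now - ts) > max_skew:  # reject stale or far-future signatures
        return False
    msg = canonical_request(method, path, query, body, ts, key_id)
    expected = hmac.new(secret, msg.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so the check does not leak via timing.
    return hmac.compare_digest(expected, headers.get("X-Signature", ""))


def demo():
    """Replay the scenario from the question: sign a POST, then reuse the
    headers with a different body. Returns (original_ok, tampered_ok)."""
    ts = 1_700_000_000
    body = b'{"foo": "bar"}'
    hdrs = sign("POST", "/api/entities", "", body, "client-1",
                KEYS["client-1"], timestamp=ts)
    original_ok = verify("POST", "/api/entities", "", body, hdrs, now=ts)
    tampered_ok = verify("POST", "/api/entities", "", b'{"foo": "evil"}',
                         hdrs, now=ts)
    return original_ok, tampered_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```

The server must hash the body bytes exactly as received, before any JSON parsing or re-serialisation, otherwise whitespace or key-order differences will make valid signatures fail. The timestamp only bounds replay to the skew window; if a request must be accepted at most once, add a nonce and keep a short-lived server-side record of nonces already seen.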

