How to implement HMAC Authentication in a RESTful WCF API

Retrieving the user key is just an implementation detail you can do any way you like but on the server it is often stored in a database along with the user name.

The basic approach is real simple.

  1. Somehow the server and the client exchange a shared key for the user to use. This can be done any way you like, including sending an old fashioned dead tree style letter. Quite often this is just the password the user entered.
  2. When the client wants to send a request he builds the complete request and then using the secret key computes a hash over the complete message body (and optionally some of the message headers if required)
  3. Next the client add the computed hash and his username to the message in one of the headers and sends it to the service.
  4. The service retrieves the username from the message header and searches the private keu for that user in its own database.
  5. Next he computes the hash over the message body (and selected headers) using the key to generate its hash.
  6. If the hash the client sends matches the hash the server computes the server knows the message was send by the real client and was not altered in any way.

Really the only tricky part is sharing a secret key with the user and keeping that secure. That is why some services allow for generation of shared keys with a limited life time so you can give the key to a third party to temporarily work on your behalf.

Implementation for HMAC we can find at