Does the API store signed URLs?

No. It is fully stateless; secrets and payloads are not persisted.

What algorithms are supported?

HMAC-SHA256 by default; HMAC-SHA512 via the algorithm field. See RapidAPI docs for details.

What are POST /sign and POST /verify?

POST /sign returns a signed_url with embedded constraints. POST /verify validates a signed URL against secret, method, client IP, headers, and payload size.

Where are pricing and quotas defined?

On RapidAPI: Basic is free with 100 requests per month; Pro is 9.99 dollars per month with 10000 requests; Ultra is 49.99 dollars per month with 100000 requests; Mega is 99.99 dollars per month with 250000 requests. Overage pricing is on the live listing.

Presign and Verify URLs With HMAC—No Sessions, No Storage

POST /sign turns a base URL plus constraints into a tamper-proof signed URL (expiry, HTTP method, IP allowlist, headers, max payload). POST /verify checks a client request against the same secret—ideal for downloads, uploads, callbacks, and CDN gates. HMAC-SHA256 (default) or SHA512. Fully stateless.

Try URL Signature Presigner on RapidAPI Basic on RapidAPI: 100 requests/month free (see live listing for current quotas)

Skip bespoke HMAC and canonicalization bugs. One service handles deterministic URL canonicalization, clock-skew-aware expiry, and structured verification diagnostics—so your edge workers and gateways stay thin.

Endpoints

Same RapidAPI host for both; send JSON with Content-Type: application/json.

`POST /sign`

Returns signed_url (and metadata). Requires url, secret, and either expiration or expires_in_seconds.

`POST /verify`

Validates signedUrl with secret and optional method, clientIp, headers, payloadSize. Returns valid and per-check detail.

Use cases

Time-limited downloads — share a file link that expires automatically.
Direct uploads — constrain method, size, and window without exposing long-lived credentials.
Webhooks & callbacks — issue URLs valid only for a method and time range.
CDN / edge gates — verify at the edge without a database lookup.

Why not roll your own signer?

Canonical URL and query ordering mistakes break signatures silently
Clock skew and replay windows are easy to get wrong
Constraint encoding must stay in lockstep between sign and verify

This API keeps sign and verify behavior aligned and returns explicit check results on verification failures.

Who it helps

Backend and platform engineers standardizing temporary access
Teams using Cloudflare Workers, Lambda@Edge, or API gateways
SaaS products exposing one-off or short-lived resource links

Questions or feature requests? Use RapidAPI discussions for this listing.

Request, response & errors

Host: url-signature-presigner-api.p.rapidapi.com — headers x-rapidapi-key, x-rapidapi-host.

Sign request fields · Sign response · Verify request · Error codes

Field	Type	Description
`url`	string	Required. Base URL to sign (`http`/`https`).
`secret`	string	Required. Signing secret (never returned).
`expiration`	number / string	Unix time or ISO 8601 (use this or TTL, not both).
`expires_in_seconds`	number	Relative TTL from now.
`method`	string / array	Allowed HTTP method(s).
`allowedIps`	string / array	IPs or CIDRs.
`requiredHeaders`	object	Header names and values to enforce.
`maxPayloadSize`	number	Max body size in bytes.
`metadata`	object	Opaque signed metadata.
`clockSkewTolerance`	number	Seconds (default often 300).
`algorithm`	string	`sha256` (default) or `sha512`.

Field	Type	Description
`signed_url`	string	URL with signature query parameters.
`expires_at`	number	Expiry Unix timestamp.
`signatureVersion`	string	e.g. `v1-sha256`.
`canonicalHash`	string	Debug hash of canonical input.
`constraintSummary`	object	Summary of embedded constraints.

Field	Type	Description
`signedUrl`	string	Required.
`secret`	string	Required.
`method`	string	Actual method used.
`clientIp`	string	Client IP for IP rules.
`headers`	object	Request headers for header rules.
`payloadSize`	number	Body size in bytes.
`verificationTime`	number	Optional time override (testing).

Code	Endpoint	HTTP	Description
`MISSING_URL`	/sign	400	`url` missing or empty
`MISSING_EXPIRATION`	/sign	400	Neither expiration nor TTL
`MISSING_SECRET`	both	400	`secret` required
`INVALID_TTL`	/sign	400	Invalid `expires_in_seconds`
`INVALID_URL`	both	400	Malformed URL
`UNSUPPORTED_SCHEME`	/sign	400	Not http/https
`MISSING_SIGNED_URL`	/verify	400	`signedUrl` missing
`SIGNING_ERROR`	/sign	400	Signing failed
`VERIFICATION_ERROR`	/verify	400	Verification failed

Playground

Pick a sample (or edit JSON), add your RapidAPI key. For verify, paste a real signed_url from a sign response first.

RapidAPI Key (required)

Sample

Request URL:

Request body (JSON)

Open listing on RapidAPI for full schemas and quotas.

Get code

Snippets use the playground JSON and path. Choose a language, Refresh code after edits.

Secrets are never echoed in successful sign responses; treat RapidAPI traffic as sensitive in logs.

Pricing & tiers (RapidAPI)

Illustrative tiers—confirm quotas and overage on the live listing.

Basic

$0/mo

100/month included

Pro

$9.99/mo

10,000/month included

Recommended

Ultra

$49.99/mo

100,000/month included

Mega

$99.99/mo

250,000/month included

If RapidAPI changes plans, the listing is authoritative.

What to expect

JSON bodies for both routes. 400 with structured errors for invalid input; 200 with signed_url or verification payload on success. See the README and RapidAPI reference for every field.

About

Also known as

Signed URL API, URL presigner, secure temporary link generator.

The URL Signature Presigner API packages HMAC signing and verification with deterministic canonicalization—so teams can issue and check presigned URLs without maintaining crypto plumbing in every service.

Frequently asked questions

No. Processing is stateless; secrets are not logged or returned in responses.
Default is HMAC-SHA256. Set algorithm to sha512 when you need SHA-512; the version marker in the URL reflects the choice.
Use expiration for an absolute time (Unix or ISO). Use expires_in_seconds for a TTL from “now” at sign time. Provide one, not both.
Not with stateless presigning alone—short TTLs and tight constraints limit exposure. Long-lived revocation needs your own allowlist outside this API.
On RapidAPI. This page shows indicative tiers (Basic through Mega); always confirm on the live listing.

Browse all APIs in the catalog →