AWS Signature Version 4 Request Signer and Explainer - Visualize SigV4 Signing Step by Step

First Published:
Last Updated:

Compute an AWS Signature Version 4 (SigV4) signature and watch every stage of the signing process - canonical request, string to sign, signing key derivation, signature, and the final Authorization header - entirely in your browser.

All processing is performed entirely in your browser using client-side JavaScript. No data is transmitted to any server. Your access keys never leave your device, are not stored, and the signed request is never sent.

  • This tool is provided "AS IS" without any warranties of any kind.
  • Do not paste production secret access keys. Use temporary or dummy credentials.
  • Your access keys are processed locally only - they are never transmitted and never saved to storage.
  • This tool computes a signature for learning and debugging. It does not send the signed request to AWS.
  • By using this tool, you accept full responsibility for any outcomes.

This tool uses client-side JavaScript for all processing. No data is transmitted to servers, no files are uploaded online, all processing happens locally in your browser. Once loaded, this tool continues to work even without an internet connection. For more details, please refer to our Web Tools Disclaimer.

Examples

Load a preset request signed with AWS public dummy credentials. The signature is computed automatically. The S3 GET Object preset reproduces the signature from the official AWS worked example.

Request Details

Format: YYYYMMDDTHHMMSSZ, for example 20130524T000000Z.
The host header is taken from the URL automatically. Include any query parameters after the question mark.
For example us-east-1, ap-northeast-1.
For example s3, ec2, execute-api, dynamodb.
Never paste a production secret key. This field is processed locally only.
When set, x-amz-security-token is added to the signed headers.
Include x-amz-content-sha256 (required for S3)
host and x-amz-date are added automatically. Add content-type and any x-amz-* headers you want to sign here.
Leave empty for GET or HEAD requests. The SHA-256 hash of an empty body is used automatically.

Signing Steps

1Canonical Request

Method, canonical URI, canonical query string, canonical headers, signed headers, and the hashed payload - joined by newline characters.


    

2Hash of the Canonical Request

Lowercase hexadecimal SHA-256 digest of the canonical request.


    

3String to Sign

Algorithm (AWS4-HMAC-SHA256), the request timestamp, the credential scope (date/region/service/aws4_request), and the canonical request hash.


    

4Signing Key Derivation

A chain of HMAC-SHA256 operations seeded with "AWS4" + your secret key, then scoped by date, Region, service, and the aws4_request terminator.


    

5Signature

HMAC-SHA256 of the string to sign using the derived signing key, in lowercase hexadecimal.


    

6Authorization Header

The completed Authorization header value to send with the request.


    

Signed Request Headers

The exact set of headers that were included in the signature. Send these together with the Authorization header above.


    

curl Command (not sent)

A ready-to-copy curl command. This tool does not run it - copy it and run it yourself if you choose to.


    

Features

  • Step-by-step explainer: See the canonical request, its hash, the string to sign, the signing key chain (kDate, kRegion, kService, kSigning), the signature, and the Authorization header - each in its own copyable box.
  • Faithful to the official process: Implements AWS Signature Version 4 exactly as documented in the AWS IAM User Guide, including canonical URI and query encoding, header normalization, and credential scope.
  • Validated against the official example: The S3 GET Object preset reproduces the signature published in the AWS worked example.
  • Examples included: S3 GET Object, EC2 DescribeInstances (query string), and an API request with a JSON body - all using AWS public dummy credentials.
  • Temporary credentials supported: Add a session token to sign with x-amz-security-token, or use UNSIGNED-PAYLOAD for S3.
  • Fully client-side: Uses the self-hosted CryptoJS library for SHA-256 and HMAC-SHA256. No network calls, no data sent, nothing stored.
  • Accessible UI: Labelled form controls, 44px minimum touch targets, and WCAG AA contrast.

How to Use

  1. (Optional) Click an Example to load a preset request, or fill in the fields yourself.
  2. Choose the HTTP method, enter the full Request URL (including any query string), the Region, and the service code.
  3. Set the Timestamp (or click Now (UTC)) and enter an Access Key ID and Secret Access Key - use dummy or temporary credentials only.
  4. Add any Additional Headers and a Request Body if needed, and choose how the payload hash is computed.
  5. Click Compute Signature and read each signing stage in order. Use the Copy buttons to copy any stage, the Authorization header, the signed headers, or the curl command.

About This Tool

AWS Signature Version 4 (SigV4) is the process AWS uses to authenticate API requests. The caller derives a signing key from their secret access key and uses it to sign a canonical representation of the request; AWS recomputes the same signature on its side and rejects the request if the two do not match. This tool reproduces that process entirely in your browser so you can see exactly how a request is signed, without sending anything to AWS.

The signing flow is shown in six stages: (1) the Canonical Request normalizes the method, URI, query string, headers, signed-header list, and payload hash into a single string; (2) that string is hashed with SHA-256; (3) the String to Sign combines the algorithm, timestamp, and credential scope (date / Region / service / aws4_request) with that hash; (4) the signing key is derived through the HMAC chain kDate → kRegion → kService → kSigning; (5) the Signature is the HMAC-SHA256 of the String to Sign with that key; and (6) the Authorization header assembles the credential, signed-header list, and signature for the request. The tool also builds an equivalent curl command, which it never executes.

The algorithm follows the AWS IAM User Guide and was verified against AWS's published Amazon S3 GET Object worked example as of 2026-06-23: the tool reproduces the documented signature exactly. SigV4 details and service-specific behavior (for example, single vs. double URI encoding) can change over time - confirm against the current AWS documentation before relying on a signature for production debugging.

Frequently Asked Questions

What is the credential scope?
The credential scope is YYYYMMDD/region/service/aws4_request. It appears in the string to sign and is also used to derive the signing key, which restricts the resulting signature to a specific date, Region, and service. The Region and service codes must be lowercase.

Why does my signature differ from the one AWS computed?
The most common causes are: the timestamp does not match the x-amz-date header (or is outside the allowed clock skew); the set of signed headers differs; header values were not normalized (lowercased names, trimmed values, collapsed spaces, sorted); the payload hash does not match the body; or the Region or service code is not lowercase. Header and query ordering must be exactly as specified.

Is my secret access key sent anywhere?
No. The signature is computed entirely in your browser with the CryptoJS library. There are no network requests, and nothing is written to localStorage or cookies. Still, treat secret keys as sensitive and use temporary or dummy credentials with this tool.

What are UNSIGNED-PAYLOAD and x-amz-content-sha256?
Amazon S3 requires an x-amz-content-sha256 header that carries the SHA-256 hash of the payload (the hash of an empty string for requests with no body). For large or streaming uploads you can set the literal value UNSIGNED-PAYLOAD as both the hashed payload in the canonical request and the header value.

Does this tool support SigV4A (multi-Region)?
No. This tool implements SigV4 (AWS4-HMAC-SHA256). SigV4A uses AWS4-ECDSA-P256-SHA256 (ECDSA over the NIST P-256 curve) with an X-Amz-Region-Set header and a credential scope that omits the Region. AWS SDKs and the CLI switch to SigV4A automatically for Amazon S3 Multi-Region Access Points.

Related Tools

Related Articles

Important Notes

  • This tool computes AWS Signature Version 4 entirely in your browser for learning and debugging, following the official signing process as of 2026-06-23. Your access keys are never sent anywhere and are not stored. Do not paste production secret keys; use temporary or dummy credentials. This tool does not send the signed request.
  • This tool implements SigV4 (AWS4-HMAC-SHA256). SigV4A (AWS4-ECDSA-P256-SHA256) is out of scope.
  • The canonical URI path is URI-encoded once, which matches the AWS IAM reference and the Amazon S3 worked example. A few non-S3 services historically double-encode the path, so a signature for those services may differ.
  • When you send a real request, AWS rejects timestamps outside an allowed clock skew window. The date in the credential scope must match the date in x-amz-date.
  • Source of the signing process: AWS IAM User Guide, Create a signed AWS API request and Elements of an AWS API request signature (verified 2026-06-23).

Third-Party Libraries

CryptoJS v4.2.0
Copyright (c) 2009-2013 Jeff Mott
Copyright (c) 2013-2016 Evan Vosberg
Licensed under MIT License. Used for SHA-256 and HMAC-SHA256.
GitHub Repository


References:
Tech Blog with curated related content
Web Tools Collection

Written by Hidekazu Konishi