Signed validation adds an HMAC signature to validate responses, letting you verify that the payload has not been modified after it left KeyPort.
Requirements
Signed validation is an Enterprise feature. Both of the following must be true for a signature to be generated:
- Signed validation is enabled on your product
- Signed validation is enabled on your organization
If either side is off, the signature field returns null.
The signature field
An HMAC digest of the validate response payload. Returns null if signed validation is not enabled on both the product and organization.
{
"valid": true,
"license_key": "YOUR_LICENSE_KEY",
"signature": "hex_hmac_digest"
}
Verifying the signature
Use your signing secret from the KeyPort dashboard to verify the signature in your application. The example below shows how to verify in Node.js:
import crypto from "crypto";
function verifySignature(
payload: object,
receivedSignature: string,
secret: string
): boolean {
// Serialize the payload the same way KeyPort does
const data = JSON.stringify(payload);
const expectedSignature = crypto
.createHmac("sha256", secret)
.update(data)
.digest("hex");
// Use a timing-safe comparison to prevent timing attacks
return crypto.timingSafeEqual(
Buffer.from(receivedSignature, "hex"),
Buffer.from(expectedSignature, "hex")
);
}
Always use a timing-safe comparison (like crypto.timingSafeEqual) when comparing signatures. A standard string equality check is vulnerable to timing attacks.
When to use signed validation
Use signed validation when your application processes the validate response outside a trusted server environment — for example, when a response is passed through a client or stored temporarily. The signature lets you confirm the payload is exactly what KeyPort returned. 