Hawk is an HTTP authentication scheme using a message authentication code (MAC) algorithm to provide partial HTTP request cryptographic verification.

For more complex use cases such as access delegation, see Oz.

Current version: 5.x

Note: 5.x, 4.x, 3.x, and 2.x are the exact same protocol as 1.1. The version increments reflect changes in the node API.

Hawk provides mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload.

Similar to the HTTP Digest access authentication scheme, Hawk uses a set of client credentials which include an identifier (e.g. a username) and a key (e.g. a password). Likewise, just as with Digest, the key is never included in authenticated requests. Instead, it is used to calculate a request MAC value which is included in its place.

However, Hawk differs from Digest in several ways. In particular, while both use a nonce to limit the possibility of replay attacks, in Hawk the client generates the nonce and uses it in combination with a timestamp, leading to less "chattiness" (interaction with the server).

Also unlike Digest, this scheme is not intended to protect the key itself (the password in Digest), because the client and server must both have access to the key material in the clear.

The client nonce and the timestamp are both covered by the request MAC, so they cannot be altered without invalidating it. This gives the server enough information to prevent replay attacks.

The nonce is generated by the client, and is a string unique across all requests with the same timestamp and key identifier combination.

The timestamp enables the server to restrict the validity period of the credentials: requests arriving outside the allowed time window are rejected. It also means the server only has to remember nonces seen within that window rather than an unbounded number of them.

The Hawk scheme requires the establishment of a shared symmetric key between the client and the server, which is beyond the scope of this module.

Typically, the shared credentials are established via an initial TLS-protected phase or derived from some other shared confidential information available to both the client and the server.


