Community Python Snippet

Signed URL Generator With HMAC

The 60-line HMAC-signed URL helper I use for download links and webhook callbacks. Stdlib only, constant-time verification, expiry baked in, and no S3 dependency to debug at 2 a.m.

Signed URL Generator With HMAC

The 60-line HMAC-signed URL helper I use for download links and webhook callbacks. Stdlib only, constant-time verification, expiry baked in, and no S3 dependency to debug at 2 a.m.

Python
Compiler
3 snippets
presigned-urls
security
hashing
utility
samirakumar

By @samirakumar

December 15, 2025

·

Updated May 18, 2026

604 views

8

4.5 (9)

The whole signed-URL pattern reduces to two ideas: pick an expires timestamp, then HMAC the canonical string path?expires=<ts>. I use urlsafe_b64encode and strip the trailing = padding so the signature drops cleanly into a query parameter without re-escaping. The secret is 32 random bytes generated once and stored in your secrets manager; never derive it from a username, the URL, or anything an attacker can replay. Including expires in the signed string is non-negotiable because it is the only thing stopping someone who saw one URL from minting a permanent one.