How to use SHA-256 for API request signing

Compute the SHA-256 payload hash required by AWS SigV4 and similar APIs.

Many APIs, including AWS, Azure, and custom webhook systems, require you to include a SHA-256 hash of the request payload in the Authorization header or as a query parameter. Because the signature covers this hash, the server can detect a payload that was modified after signing. The first step is always computing a plain SHA-256 hex digest of the request body. This guide explains the hashing step and how to verify it before wiring up the full signing logic.

Step-by-step guide

  1. Prepare the canonical payload: Serialize your request body exactly as it will be sent — same JSON key order, same whitespace. Hashing a reformatted version of the payload will produce a different hash and cause authentication to fail.
  2. Compute the SHA-256 hex digest: Paste the serialized payload, select SHA-256 and hex encoding. The resulting 64-character hex string is the content hash required by most signing specifications.
  3. Include the hash in the request: For AWS SigV4, include it as the x-amz-content-sha256 header. For custom webhooks, check the API documentation — it is usually included in a Signature or X-Hub-Signature-256 header prefixed with 'sha256='.

Frequently asked questions

Should I use SHA-256 or HMAC-SHA256 for API auth?
The payload hash is plain SHA-256. The signature that proves authenticity is HMAC-SHA256 — it mixes a secret key into the computation. You typically compute SHA-256 of the payload first, then HMAC-SHA256 of a string that includes that hash.

What if the API expects an empty-body hash?
Hash an empty string. The SHA-256 of an empty string is always: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855.
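
The hashing step from the guide, the empty-body case, and the SHA-256-then-HMAC order described above, as an added Python example (not code from this page or from any API vendor). The string-to-sign layout, secret, path and payload are constructed for illustration; SigV4 and each webhook provider define their own format.

```python
import hashlib
import hmac
import json

# Value quoted in the FAQ above: SHA-256 of zero bytes.
EMPTY_BODY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def payload_hash(body: bytes) -> str:
    """Plain SHA-256 hex digest of the exact bytes that go on the wire."""
    return hashlib.sha256(body).hexdigest()


def sign(secret: bytes, method: str, path: str, body: bytes) -> str:
    """HMAC-SHA256 over a string that includes the payload hash.

    Assumption: METHOD, PATH and HASH joined by newlines is a made-up
    layout for this example, not the format of SigV4 or any real API.
    """
    string_to_sign = "\n".join([method, path, payload_hash(body)])
    return hmac.new(secret, string_to_sign.encode(), hashlib.sha256).hexdigest()


def verify(secret: bytes, method: str, path: str, body: bytes, signature: str) -> bool:
    """Receiver side: recompute from the received bytes, compare in constant time."""
    expected = sign(secret, method, path, body)
    return hmac.compare_digest(expected, signature)


# Constructed sample data (not from any real API).
SECRET = b"example-secret-not-a-real-key"
obj = {"user": "alice", "amount": 10}
sent_body = json.dumps(obj, separators=(",", ":")).encode()       # bytes actually sent
reformatted = json.dumps(obj, indent=2, sort_keys=True).encode()  # same data, new bytes

signature = sign(SECRET, "POST", "/v1/transfer", sent_body)

if __name__ == "__main__":
    print("payload hash:    ", payload_hash(sent_body))
    print("reformatted hash:", payload_hash(reformatted))
    print("empty body ok:   ", payload_hash(b"") == EMPTY_BODY_SHA256)
    print("verify sent:     ", verify(SECRET, "POST", "/v1/transfer", sent_body, signature))
    print("verify reformat: ", verify(SECRET, "POST", "/v1/transfer", reformatted, signature))
```

Hash and sign the same byte string that is handed to the HTTP client; serializing the object a second time for sending is how the reformatting mismatch from step 1 usually creeps in.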

Try it now

Use the Hash Generator to complete this task — free, no sign-up, runs in your browser.
