oauth2-proxy/docs/versioned_docs/version-6.1.x/features/request_signatures.md

id	title
request_signatures	Request Signatures

If signature_key is defined, proxied requests will be signed with the GAP-Signature header, which is a Hash-based Message Authentication Code (HMAC) of selected request information and the request body see SIGNATURE_HEADERS in oauthproxy.go.

signature_key must be of the form algorithm:secretkey, (ie: signature_key = "sha1:secret0")

For more information about HMAC request signature validation, read the following:

• Amazon Web Services: Signing and Authenticating REST Requests
• rc3.org: Using HMAC to authenticate Web service requests