# Signed Requests

> Generate signed requests for secure communication with ScreenshotMAX API

For additional security, you can authenticate GET requests using a **signed querystring**. This method ensures that the request has not been tampered with and comes from a trusted source.

<Warning>Signed requests are only supported for **GET requests.**</Warning>

## What is a Signed Request?

A signed request uses your **secret key** to compute an HMAC-SHA256 of the querystring. The resulting hex digest is then included in the request as the `signature` parameter.
When our servers receive the request, they verify the signature using the same secret key.

## Your Secret Key

* Your `secret_key` is **unique to your account**.
* It is **only visible in your dashboard**.
* **Never share your secret key publicly**.
* You can **rotate your secret key** at any time via the dashboard.

<Warning>If your secret key is exposed or compromised, rotate it immediately.</Warning>

## Enforce Signed GET Requests

From your dashboard, you can enforce signature validation for all GET requests by enabling the option:
**“Accept only signed requests”**

Once enabled:

* Any unsigned GET request will be rejected.
* This setting does **not** affect POST or other non-GET requests.
* You can toggle this option from the Access Control Management section in your [dashboard](https://app.screenshotmax.com/access).

## How to Sign a Request

### 1. Start with your full querystring (everything after the ?)

Example of querystring:

```
url=https://example.com&access_key=YOUR_ACCESS_KEY
```

### 2. Do not include the signature parameter (yet)!

### 3. Compute the SHA-256 HMAC of the querystring using your `secret_key`

Node.js Example

```js
const crypto = require("crypto");

const queryString = "url=https://example.com&access_key=YOUR_ACCESS_KEY";
const secretKey = "YOUR_SECRET_KEY";

const signature = crypto
  .createHmac("sha256", secretKey)
  .update(queryString)
  .digest("hex");

console.log(signature);
```

Python Example

```python
import hmac
import hashlib

query_string = "url=https://example.com&access_key=YOUR_ACCESS_KEY"
secret_key = b"YOUR_SECRET_KEY"  # must be bytes

signature = hmac.new(secret_key, query_string.encode("utf-8"), hashlib.sha256).hexdigest()

print(signature)
```

### 4. Add the signature parameter to your final querystring

```
?url=https://example.com&access_key=YOUR_ACCESS_KEY&signature=computed_signature
```

## Rotating the Secret Key

Just like the `access_key`, you can rotate your `secret_key` from your dashboard.
After rotation:

* A new secret key will be generated.
* The old one will become invalid.
* Make sure to update all your signing logic with the new key.

Example (Full URL)

```
GET https://api.screenshotmax.com/v1/screenshot
?url=https://example.com
&access_key=YOUR_ACCESS_KEY
&signature=2f3a5c9d...
```

<Warning>
  #### Important Notes

  * The **order** of query parameters must be **preserved** exactly when generating the signature.
  * **Do not include the signature parameter itself** in the string you sign.
  * Only use this method for **GET** requests. It is not supported for POST or other methods.
</Warning>

## Test Your Signature

We recommend verifying your implementation in a development environment before going live.
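One way to exercise your signing logic locally before going live, as an added example (not ScreenshotMAX's own code). The function names and sample values are hypothetical, and the verifier assumes the server recomputes the HMAC over the raw querystring that precedes a trailing `&signature=` parameter, as in step 4.

```python
import hashlib
import hmac

SIG_PARAM = "signature"


def sign_query(query_string: str, secret_key: bytes) -> str:
    """Return query_string with &signature=<hex HMAC-SHA256> appended."""
    names = [pair.split("=", 1)[0] for pair in query_string.split("&")]
    if SIG_PARAM in names:
        # Step 2: the signature must not be part of the string being signed.
        raise ValueError("querystring already contains a signature parameter")
    digest = hmac.new(secret_key, query_string.encode("utf-8"), hashlib.sha256)
    return f"{query_string}&{SIG_PARAM}={digest.hexdigest()}"


def verify_signed_query(signed_query: str, secret_key: bytes) -> bool:
    """Local stand-in for the server-side check (assumed behaviour)."""
    # Assumption: the signature is the last parameter, as in step 4.
    base, sep, received = signed_query.rpartition(f"&{SIG_PARAM}=")
    if not sep or not received:
        return False  # unsigned request
    expected = hmac.new(secret_key, base.encode("utf-8"), hashlib.sha256).hexdigest()
    # Constant-time comparison: do not leak how many leading characters matched.
    return hmac.compare_digest(expected.encode("ascii"), received.encode("utf-8"))


def self_test() -> dict:
    """Run the checks on constructed sample values and return the outcomes."""
    key = b"constructed-test-secret"  # constructed, not a real key
    qs = "url=https://example.com&access_key=TEST_ACCESS_KEY"  # constructed
    signed = sign_query(qs, key)
    sig = signed.rpartition("=")[2]
    reordered = "access_key=TEST_ACCESS_KEY&url=https://example.com"
    return {
        "valid": verify_signed_query(signed, key),
        "tampered_url": verify_signed_query(
            signed.replace("example.com", "example.org"), key),
        "reordered": verify_signed_query(f"{reordered}&{SIG_PARAM}={sig}", key),
        "rotated_key": verify_signed_query(signed, b"constructed-new-secret"),
        "unsigned": verify_signed_query(qs, key),
    }


if __name__ == "__main__":
    for name, ok in self_test().items():
        print(f"{name}: {'accepted' if ok else 'rejected'}")
```

Only the `valid` case should be accepted; the reordered and rotated-key cases show why parameter order must be preserved and why signing code must be updated after a key rotation.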

## Why Use Signed Requests?

Signed requests add an extra layer of protection, ensuring:

* The request hasn’t been modified in transit.
* The request originates from a trusted client with access to the secret key.
* You can optionally enforce this behavior for all GET calls to your API.

Need help? Contact us at [support@screenshotmax.com](mailto:support@screenshotmax.com)
