AWS Signature Version 4 signing, pared down to what R2 needs. Header-based authorization (not presigned query strings), SHA-256 payload hashing, path-style URLs. No chunked/streaming signature. The crypto is all JDK-native (`java.security`, `javax.crypto`), so this carries no dependency. `sign` is pure — timestamps are passed in rather than read from the clock — which lets it be checked against AWS's published test vectors.
(canonical-query-string query)
Canonical (sorted, encoded) query string for `query` (a map). Empty for an empty map. Matches the order used when building the real request URL.
(presigned-url {:keys [method endpoint host path query expires region service
access-key-id secret-access-key amz-date date]})
Build a presigned URL using SigV4 query-string authentication. The auth parameters travel in the query string and only the `host` header is signed, so the resulting URL works with a bare GET (download) or PUT (upload) and no extra headers. `:expires` is the validity window in seconds. Required keys: :method :endpoint :host :path :query :expires :region :service :access-key-id :secret-access-key :amz-date :date (see `sign`). Returns the full URL string.
(sha256-hex data)
Lowercase hex SHA-256 of `data` (a byte[]) — i.e. an `x-amz-content-sha256` value.
(sign {:keys [method host path query headers payload-hash region service
access-key-id secret-access-key amz-date date]})
Compute SigV4 and return the headers to send. The result is `headers` plus
`x-amz-date`, `x-amz-content-sha256`, and the `Authorization` header.
Required keys:
:method HTTP method, e.g. "PUT"
:host request host (signed; the http client sends it itself)
:path path-style path, unencoded, e.g. "/bucket/key"
:query map of query params (may be empty)
:headers extra request headers to sign (string->string)
:payload-hash hex SHA-256 of the body (see `sha256-hex`)
:region :service SigV4 scope (service is "s3" for R2)
:access-key-id :secret-access-key
:amz-date :date timestamps ("yyyyMMdd'T'HHmmss'Z'" and "yyyyMMdd")
`host`, `x-amz-date`, and `x-amz-content-sha256` are always signed; every
header in `:headers` is signed too, so callers needn't worry about which
`x-amz-*` headers S3 requires in the signature.
(uri-encode s encode-slash?)
Percent-encode `s` per the AWS canonicalization rules: every byte outside the unreserved set is `%`-escaped with uppercase hex. With `encode-slash?` false, `/` is left intact (used for the request path); query components encode it.
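The namespace description says `sign` is pure so that it can be checked against AWS's published test vectors. The following is an added, stand-alone sketch of that check, not the library's source: the `sigv4-example` namespace and the `signature` function are this example's own names, and `uri-encode` and `canonical-query-string` are re-implemented here from the descriptions above. The input is the `get-vanilla` case from AWS's SigV4 test suite, which signs only `host` and `x-amz-date`.

```clojure
(ns sigv4-example ; hypothetical namespace; every definition below is the example's own
  (:require [clojure.string :as str])
  (:import (java.security MessageDigest) (javax.crypto Mac)
           (javax.crypto.spec SecretKeySpec)))

(defn- utf8 ^bytes [^String s] (.getBytes s "UTF-8"))
(defn- hex [^bytes bs] (apply str (map #(format "%02x" %) bs)))
(defn- sha256-hex [^bytes bs] (hex (.digest (MessageDigest/getInstance "SHA-256") bs)))
(defn- hmac ^bytes [^bytes k ^String msg]
  (.doFinal (doto (Mac/getInstance "HmacSHA256")
              (.init (SecretKeySpec. k "HmacSHA256")))
            (utf8 msg)))

(defn uri-encode [s encode-slash?] ; %XX with uppercase hex, one escape per UTF-8 byte
  (apply str
         (for [b (utf8 s) :let [u (bit-and b 0xff), c (char u)]]
           (if (or (re-matches #"[A-Za-z0-9_.~-]" (str c))
                   (and (= c \/) (not encode-slash?)))
             c
             (format "%%%02X" u)))))

(defn canonical-query-string [query] ; encode names and values first, then sort
  (->> query
       (map (fn [[k v]] [(uri-encode (name k) true) (uri-encode (str v) true)]))
       sort
       (map (fn [[k v]] (str k "=" v)))
       (str/join "&")))

(defn signature
  [{:keys [method path query headers payload-hash region service
           secret-access-key amz-date date]}]
  (let [hs    (sort (map (fn [[k v]] [(str/lower-case k) (str/trim v)]) headers))
        creq  (str/join "\n" [method (uri-encode path false)
                              (canonical-query-string query)
                              (apply str (map (fn [[k v]] (str k ":" v "\n")) hs))
                              (str/join ";" (map first hs))
                              payload-hash])
        scope [date region service "aws4_request"]
        sts   (str/join "\n" ["AWS4-HMAC-SHA256" amz-date (str/join "/" scope)
                              (sha256-hex (utf8 creq))])]
    ;; signing key: HMAC chain over date, region, service, "aws4_request"
    (hex (hmac (reduce hmac (utf8 (str "AWS4" secret-access-key)) scope) sts))))

;; get-vanilla case from AWS's published SigV4 test suite (AWS's example credentials)
(def get-vanilla
  {:method "GET" :path "/" :query {} :payload-hash (sha256-hex (utf8 ""))
   :headers {"Host" "example.amazonaws.com" "X-Amz-Date" "20150830T123600Z"}
   :region "us-east-1" :service "service" :amz-date "20150830T123600Z" :date "20150830"
   :secret-access-key "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"})
(assert (= "5fa00fa31553b73ebf1942676e86291e8372ff2a2260956d9b8aae1d763fbf31"
           (signature get-vanilla)))
```

Because the timestamps and key are inputs, the same map always yields the same signature, which is what makes a fixed-vector regression check like this possible.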