Customize Signature Methods

The AuthorizationServer and ResourceProtector only support HMAC-SHA1 signature method by default. There are three signature methods built-in, which can be enabled with the configuration:


It is also possible to extend the signature methods. For example, you want to create a HMAC-SHA256 signature method:

import hmac
from authlib.common.encoding import to_bytes
from authlib.specs.rfc5849 import signature

def verify_hmac_sha256(request):
    text = signature.generate_signature_base_string(request)

    key = escape(request.client_secret or '')
    key += '&'
    key += escape(request.token_secret or '')

    sig =, to_bytes(text), hashlib.sha256)
    return binascii.b2a_base64(sig.digest())[:-1]

    'HMAC-SHA256', verify_hmac_sha256
    'HMAC-SHA256', verify_hmac_sha256

Then add this method into SUPPORTED_SIGNATURE_METHODS:


With this configuration, your server will support HMAC-SHA256 signature method only. If you want to support more methods, add them to the list.