Signed Requests
Generate tamper-proof signed URLs so the capture endpoint can be called from the browser without exposing your API key.
Generate the signature server-side and send the signed URL to the client. The client never sees your API key.
How signing works
- Collect all capture parameters. Do not include `access_key` or `signature` itself.
- Sort them alphabetically by key.
- Encode as a standard query string: `key1=val1&key2=val2` (PHP `http_build_query` style, spaces become `+`).
- Compute HMAC-SHA256 of that string using your API key's signing secret (visible on the API Keys page) as the HMAC secret.
- Pass `access_key` and `signature=HEX_DIGEST` as additional query parameters.
Any parameter change invalidates the signature.
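The check these steps imply, as an added sketch that is not ScreenshotCore's own code: rebuild the signed string from a received URL, recompute the HMAC, and compare digests in constant time. The function names, the secret and the `demo-key` value are constructed for illustration, and the key ordering used is an assumption, since the page only says "alphabetically".

```javascript
// Added example: hypothetical verifier, not the service's own implementation.
// CommonJS require is used here; in an ES module, import from 'node:crypto'.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Steps 1-3: drop access_key/signature, sort by key, form-encode (space -> +).
// Plain code-unit ordering is an assumption; the page only says "alphabetically".
function canonicalQuery(params) {
  const entries = Object.entries(params)
    .filter(([key]) => key !== 'access_key' && key !== 'signature')
    .sort(([a], [b]) => (a < b ? -1 : a > b ? 1 : 0));
  return new URLSearchParams(entries).toString();
}

// Step 4: HMAC-SHA256 over the canonical string, hex-encoded.
function sign(params, signingSecret) {
  return createHmac('sha256', signingSecret).update(canonicalQuery(params)).digest('hex');
}

// Recompute the digest from what actually arrived and compare in constant time.
function verifySignedUrl(signedUrl, signingSecret) {
  const received = Object.fromEntries(new URL(signedUrl).searchParams);
  const supplied = Buffer.from(received.signature ?? '', 'hex');
  const expected = Buffer.from(sign(received, signingSecret), 'hex');
  // timingSafeEqual throws on unequal lengths, so reject those first.
  return supplied.length === expected.length && timingSafeEqual(supplied, expected);
}

// Constructed sample values, not real credentials.
const SECRET = 'constructed-signing-secret';
const params = { url: 'https://example.com/a b', format: 'png' };
const good = 'https://screenshotcore.com/api/v1/screenshot?' +
  `${canonicalQuery(params)}&access_key=demo-key&signature=${sign(params, SECRET)}`;
const tampered = good.replace('example.com', 'example.org');
const unsigned = good.replace(/&signature=.*/, '');

console.log(verifySignedUrl(good, SECRET));     // untouched URL
console.log(verifySignedUrl(tampered, SECRET)); // url parameter changed
console.log(verifySignedUrl(unsigned, SECRET)); // signature removed
```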
Parameters
| Name | Type | Required | Description |
|---|---|---|---|
| signature | string | required | HMAC-SHA256 hex digest of the sorted query string (computed server-side using your API key's signing secret, not the key itself). |
Code Examples
```js
import { createHmac } from 'node:crypto';

// Server-side only: never expose your signing secret in the browser
function signUrl(captureParams, accessKey, signingSecret) {
  // Sort params, do NOT include access_key or signature in the signed string
  const sorted = Object.entries(captureParams).sort(([a], [b]) => a.localeCompare(b));
  // URLSearchParams form-encodes values, so spaces become + as the signing steps
  // require (node:querystring's stringify emits %20 for spaces instead)
  const qs = new URLSearchParams(sorted).toString(); // e.g. "format=png&url=https%3A..."
  const signature = createHmac('sha256', signingSecret).update(qs).digest('hex');
  return `https://screenshotcore.com/api/v1/screenshot?${qs}&access_key=${accessKey}&signature=${signature}`;
}

const url = signUrl(
  { url: 'https://example.com', format: 'png' },
  'YOUR_API_KEY',
  'YOUR_SIGNING_SECRET', // visible on the API Keys page
);
console.log(url); // safe to embed in HTML or send to the browser
```
Response
(Raw PNG bytes, Content-Type: image/png)