> ## Documentation Index
> Fetch the complete documentation index at: https://docs.keyport.sbs/llms.txt
> Use this file to discover all available pages before exploring further.

# Signed Validation

> Verify the integrity of validate responses with HMAC signatures.

Signed validation adds an HMAC signature to validate responses, letting you verify that the payload has not been modified after it left KeyPort.

## Requirements

Signed validation is an Enterprise feature. Both of the following must be true for a signature to be generated:

* Signed validation is enabled on your **product**
* Signed validation is enabled on your **organization**

If either side is off, the `signature` field returns `null`.

## The `signature` field

<ResponseField name="signature" type="string | null">
  An HMAC digest of the validate response payload. Returns `null` if signed validation is not enabled on both the product and organization.
</ResponseField>

```json theme={"theme":{"light":"github-light","dark":"github-dark"}}
{
  "valid": true,
  "license_key": "YOUR_LICENSE_KEY",
  "signature": "hex_hmac_digest"
}
```

## Verifying the signature

Use your signing secret from the KeyPort dashboard to verify the signature in your application. The example below shows how to verify in Node.js:

```typescript theme={"theme":{"light":"github-light","dark":"github-dark"}}
import crypto from "crypto";

function verifySignature(
  payload: object,
  receivedSignature: string,
  secret: string
): boolean {
  // Serialize the payload the same way KeyPort does
  const data = JSON.stringify(payload);

  const expectedSignature = crypto
    .createHmac("sha256", secret)
    .update(data)
    .digest("hex");

  // Use a timing-safe comparison to prevent timing attacks
  return crypto.timingSafeEqual(
    Buffer.from(receivedSignature, "hex"),
    Buffer.from(expectedSignature, "hex")
  );
}
```

<Warning>
  Always use a timing-safe comparison (like `crypto.timingSafeEqual`) when comparing signatures. A standard string equality check is vulnerable to timing attacks.
</Warning>

## When to use signed validation

Use signed validation when your application processes the validate response outside a trusted server environment — for example, when a response is passed through a client or stored temporarily. The signature lets you confirm the payload is exactly what KeyPort returned.
