Hawk(ish) Bewit — Signed Links

A loose implementation of Hawk Bewit in Kotlin multi-platform, supporting JVM, Android, iOS, and JavaScript.

While Hawk never gained wide traction as an HTTP authentication scheme, we still find common need for an S3-style URI authorization scheme, in which a URI can be:

1. signed to validate that it has not been tampered with, and

2. set to expire.

Hawk bewits serve this purpose well, without re-inventing the wheel.

However, this is a single-purpose library inspired by Hawk, not a full hawk-compatible implementation. Bewits generated by this library are not compatible with bewits generated by other Hawk-compatible libraries:

• we do not implement the header-mode and the dlg, app and ext attributes

• we do validate the URL scheme to protect against protocol downgrade attacks

• the hawk version is set to 1a, not 1 to indicate incompatibility with Hawk

Use Cases

1. Sign resource links, like images, for temporary access from locations that do not support the underlying site auth protocol e.g. clipboards and external applications.

2. Sign links sent to users out of band e.g. emails.

3. Sign links sent to 3rd parties to easily access some resource for a limited time.

4. etc.

Java Compatibility

Java code should be able to use this implementation as well, but that has not been well tested. PRs to improve Java compatibility will be accepted.