Signed Requests

Sign your API requests to safely embed screenshot URLs in public-facing pages without exposing your API key.

Why Sign Requests?

When you embed a screenshot URL in a public webpage, anyone can see your access key. They could reuse it to consume your quota. Signed requests solve this by requiring both your access key and secret key to generate valid URLs.

How It Works

  1. Construct your query string with all parameters
  2. Compute an HMAC-SHA256 hash using your secret key
  3. Append the signature to your URL

Signing Algorithm

Important: Do not sort the parameters. Send them in the same order you used to generate the signature.

Step 1: Build the Query String

access_key=YOUR_ACCESS_KEY&url=https://example.com&format=png

Step 2: Compute HMAC-SHA256

# Using OpenSSL
echo -n "access_key=YOUR_ACCESS_KEY&url=https://example.com&format=png" | openssl sha256 -hmac "YOUR_SECRET_KEY"

# Output: the hex digest follows the "(stdin)= " label, e.g. abc123def456...

Step 3: Append Signature

https://api.lambdashot.com/take?access_key=YOUR_ACCESS_KEY&url=https://example.com&format=png&signature=abc123def456...

Code Examples

JavaScript

// Run this on your server only: it needs the secret key.
async function signRequest(params, secretKey) {
  const queryString = new URLSearchParams(params).toString();

  const encoder = new TextEncoder();
  const key = await crypto.subtle.importKey(
    'raw',
    encoder.encode(secretKey),
    { name: 'HMAC', hash: 'SHA-256' },
    false,
    ['sign']
  );

  const signature = await crypto.subtle.sign(
    'HMAC',
    key,
    encoder.encode(queryString)
  );

  const hex = Array.from(new Uint8Array(signature))
    .map(b => b.toString(16).padStart(2, '0'))
    .join('');

  return `https://api.lambdashot.com/take?${queryString}&signature=${hex}`;
}

// Usage
const url = await signRequest({
  access_key: 'YOUR_ACCESS_KEY',
  url: 'https://example.com',
  format: 'png'
}, 'YOUR_SECRET_KEY');

console.log(url);

Python

import hmac
import hashlib
from urllib.parse import urlencode

def sign_request(params, secret_key):
    query_string = urlencode(params)
    signature = hmac.new(
        secret_key.encode(),
        query_string.encode(),
        hashlib.sha256
    ).hexdigest()

    return f"https://api.lambdashot.com/take?{query_string}&signature={signature}"

# Usage
url = sign_request({
    'access_key': 'YOUR_ACCESS_KEY',
    'url': 'https://example.com',
    'format': 'png'
}, 'YOUR_SECRET_KEY')

print(url)
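
A check to run before publishing signed URLs, as an added example that is not LambdaShot's own code: it recomputes the HMAC over the raw query string before `&signature=` and shows that reordering or editing a parameter invalidates the URL. It assumes the signature is always the last parameter, as in the examples above; `check_signed_url` and the key values are constructed for illustration.

```python
import hashlib
import hmac
from urllib.parse import urlencode, urlsplit

BASE = "https://api.lambdashot.com/take"
SIG_SEP = "&signature="  # assumption: signature is always the last parameter


def sign_query(query_string: str, secret_key: str) -> str:
    """Hex HMAC-SHA256 over the exact query-string bytes."""
    return hmac.new(secret_key.encode(), query_string.encode(),
                    hashlib.sha256).hexdigest()


def build_signed_url(params: dict, secret_key: str) -> str:
    # urlencode keeps dict insertion order; nothing is sorted.
    query_string = urlencode(params)
    return f"{BASE}?{query_string}{SIG_SEP}{sign_query(query_string, secret_key)}"


def check_signed_url(url: str, secret_key: str) -> bool:
    """Recompute the signature from the raw query exactly as it appears in url.

    The query is split, never parsed and rebuilt, because re-encoding or
    reordering would change the bytes that were signed.
    """
    signed_part, sep, presented = urlsplit(url).query.rpartition(SIG_SEP)
    if not sep or not signed_part or not presented:
        return False
    expected = sign_query(signed_part, secret_key)
    # Constant-time comparison on bytes (also tolerates non-ASCII input).
    return hmac.compare_digest(expected.encode(), presented.encode())


if __name__ == "__main__":
    secret = "SK_CONSTRUCTED_FOR_DEMO"  # constructed sample key
    good = build_signed_url(
        {"access_key": "AK_CONSTRUCTED", "url": "https://example.com", "format": "png"},
        secret,
    )
    sig = good.rsplit(SIG_SEP, 1)[1]
    reordered = (f"{BASE}?format=png&access_key=AK_CONSTRUCTED"
                 f"&url=https%3A%2F%2Fexample.com{SIG_SEP}{sig}")
    retargeted = good.replace("example.com", "example.org")
    for label, candidate in [("as signed", good), ("reordered", reordered),
                             ("url changed", retargeted)]:
        print(f"{label:12} -> {check_signed_url(candidate, secret)}")
```

Only the URL exactly as signed passes; the reordered and retargeted variants fail because the signed bytes differ.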

PHP

function signRequest(array $params, string $secretKey): string {
    $queryString = http_build_query($params);
    $signature = hash_hmac('sha256', $queryString, $secretKey);

    return "https://api.lambdashot.com/take?{$queryString}&signature={$signature}";
}

// Usage
$url = signRequest([
    'access_key' => 'YOUR_ACCESS_KEY',
    'url' => 'https://example.com',
    'format' => 'png'
], 'YOUR_SECRET_KEY');

echo $url;

Enable Signing Requirement

You can enforce signed requests in your dashboard settings. Once enabled, unsigned requests with your access key will be rejected.

Video Recording

Signed requests work with the /animate endpoint too. Just use the same signing process with the animate URL:

https://api.lambdashot.com/animate?access_key=...&url=...&signature=...

Security Notes

  • Never expose your secret key in client-side code
  • Generate signed URLs on your server
  • Consider using short cache TTLs for signed URLs
  • Rotate your keys periodically via the dashboard