Hawk HTTP Authorization for Django Rest Framework.

Latest PyPI release PyPI monthly download stats Travis master branch status Documentation status

Hawk lets two parties securely communicate with each other using messages signed by a shared key. It is based on HTTP MAC access authentication (which was based on parts of OAuth 1.0).

HawkREST uses the mohawk module to add Hawk authorization to your REST API views.

This guide will help you set everything up but you should also read through mohawk security considerations to get familiar with the security aspects of Hawk.



(Older versions of these libraries may work, but support is not guaranteed.)

Using pip, install the module like this:

pip install hawkrest

This will also install all necessary dependencies. You’ll most likely put this in a requirements file within your Django app.

The source code is available at https://github.com/kumar303/hawkrest


You can report issues at https://github.com/kumar303/hawkrest



If you’re upgrading from a version prior to 0.0.6, be sure to use rest_framework.permissions.IsAuthenticated on your views as documented

  • 1.0.1 (2018-10-06) - Added support for being used via Django 1.11’s new MIDDLEWARE option. - Fixed the hawkrequest management command when using newer Django/Python. - Fixed inconsistency between the way the middleware and authentication

    backend determined whether a request was a Hawk signed request.

  • 1.0.0 (2017-04-05)

    • Added support for a HAWK_USER_LOOKUP setting. See Usage.
    • Added hooks to make subclassing HawkAuthentication easier. See Usage.
    • Dropped support for Django 1.6/1.7.
    • Dropped support for django-rest-framework 3.2/3.3.
    • Confirmed support for django-rest-framework 3.4/3.5.
    • Added support for Django 1.10/1.11.
    • Started using semantic versioning.
  • 0.0.10 (2016-06-01)

    • Adds support for Django 1.9.
  • 0.0.9 (2016-01-07)

    • Adds more specific AuthenticationFailed errors.
  • 0.0.8 (2015-10-01)

    • Fixes issue #11 where exception info was leaked to the response, potentially revealing sensitive information.
  • 0.0.7 (2015-09-30)

    • Fixes issue #9 where using rest_framework.permissions.IsAuthenticated on your Hawk protected view caused an unexpected traceback.
  • 0.0.6 (2015-09-08)

    • IMPORTANT: If migrating to this version from an earlier version of hawkrest, your Django Rest Framework API views must require an authenticated user as documented. In other words, older versions of hawkrest would reject any request that didn’t have a Hawk authentication header but this version does not (see the bug fix below).
    • Fixed bug where other HTTP authorization schemes could not be supported at the same time as Hawk. Thanks to Mauro Doglio for the patch.
    • Fixed incorrect statement in docs that Python 2.6 was supported. Only 2.7 or greater is supported at this time.
    • Sends WWW-Authenticate: Hawk header in 401 responses now.
  • 0.0.5 (2015-07-21)

  • 0.0.4 (2015-06-24)

    • Fixed nonce callback support for mohawk 0.3.0. Thanks to Josh Wilson for the patches.
  • 0.0.3 (2015-01-05)

    • Fixed traceback when cache setting is undefined. Thanks to wolfgangmeyers for the patch.
  • 0.0.2 (2014-03-03)

    • Added support for Python 3.3 and greater
    • Added support for Python 2.6
  • 0.0.1 (2014-02-27)

Indices and tables