Laravel Url Signer

spatie/laravel-url-signer

Sign and validate any URL in Laravel with an expiring signature. Works across apps, uses a configurable secret (not the app key), and includes middleware to protect routes. Generate time-limited links in one call and verify them anywhere.

Create and validate signed URLs with a limited lifetime

Frequently asked questions about Laravel Url Signer
How do I sign a URL for a Laravel route using spatie/laravel-url-signer?
Use the `UrlSigner` facade to sign any URL, including Laravel routes. For example, `UrlSigner::sign('https://app.com/route', now()->addHours(1))` generates a signed URL with an expiration timestamp and HMAC signature. The output appends `?expires=...&signature=...` to the URL.
Can I use this package to sign URLs for external services like Stripe or AWS S3?
Yes, this package isn’t limited to Laravel routes. Sign any external URL (e.g., Stripe payment links or S3 pre-signed URLs) by passing the full URL to `UrlSigner::sign()`. The validation works the same way, regardless of the domain.
What Laravel versions does spatie/laravel-url-signer support?
The package officially supports Laravel 8.x, 9.x, and 10.x. It leverages Laravel’s service container and facades, so it integrates seamlessly with modern Laravel applications. Check the [GitHub repo](https://github.com/spatie/laravel-url-signer) for version-specific notes.
How do I configure the signing secret for production?
Store the signing secret in your `.env` file (e.g., `URL_SIGNER_SECRET=your_secure_key`). Avoid hardcoding it. For high-security environments, use a secrets manager like AWS Secrets Manager or HashiCorp Vault, and fetch the secret dynamically in your configuration.
Does this package work with Lumen or non-Laravel PHP applications?
The package is Laravel-specific, but the underlying `spatie/signed-url` library can be used standalone in PHP 8.0+. For Lumen, install the Laravel package and adapt the service provider registration. Non-Laravel use requires manual initialization of the `UrlSigner` class with your preferred secret.
How do I validate a signed URL in a Laravel controller or middleware?
Use `UrlSigner::validate($signedUrl)` to check if the URL is valid. This returns `true` if the signature matches and the URL hasn’t expired. For middleware, wrap the validation in a try-catch block to handle invalid URLs gracefully (e.g., redirect to a 403 page).
What happens if the signed URL exceeds the HTTP character limit?
Signed URLs append `?expires=...&signature=...`, which can exceed HTTP/HTTPS length limits (~2000 chars). Mitigate this by shortening expiration windows (e.g., hours instead of days) or using URL shorteners. For long-lived resources, consider generating a short-lived token server-side and redirecting.
Can I use this package to protect API endpoints instead of routes?
Yes, sign API URLs (e.g., `/api/download?file=123`) and validate them in middleware. This is useful for sharing time-bound API access across microservices or third-party clients. The package’s `validate()` method works identically for API and web routes.
How do I rotate the signing secret without breaking existing URLs?
Rotate secrets by updating the `.env` or config file and regenerating all signed URLs. Existing URLs signed with the old secret remain valid until their expiration time. For critical systems, implement a grace period where both old and new secrets are accepted during validation.
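The grace period described above, as an added example that is not the package's own code. It assumes a generic HMAC-SHA256 signature over the URL and expiry, which is not necessarily the package's internal format; the function names, secrets and URL are constructed for illustration.

```php
<?php
declare(strict_types=1);

// Added example: a generic HMAC-SHA256 scheme, assumed for illustration only.
function sign_url(string $url, int $expires, string $secret): string
{
    $sig = hash_hmac('sha256', "{$url}::{$expires}", $secret);
    $sep = str_contains($url, '?') ? '&' : '?';
    return "{$url}{$sep}expires={$expires}&signature={$sig}";
}

// $secrets lists every secret currently accepted, newest first.
function validate_with_rotation(string $signedUrl, array $secrets, int $now): bool
{
    // Split off the two parameters that sign_url() appended last.
    $pattern = '/^(.*)[?&]expires=(\d+)&signature=([0-9a-f]{64})$/D';
    if (!preg_match($pattern, $signedUrl, $m)) {
        return false;
    }
    [, $url, $expires, $sig] = $m;
    if ((int) $expires <= $now) {
        return false; // past its expiry, whichever secret signed it
    }
    $valid = false;
    foreach ($secrets as $secret) {
        $expected = hash_hmac('sha256', "{$url}::{$expires}", $secret);
        // hash_equals() compares in constant time; every secret is tried
        // so the loop's duration does not reveal which one matched.
        $valid = hash_equals($expected, $sig) || $valid;
    }
    return $valid;
}

// Constructed sample data: a link issued before the rotation.
$old  = 'constructed-old-secret';
$new  = 'constructed-new-secret';
$now  = 1700000000;
$link = sign_url('https://app.example/api/download?file=123', $now + 3600, $old);

var_dump(validate_with_rotation($link, [$new], $now));              // new secret only
var_dump(validate_with_rotation($link, [$new, $old], $now));        // grace period
var_dump(validate_with_rotation($link, [$new, $old], $now + 7200)); // after expiry
```

Drop the old secret from the accepted list once the longest expiry issued under it has passed, so the grace period ends on its own schedule.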
Are there alternatives to spatie/laravel-url-signer for signed URLs in Laravel?
Laravel’s native `signed` route helper is simpler but ties signing to the `APP_KEY` and only works for Laravel routes. For cross-app or external URL signing, this package is a better fit. Other alternatives include custom HMAC implementations or packages like `graham-campbell/signed-url`, but they lack Laravel-specific integrations.