SubtleCrypto.sign()
Secure context: This feature is available only in secure contexts (HTTPS), in some or all supporting browsers.
The sign()
method of the SubtleCrypto
interface generates a digital signature.
It takes as its arguments a key to sign with, some algorithmspecific
parameters, and the data to sign. It returns a Promise
which will be
fulfilled with the signature.
You can use the corresponding SubtleCrypto.verify()
method to verify the
signature.
Syntax
sign(algorithm, key, data)
Parameters
algorithm

A string or object that specifies the signature algorithm to use and its parameters:

To use RSASSAPKCS1v1_5, pass the string
"RSASSAPKCS1v1_5"
or an object of the form{ "name": "RSASSAPKCS1v1_5" }
.  To use RSAPSS, pass an
RsaPssParams
object.  To use ECDSA, pass an
EcdsaParams
object. 
To use HMAC, pass the string
"HMAC"
or an object of the form{ "name": "HMAC" }
.

To use RSASSAPKCS1v1_5, pass the string
key

A
CryptoKey
object containing the key to be used for signing. Ifalgorithm
identifies a publickey cryptosystem, this is the private key. data

An
ArrayBuffer
, aTypedArray
or aDataView
object containing the data to be signed.
Return value
A Promise
that fulfills with an
ArrayBuffer
containing the signature.
Exceptions
The promise is rejected when the following exception is encountered:
InvalidAccessError
DOMException

Raised when the signing key is not a key for the request signing algorithm or when trying to use an algorithm that is either unknown or isn't suitable for signing.
Supported algorithms
The Web Crypto API provides four algorithms that can be used for signing and signature verification.
Three of these algorithms — RSASSAPKCS1v1_5, RSAPSS, and ECDSA — are
publickey cryptosystems that use the private
key for signing and the public key for verification.
These systems all use a digest algorithm
to hash the message to a short fixed size before signing.
Except for ECDSA (for which it is passed in the algorithm
object), the choice of digest algorithm is passed into the
generateKey()
or importKey()
functions.
The fourth algorithm — HMAC — uses the same algorithm and key for signing and for verification: this means that the verification key must be kept secret, which in turn means that this algorithm is not suitable for many signature use cases. It can be a good choice however when the signer and verifier are the same entity.
RSASSAPKCS1v1_5
The RSASSAPKCS1v1_5 algorithm is specified in RFC 3447.
RSAPSS
The RSAPSS algorithm is specified in RFC 3447.
It's different from RSASSAPKCS1v1_5 in that it incorporates a random salt in the
signature operation, so the same message signed with the same key will not result in the
same signature each time. An extra property, defining the salt length, is passed into
the sign()
and verify()
functions when they are invoked.
ECDSA
ECDSA (Elliptic Curve Digital Signature Algorithm) is a variant of the Digital Signature Algorithm, specified in FIPS186, that uses Elliptic Curve Cryptography (RFC 6090).
Signatures are encoded as the s1
and s2
values specified in RFC 6090 (known respectively as r
and s
in RFC 4754), each in bigendian
byte arrays, with their length the bit size of the curve rounded up to a whole number of bytes.
These values are concatenated together in this order.
This encoding was also proposed by the IEEE 13632000 standard, and is sometimes referred to as the IEEE P1363 format. It differs from the X.509 signature structure, which is the default format produced by some tools and libraries such as OpenSSL.
HMAC
The HMAC algorithm calculates and verifies hashbased message authentication codes according to the FIPS 1981 standard.
The digest algorithm to use is specified in the
HmacKeyGenParams
object
that you pass into generateKey()
, or the
HmacImportParams
object
that you pass into importKey()
.
Examples
Note: You can try the working examples out on GitHub.
RSASSAPKCS1v1_5
This code fetches the contents of a text box, encodes it for signing, and signs it with a private key. See the complete source code on GitHub.
/*
Fetch the contents of the "message" textbox, and encode it
in a form we can use for the sign operation.
*/
function getMessageEncoding() {
const messageBox = document.querySelector(".rsassapkcs1 #message");
let message = messageBox.value;
let enc = new TextEncoder();
return enc.encode(message);
}
let encoded = getMessageEncoding();
let signature = await window.crypto.subtle.sign(
"RSASSAPKCS1v1_5",
privateKey,
encoded
);
RSAPSS
This code fetches the contents of a text box, encodes it for signing, and signs it with a private key. See the complete source code on GitHub.
/*
Fetch the contents of the "message" textbox, and encode it
in a form we can use for the sign operation.
*/
function getMessageEncoding() {
const messageBox = document.querySelector(".rsapss #message");
let message = messageBox.value;
let enc = new TextEncoder();
return enc.encode(message);
}
let encoded = getMessageEncoding();
let signature = await window.crypto.subtle.sign(
{
name: "RSAPSS",
saltLength: 32,
},
privateKey,
encoded
);
ECDSA
This code fetches the contents of a text box, encodes it for signing, and signs it with a private key. See the complete source code on GitHub.
/*
Fetch the contents of the "message" textbox, and encode it
in a form we can use for the sign operation.
*/
function getMessageEncoding() {
const messageBox = document.querySelector(".ecdsa #message");
let message = messageBox.value;
let enc = new TextEncoder();
return enc.encode(message);
}
let encoded = getMessageEncoding();
let signature = await window.crypto.subtle.sign(
{
name: "ECDSA",
hash: { name: "SHA384" },
},
privateKey,
encoded
);
HMAC
This code fetches the contents of a text box, encodes it for signing, and signs it with a secret key. See the complete source code on GitHub.
/*
Fetch the contents of the "message" textbox, and encode it
in a form we can use for the sign operation.
*/
function getMessageEncoding() {
const messageBox = document.querySelector(".hmac #message");
let message = messageBox.value;
let enc = new TextEncoder();
return enc.encode(message);
}
let encoded = getMessageEncoding();
let signature = await window.crypto.subtle.sign("HMAC", key, encoded);
Specifications
Specification 

Web Cryptography API # SubtleCryptomethodsign 
Browser compatibility
BCD tables only load in the browser
See also
SubtleCrypto.verify()
. RFC 3447 specifies RSASSAPKCS1v1_5.
 RFC 3447 specifies RSAPSS.
 FIPS186 specifies ECDSA.
 FIPS 1981 specifies HMAC.