PyAuthTicket uses HMAC to generate a one-time ticket based on a secret key, a message (optional) and a timestamp (defaults to the current time). If both sides know a secret key (i.e., an API key), a receiver can verify the identity of a sender by requiring a ticket digest and the timestamp used to create it along with the actual request. To verify the sender, the receiver creates a ticket with the same credentials (key, request, timestamp) and verifies it against the provided digest. This does not prevent replay attacks, but because the timestamp is provided, a lower threshold can be set to reduce the time window in which replays can run.

Sender:

    from pyauthticket import AuthTicket

    request = 'GET /'
    t = AuthTicket(key='secret_key', message=request)
    # send_request() stands for the application's own transport code
    send_request(request, t.timestamp, t.digest)

Receiver:

    from time import sleep
    from pyauthticket import AuthTicket

    # receive_request() stands for the application's own transport code
    request, timestamp, digest = receive_request()
    t = AuthTicket(key='secret_key', message=request, timestamp=timestamp, digest=digest, threshold=60*2)
    if t.is_valid():
        print("Ticket was valid.")
    else:
        print("Ticket was not valid.")

    # Wait out the threshold, then check the same ticket again.
    sleep(60*2)
    if t.is_valid():
        print("Ticket was valid.")
    else:
        print("Ticket was not valid.")
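The verification flow described above, written out with Python's standard hmac module as an added example; it is not PyAuthTicket's code. The digest layout (HMAC-SHA256 over "timestamp|message"), the TicketVerifier class and its single_use option are assumptions made for illustration. It shows that a replay inside the threshold still verifies unless the receiver also remembers the digests it has already accepted.

```python
import hashlib
import hmac
import time

def make_digest(key, message, timestamp):
    # Assumed layout: HMAC-SHA256 over "timestamp|message" (not PyAuthTicket's own).
    data = ("%d|%s" % (timestamp, message)).encode("utf-8")
    return hmac.new(key.encode("utf-8"), data, hashlib.sha256).hexdigest()

class TicketVerifier(object):
    """Hypothetical receiver: checks freshness, digest and optionally single use."""
    def __init__(self, key, threshold=120, single_use=False):
        self.key = key
        self.threshold = threshold
        self.single_use = single_use
        self._seen = {}  # digest -> timestamp, for tickets still inside the window

    def verify(self, message, timestamp, digest, now=None):
        now = int(time.time()) if now is None else now
        # Reject stale tickets and tickets dated too far in the future.
        if abs(now - timestamp) > self.threshold:
            return "expired"
        expected = make_digest(self.key, message, timestamp)
        # Constant-time comparison avoids leaking how many characters matched.
        if not hmac.compare_digest(expected.encode(), digest.encode()):
            return "bad-digest"
        if self.single_use:
            # Drop digests that the freshness check would reject anyway.
            self._seen = {d: ts for d, ts in self._seen.items()
                          if abs(now - ts) <= self.threshold}
            if digest in self._seen:
                return "replayed"
            self._seen[digest] = timestamp
        return "ok"

def demo():
    # Constructed sample: one ticket issued at t=1000, presented at three times.
    digest = make_digest("secret_key", "GET /", 1000)
    plain = TicketVerifier("secret_key", threshold=120)
    strict = TicketVerifier("secret_key", threshold=120, single_use=True)
    times = (1000, 1060, 1121)
    return ([plain.verify("GET /", 1000, digest, now=n) for n in times],
            [strict.verify("GET /", 1000, digest, now=n) for n in times])

if __name__ == "__main__":
    print(demo())
```

The memory cost of single_use is bounded by the threshold, since digests older than the window are pruned on each call.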