Next.js Server Actions ShieldPRO

Protect public Server Action endpoints from parameter tampering and replay attacks with cryptographically signed payloads.

Cryptographic Execution Pipeline

Panel A: Protected Payload (injected metadata), the input JSON with the _shield { ts, nonce } object added
Panel B: HMAC-SHA256 Signature (hex)
/**
 * client-signer.ts
 * Browser-safe cryptographic payload signer for Next.js Server Actions.
 * Keep this module locally integrated in your client components.
 *
 * Caveat: a key shipped to the browser can be read by whoever runs that
 * browser. The signature proves the payload was produced by a holder of the
 * key and has not changed since; it lets the server reject replays and
 * in-transit tampering, but not a key holder signing a modified payload.
 * Authorization checks inside the action are still required.
 */

function toHex(bytes: Uint8Array): string {
  return Array.from(bytes)
    .map(b => b.toString(16).padStart(2, '0'))
    .join('');
}

export async function signActionPayload(payload: Record<string, unknown>, hexSecretKey: string) {
  if (!/^[0-9a-fA-F]{64}$/.test(hexSecretKey)) {
    throw new Error('hexSecretKey must be 32 bytes (64 hex characters)');
  }

  // Unix seconds; the server compares this against its TTL window
  const ts = Math.floor(Date.now() / 1000);
  // 128-bit random nonce; the server remembers it for the TTL to reject replays
  const nonce = toHex(window.crypto.getRandomValues(new Uint8Array(16)));

  const protectedPayload = {
    ...payload,
    _shield: { ts, nonce }
  };

  // The signature covers exactly this string. Send `serialized` to the action
  // (not a re-serialized object) so the server verifies the same bytes.
  const serialized = JSON.stringify(protectedPayload);

  // Convert hex signing key to bytes
  const keyBytes = new Uint8Array(
    hexSecretKey.match(/.{2}/g)!.map(byte => parseInt(byte, 16))
  );

  // Import the raw secret into SubtleCrypto (requires a secure context: https or localhost)
  const cryptoKey = await window.crypto.subtle.importKey(
    "raw",
    keyBytes,
    { name: "HMAC", hash: { name: "SHA-256" } },
    false,
    ["sign"]
  );

  // Calculate signature over the UTF-8 bytes of the serialized payload
  const signatureBuffer = await window.crypto.subtle.sign(
    "HMAC",
    cryptoKey,
    new TextEncoder().encode(serialized)
  );

  const signature = toHex(new Uint8Array(signatureBuffer));

  return {
    payload: protectedPayload,
    serialized,
    signature
  };
}

Instructions

  1. Provide your raw JSON action payload in the input editor.

  2. Generate or input a secure 32-byte (64 hex character) signing key.

  3. Configure the TTL Expiry Window to limit how long a signed payload stays valid.

  4. Copy the generated signature or download the pre-built client signer and server verifier code blocks.

Frequently Asked Questions

How does signing protect a Server Action?

Next.js Server Actions are public HTTP POST endpoints: anyone can capture a request, replay it, or edit its arguments. Signing the payload with HMAC-SHA256 over a timestamp and a unique nonce lets the server verify the payload's integrity, reject anything outside the TTL window, and reject a nonce it has already seen. That blocks replays and undetected tampering of captured requests. Because the signing key lives in the browser, it cannot tell a legitimate user from one who has extracted the key and signs their own payloads, so the action must still enforce its own authorization checks.

Does this tool send my keys or payloads anywhere?

No. All cryptographic calculations, key generation, and payload signing run entirely client-side using your browser's native SubtleCrypto API. Your keys and payloads never leave your machine.
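The server side of the check described above, as an added example that is not ShieldPRO's downloadable verifier: a Node.js verifier for the client-signer.ts scheme. It assumes the client sends the exact serialized string it signed together with the hex signature, that the action holds the same 32-byte hex key (for instance in an environment variable), and that seenNonces is an in-memory Map standing in for a shared store such as Redis with key expiry. The names verifyActionPayload, VerifyOptions and seenNonces are this example's own. A Node-side signActionPayload mirroring the client is included so the exchange can be exercised end to end, including a replay, a tampered body, and an expired payload.

```typescript
// server-verifier.ts (added example; not the ShieldPRO download)
// Verifies payloads produced by client-signer.ts: HMAC-SHA256 over the exact
// serialized string, then a TTL check on _shield.ts and a single-use nonce check.
import { createHmac, randomBytes, timingSafeEqual } from "node:crypto";

export type VerifyResult =
  | { ok: true; payload: Record<string, unknown> }
  | { ok: false; reason: string };

export interface VerifyOptions {
  ttlSeconds: number;               // maximum age of a payload
  skewSeconds?: number;             // tolerated clock skew for future-dated ts (default 30)
  now?: number;                     // unix seconds, injectable for tests
  seenNonces: Map<string, number>;  // nonce -> unix expiry; stand-in for a shared store
}

const HEX64 = /^[0-9a-f]{64}$/i;    // a 32-byte key and a SHA-256 digest are both 64 hex chars

function hmac(serialized: string, hexSecretKey: string): Buffer {
  return createHmac("sha256", Buffer.from(hexSecretKey, "hex"))
    .update(serialized, "utf8")
    .digest();
}

export function verifyActionPayload(
  serialized: string,
  signatureHex: string,
  hexSecretKey: string,
  opts: VerifyOptions,
): VerifyResult {
  if (!HEX64.test(hexSecretKey)) return { ok: false, reason: "server key must be 32 bytes of hex" };
  if (!HEX64.test(signatureHex)) return { ok: false, reason: "malformed signature" };

  // 1. Integrity first, in constant time, over the bytes the client signed.
  //    Nothing below runs on unauthenticated input.
  if (!timingSafeEqual(Buffer.from(signatureHex, "hex"), hmac(serialized, hexSecretKey))) {
    return { ok: false, reason: "bad signature" };
  }

  // 2. Parse and pull out the injected metadata.
  let parsed: unknown;
  try { parsed = JSON.parse(serialized); } catch { return { ok: false, reason: "payload is not JSON" }; }
  if (typeof parsed !== "object" || parsed === null || Array.isArray(parsed)) {
    return { ok: false, reason: "payload must be a JSON object" };
  }
  const { _shield, ...payload } = parsed as Record<string, unknown>;
  const ts = (_shield as { ts?: unknown } | undefined)?.ts;
  const nonce = (_shield as { nonce?: unknown } | undefined)?.nonce;
  if (typeof ts !== "number" || !Number.isInteger(ts) ||
      typeof nonce !== "string" || !/^[0-9a-f]{32}$/.test(nonce)) {
    return { ok: false, reason: "missing or malformed _shield metadata" };
  }

  // 3. Freshness: reject stale payloads and ones dated too far in the future.
  const now = opts.now ?? Math.floor(Date.now() / 1000);
  const skew = opts.skewSeconds ?? 30;
  if (ts > now + skew) return { ok: false, reason: "timestamp in the future" };
  if (now - ts > opts.ttlSeconds) return { ok: false, reason: "payload expired" };

  // 4. Single use: drop nonces that can no longer be replayed, then check-and-insert.
  opts.seenNonces.forEach((expiry, n) => { if (expiry <= now) opts.seenNonces.delete(n); });
  if (opts.seenNonces.has(nonce)) return { ok: false, reason: "nonce already used (replay)" };
  opts.seenNonces.set(nonce, ts + opts.ttlSeconds + skew);

  return { ok: true, payload };
}

// Node-side mirror of client-signer.ts so the exchange can be exercised end to end.
export function signActionPayload(
  payload: Record<string, unknown>,
  hexSecretKey: string,
  ts: number = Math.floor(Date.now() / 1000),
): { serialized: string; signature: string } {
  const nonce = randomBytes(16).toString("hex");
  const serialized = JSON.stringify({ ...payload, _shield: { ts, nonce } });
  return { serialized, signature: hmac(serialized, hexSecretKey).toString("hex") };
}
```

Inside a Server Action the call is verifyActionPayload(serialized, signature, process.env.SHIELD_KEY, { ttlSeconds, seenNonces }) and the action proceeds only when result.ok is true. On serverless or multi-instance deployments the nonce store must be shared (Redis SET with NX and an expiry of ttlSeconds plus skew does the check-and-insert atomically); a per-process Map lets a captured request be replayed against another instance.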