Mohawk is an alternate Python implementation of the Hawk HTTP authorization scheme.

Hawk lets two parties securely communicate with each other using messages signed by a shared key. It is based on HTTP MAC access authentication (which was based on parts of OAuth 1.0).

The Mohawk API is a little different from that of the Node library. It was redesigned to be more intuitive to developers, less prone to security problems, and more Pythonic.
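The shared-key signing that Hawk performs can be sketched with the Python standard library alone. This is an added example, not Mohawk's code and not part of the original documentation: the function names, key, request values and 60-second skew window are constructed for illustration, and the normalized-string layout follows the Hawk 1 header format without the optional app/dlg fields. It also uses regular base64 for the MAC, the detail behind the 0.0.3 changelog entry.

```python
import base64
import hashlib
import hmac


def payload_hash(content: bytes, content_type: str) -> str:
    """Hash the body so it is covered by the MAC (Hawk 'hash' attribute)."""
    media_type = content_type.split(";")[0].strip().lower()
    h = hashlib.sha256()
    h.update(b"hawk.1.payload\n" + media_type.encode("ascii") + b"\n")
    h.update(content + b"\n")
    return base64.b64encode(h.digest()).decode("ascii")


def header_mac(key: bytes, ts: int, nonce: str, method: str, resource: str,
               host: str, port: int, hash_: str = "", ext: str = "") -> str:
    """HMAC-SHA256 over the normalized request, in regular (not URL-safe) base64."""
    normalized = "\n".join([
        "hawk.1.header", str(ts), nonce, method.upper(), resource,
        host.lower(), str(port), hash_, ext,
    ]) + "\n"
    digest = hmac.new(key, normalized.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def verify(key: bytes, claimed_mac: str, now: int, skew: int = 60, **fields) -> bool:
    """Receiver side: reject stale timestamps, then compare MACs in constant time."""
    if abs(now - fields["ts"]) > skew:
        return False
    return hmac.compare_digest(header_mac(key, **fields), claimed_mac)


# Constructed sample request and key (not real credentials).
KEY = b"constructed-shared-secret"
REQUEST = dict(ts=1393804800, nonce="k3j4h2", method="POST",
               resource="/api/items?a=1", host="example.com", port=443,
               hash_=payload_hash(b'{"id": 1}', "application/json; charset=utf-8"))

if __name__ == "__main__":
    mac = header_mac(KEY, **REQUEST)
    print("valid:", verify(KEY, mac, now=REQUEST["ts"] + 5, **REQUEST))
    tampered = dict(REQUEST, resource="/api/items?a=2")
    print("tampered:", verify(KEY, mac, now=REQUEST["ts"] + 5, **tampered))
    print("stale:", verify(KEY, mac, now=REQUEST["ts"] + 600, **REQUEST))
```

A receiver that encoded the expected MAC with URL-safe base64 would reject any valid MAC containing `+` or `/`, which is why both sides must agree on the encoding.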



  • Python 2.6+ or 3.3+
  • six

Using pip:

pip install mohawk

If you want to install from source, visit


You can submit bugs / patches on GitHub:


If you think you found a security vulnerability please try emailing before submitting a public issue.

Framework integration

Mohawk is a low level library that focuses on Hawk communication. The following higher-level libraries integrate Mohawk into specific web frameworks:


  • Implement bewit. The bewit URI scheme is not implemented at this time.
  • Support SNTP synchronization for local server time.
  • Support auto-retrying a mohawk.Sender request with an offset if there is timestamp skew.


  • 0.2.1 (2014-03-03)
    • Fixed Python 2 bug in how unicode was converted to bytes when calculating a payload hash.
  • 0.2.0 (2014-03-03)
    • Added support for Python 3.3 or greater.
    • Added support for Python 2.6 (this was just a test suite fix).
    • Added six as dependency.
    • mohawk.Sender.request_header and mohawk.Receiver.response_header are now Unicode objects. They will never contain non-ASCII characters though.
  • 0.1.0 (2014-02-19)
    • Implemented optional content hashing per spec but in a less error prone way
    • Added complete documentation
  • 0.0.4 (2014-02-11)
    • Bug fix: response processing now re-uses sender’s nonce and timestamp per the Node Hawk lib
    • No longer assume content-type: text/plain if content type is not specified
  • 0.0.3 (2014-02-07)
    • Bug fix: MACs were made using URL safe base64 encoding which differs from the Node Hawk lib (it just uses regular base64)
    • exposed localtime_in_seconds on TokenExpired exception per Hawk spec
    • better localtime offset and skew handling
  • 0.0.2 (2014-02-06)
    • Responding with a custom ext now works
    • Protected app and dlg according to spec when accepting responses
  • 0.0.1 (2014-02-05)
    • initial release of partial implementation
