Here is the web API offered by the APK Signer. Here are some URLs where you can find a deployed APK Signer:


All APIs accept standard application/x-www-form-urlencoded POST parameters.


All incoming and outgoing requests are secured by a Hawk shared key. The setting HAWK_CREDENTIALS is a dictionary of consumers and credentials. The following credentials are defined for use:

The APK Factory will communicate with the signing service to sign APKs. All incoming requests to the signer must be signed with these credentials. As per Hawk, the server signs its response using the same credentials that the request was signed with.

All Hawk requests must sign their request payload (request body plus request content-type). If both of these are blank, such as in a GET request, you must sign them as empty strings.

Authorized API requests will respond with a Hawk header that signs the response, including payload. For the best security, make sure your client is authorizing incoming Hawk responses.


POST /sign

This endpoint accepts an unsigned APK file and returns a new APK file that has been signed with an Android key store. This signing process works just like the standard Android signing process.


  • apk_id – A unique identifier for this APK such as one derived from a webapp manifest URL. This value will be used as an Amazon S3 storage key.
  • unsigned_apk_s3_path – An Amazon S3 path (in a shared bucket) to the unsigned APK file that should be fetched and signed. Example: /path/to/unsigned/file.apk.
  • unsigned_apk_s3_hash – A SHA256 content hash (in hex) that can be used to verify the contents of the APK file after fetching it from Amazon S3.
  • signed_apk_s3_path – An Amazon S3 path (in a shared bucket) that the final, signed APK file should be written to. Example: /path/to/signed/file.apk.


  • signed_apk_s3_url – A publicly accessible Amazon S3 URL to the signed APK file.


{"signed_apk_s3_url": "https://s3.amazonaws.com/bucket/key/to/signed.apk"}
Status Codes:


There are some system APIs you can use to monitor the health of the APK Signer system.

GET /system/auth

This endpoint lets you test your Hawk client to see that you are making authorized GET requests correctly.

POST /system/auth

You can also POST to the same endpoint to test an authorized Hawk request.


Example response to GET:

{"message": "GET authentication successful"}

Example response to POST:

{"message": "POST authentication successful"}
Status Codes:
GET /system/cef

A request to this endpoint will log an internal CEF (Common Event Format) message. This will let you test that the system is hooked up for CEF logging.



{"message": "CEF messages sent"}
Status Codes:
GET /system/log

A request to this endpoint will send a test message to the internal logging system. This will let you test that the system is hooked up for logging.



{'message': 'messages logged on server'}
Status Codes:
GET /system/stats

A request to this endpoint will increment a statsd key for testing purposes.



{"message": "apk_signer.system_check incremented"}
Status Codes:
GET /system/tools

This endpoint reports whether or not the required command line tools are available.


Example of 200 response:

{"detail": {"success": true, "keytool": "ok", "jarsigner": "ok"}}

Example of 409 response:

{"detail": {"success": false, "keytool": "MISSING", "jarsigner": "ok"}}
Status Codes:
POST /system/trace

A request to this endpoint will trigger an exception to test that exceptions are handled correctly.



Status Codes: