Recently I was working on yet another startup project (a mobile app with a backend). The goal was to make the backend stateless and highly scalable. I did not want to maintain sessions. So I was looking for an authentication and authorization mechanism for RESTful APIs that is scalable, secure and appropriate for mobile. The solution was HMAC. This post describes how to handle it using spray.io.