Issue: JSON Serialization Behavior Change in 0.28.1 causing HTTP Signature Digest Mismatch

[RHawkins-Fisher]

Summary

After upgrading httpx from 0.25.0 to 0.28.1, HTTP Signatures that rely on a Digest of the request body began failing with a 401 Unauthorized (Authentication Failed) error when interacting with the CyberSource API.

Root Cause Analysis

The issue appears to correspond to a change in how httpx generates the JSON body bytes when using the json argument in client.request().

• Scenario: We generate an HTTP Signature Digest by creating a hash of json.dumps(payload) (using standard Python json module default separators).
• Behavior in 0.25.0: The hash generated from json.dumps(payload) matched the hash of the body sent by httpx.
• Behavior in 0.28.1: The hash generated from json.dumps(payload) did not match the body sent by httpx.

Workaround / Proof

We confirmed the issue by manually serializing the payload to a string using json.dumps(payload) and passing this string to httpx.request(..., content=payload_str).

• When using content=payload_str, the request succeeded with httpx 0.28.1.
• When using json=payload, the request failed corresponding to a digest mismatch.

This indicates that httpx 0.28.1 is producing a JSON byte stream that differs from the standard implementation of json.dumps(payload) (e.g., changes in whitespace/separators or key ordering), whereas 0.25.0 produced a matching stream.

Environment

• Previous Version: httpx==0.25.0 (Working)
• Current Version: httpx==0.28.1 (Failing Digest)
• Python Version: 3.13 (and 3.11)
• OS: Windows

Recommendation / Request

If httpx has intentionally changed default JSON serialization (e.g. to be more compact), it would be helpful to document this behavior, as it breaks compatibility with systems that compute signatures based on standard json.dumps() output. Alternatively, a flag to control serialization behavior would be beneficial.