Skip to main content
All three communication modes — sync, async, and stream — use the same envelope. The format never changes based on delivery mechanism; only the endpoint and response behavior differ.

Request envelope (body)

The JSON body carries routing and payload fields. The signature is in HTTP headers — not the body.

Signature (RFC 9421 HTTP Message Signatures)

Authentication uses RFC 9421 — three standard HTTP headers on every POST request:
What’s signed: @method, @path, and content-digest — so the receiver can verify both which endpoint was targeted and that the body hasn’t been tampered with. Signing procedure:
  1. Serialize the body to UTF-8 bytes
  2. Compute sha-256 of the bytes → Content-Digest
  3. Build the RFC 9421 signature base (method + path + content-digest + params), sign with Ed25519
  4. Send all three headers with the request
The keyid in Signature-Input references the kid in the sender’s agent card — enabling key rotation without changing the protocol.
The SDK handles all of this automatically. You never construct or verify these headers manually.

Response envelope

On error:

JSON Schema