Request envelope (body)
The JSON body carries routing and payload fields. The signature is in HTTP headers — not the body.Signature (RFC 9421 HTTP Message Signatures)
Authentication uses RFC 9421 — three standard HTTP headers on every POST request:@method, @path, and content-digest — so the receiver can verify both which endpoint was targeted and that the body hasn’t been tampered with.
Signing procedure:
- Serialize the body to UTF-8 bytes
- Compute
sha-256of the bytes →Content-Digest - Build the RFC 9421 signature base (method + path + content-digest + params), sign with Ed25519
- Send all three headers with the request
keyid in Signature-Input references the kid in the sender’s agent card — enabling key rotation without changing the protocol.
The SDK handles all of this automatically. You never construct or verify these headers manually.