Foundations
Signature-Key Schemes
The Signature-Key draft defines five schemes. AAuth profiles four of them, grouped into two trust tiers. This page is the one-stop map of which scheme does what and where each lives in the protocol.
Two tiers, four schemes
Pseudonymous tier
sigkey=jktVerifier learns a stable JWK Thumbprint — no identity. Useful for rate-limiting, anonymous-but-accountable access, hardware-backed device identity.
sig=hwksig=jkt-jwtIdentity tier
sigkey=uriVerifier learns a verifiable identifier — an HTTPS origin or an issuer-signed JWT. This is how AAuth tokens (agent/resource/auth) are presented.
sig=jwks_urisig=jwtThe tier values (jkt, uri) are what a resource asks for in its Accept-Signature: sigkey=… challenge.
Schemes AAuth uses
sig=hwkHeader Web KeyPseudonymousPublic key inline in the header. Self-contained verification — no fetches, no issuer, no identity.
Signature-Key: sig=hwk;kty="OKP";crv="Ed25519";x="JrQLj5P_89iXES9-vFgrIy29clF9CC_oPPsw3c5D0bs"
When AAuth uses it
Agents with no identity infrastructure; rate-limiting by key; anonymous-but-accountable access.
What the verifier learns
Key possession only — verifier learns a stable JWK Thumbprint, nothing more.
sig=jkt-jwtJKT JWT Self-Issued Key DelegationPseudonymousA JWT signed by an enclave/hardware key delegates to a fast ephemeral signing key via the cnf claim. Identity is a JWK Thumbprint URN (TOFU).
Signature-Key: sig=jkt-jwt;jwt="eyJ0eXAiOiJqa3Qtc…"
When AAuth uses it
Agent-token renewal from a stable hardware key (SPEC §Agent Token Acquisition); mobile/IoT agents with secure enclaves.
What the verifier learns
Persistent pseudonymous identity tied to the enclave key; ephemeral key signs requests at line rate.
sig=jwks_uriJWKS URI DiscoveryIdentityThe Signature-Key references an HTTPS identifier. The verifier fetches {id}/.well-known/{dwk}, reads jwks_uri, resolves the kid.
Signature-Key: sig=jwks_uri;id="https://agent.example";dwk="aauth-agent.json";kid="key-1"
When AAuth uses it
Raw agent identity — before an agent has an agent token. Also how AAuth tokens' issuers' keys are discovered.
What the verifier learns
Cryptographic identity bound to an HTTPS origin. Verifier learns the full agent identifier.
sig=jwtJWT Confirmation KeyIdentityA signed JWT (with iss + dwk) carries the public key in its cnf claim. Verifier checks the JWT, then verifies the HTTP signature with the cnf key.
Signature-Key: sig=jwt;jwt="eyJhbGciOiJFZERTQSIsInR5cCI6ImFhLWFnZW50K2p3dCJ9…"
When AAuth uses it
Agent tokens (aa-agent+jwt), resource tokens (aa-resource+jwt), and auth tokens (aa-auth+jwt) are all presented this way.
What the verifier learns
Identity + key binding vouched for by a signed issuer. The JWT typ identifies which AAuth token it is.
Not used by AAuth
sig=x509X.509 Certificate Chain not in AAuthAAuth relies on JWK-based discovery (dwk + jwks_uri) and doesn't depend on PKI. The scheme remains available in the draft for deployments that need it, but AAuth neither requires nor defines behavior around it.
Scheme properties at a glance
| Property | hwk | jkt-jwt | jwks_uri | jwt |
|---|---|---|---|---|
| Reveals identity | ||||
| Requires network fetch | if iss+dwk present | |||
| Embeds a JWT | ||||
| Hardware-backed (typical) | ||||
| Carries AAuth token |
Further reading