Message Signing
Signing Mode Comparison
All AAuth signing modes use HTTP Message Signatures (RFC 9421). The difference is what appears in the Signature-Key header — and what the resource learns about who made the request.
Signature-Key Header

| Mode | Signature-Key header |
|---|---|
| Anonymous | No signature (none: no Signature-Key header is sent) |
Capabilities
| Feature | Anonymous | Pseudonymous | Agent Identity | Agent Token |
|---|---|---|---|---|
| Proof of key possession | ||||
| Agent identifier disclosed to resource | ||||
| Replay protection (jti claim) | ||||
| Remote key discovery (JWKS) | ||||
| Trust level | None | Key possession | Cryptographic identity | Signed identity + Person Server |
| Resource learns | Nothing | A specific key signed this — identity unknown | Full agent identifier + verifiable public key (via JWKS) | Agent identity, PS URL, bound signing key, delegation chain |
When to use each

| Mode | When to use |
|---|---|
| Anonymous | Public endpoints, no access control needed |
| Pseudonymous | Anonymous but accountable access, rate-limiting by key |
| Agent Identity | Access control by agent identity, replacing API keys |
| Agent Token | Full PS-AS authorization flows, mission context |
Anatomy of an HTTP Message Signature (all modes)

1. Build the signature base

```
"@method": GET
"@authority": resource:8002
"@path": /data
"signature-key": sig=hwk;…
"@signature-params": (…);created=1700000000
```

2. Sign the signature base with the Ed25519 private key

```http
Signature-Input: sig=("@method" "@authority" "@path" "signature-key");created=1700000000;alg="ed25519"
```

3. Attach the three headers to the request

```http
Signature-Key: sig=<scheme>…
Signature-Input: sig=(…)
Signature: sig=:base64url…:
```
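The three steps above, carried through end to end as an added example in Go using only the standard library; this is not AAuth's own code and makes no claims about its implementation. It builds the RFC 9421 signature base for the page's GET /data request, signs it with Ed25519, emits the Signature-Input and Signature header values, and then verifies them on the resource side. The request, the all-zero key seed and the `sig=hwk;placeholder` Signature-Key value are constructed for the demonstration (the page elides the parameters after `hwk;`, and the signing logic treats that header as opaque text).

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"fmt"
	"strings"
)

// Request holds the parts of an HTTP request a signature can cover (lowercase header names).
type Request struct {
	Method, Authority, Path string
	Headers                 map[string]string
}

// covered is the component list this resource requires, in the order the page's
// Signature-Input shows. The verifier enforces it rather than accepting any list a client sends.
var covered = []string{"@method", "@authority", "@path", "signature-key"}

// coveredList is covered rendered as an RFC 8941 inner list: ("@method" "@authority" "@path" "signature-key")
var coveredList = "(\"" + strings.Join(covered, "\" \"") + "\")"

// DemoRequest is a constructed request mirroring the page's GET /data on resource:8002.
// The page elides the Signature-Key parameters after "hwk;", so a placeholder stands in.
func DemoRequest() Request {
	return Request{Method: "GET", Authority: "resource:8002", Path: "/data",
		Headers: map[string]string{"signature-key": "sig=hwk;placeholder"}}
}

// DemoKeyPair derives a fixed Ed25519 key from an all-zero seed (demonstration only; real keys come from crypto/rand).
func DemoKeyPair() (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize))
	return priv.Public().(ed25519.PublicKey), priv
}

// SignatureParams is everything after "sig=" in Signature-Input: the covered list, then created and alg.
func SignatureParams(created int64, alg string) string {
	return fmt.Sprintf("%s;created=%d;alg=%q", coveredList, created, alg)
}

// SignatureBase builds the RFC 9421 signature base: one `"id": value` line per covered
// component, then "@signature-params", joined by "\n" with no trailing newline. Ed25519 signs these exact bytes.
func SignatureBase(r Request, params string) (string, error) {
	derived := map[string]string{"@method": r.Method, "@authority": r.Authority, "@path": r.Path}
	var b strings.Builder
	for _, id := range covered {
		v, ok := derived[id]
		if !ok {
			if v, ok = r.Headers[id]; !ok {
				return "", fmt.Errorf("covered component %q is absent from the request", id)
			}
			v = strings.TrimSpace(v)
		}
		fmt.Fprintf(&b, "%q: %s\n", id, v)
	}
	fmt.Fprintf(&b, "%q: %s", "@signature-params", params)
	return b.String(), nil
}

// Sign returns the Signature-Input and Signature header values for label "sig".
// Signature carries an RFC 8941 Byte Sequence: colon-delimited standard base64.
func Sign(r Request, priv ed25519.PrivateKey, created int64) (sigInput, sig string, err error) {
	params := SignatureParams(created, "ed25519")
	base, err := SignatureBase(r, params)
	if err != nil {
		return "", "", err
	}
	raw := ed25519.Sign(priv, []byte(base))
	return "sig=" + params, "sig=:" + base64.StdEncoding.EncodeToString(raw) + ":", nil
}

// Verify rebuilds the signature base from the request as received and checks it against Signature.
// The algorithm comes from the key the verifier holds; alg and the covered list are cross-checked, not trusted.
func Verify(r Request, pub ed25519.PublicKey, sigInput, sig string) (bool, error) {
	params := strings.TrimPrefix(sigInput, "sig=")
	if !strings.HasPrefix(sigInput, "sig=") || !strings.HasPrefix(params, coveredList) ||
		!strings.Contains(params, `;alg="ed25519"`) || !strings.HasPrefix(sig, "sig=:") || !strings.HasSuffix(sig, ":") {
		return false, fmt.Errorf("malformed headers, or required components/alg not covered")
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSuffix(strings.TrimPrefix(sig, "sig=:"), ":"))
	if err != nil || len(raw) != ed25519.SignatureSize {
		return false, fmt.Errorf("Signature is not a %d-byte Ed25519 signature", ed25519.SignatureSize)
	}
	base, err := SignatureBase(r, params)
	if err != nil {
		return false, err
	}
	return ed25519.Verify(pub, []byte(base), raw), nil
}

func main() {
	pub, priv := DemoKeyPair()
	sigInput, sig, _ := Sign(DemoRequest(), priv, 1700000000)
	ok, _ := Verify(DemoRequest(), pub, sigInput, sig)
	fmt.Printf("Signature-Input: %s\nSignature: %s\nverifies: %v\n", sigInput, sig, ok)
}
```

Two points the page's diagram leaves implicit are made explicit here: the verifier rebuilds the base from the request as it actually arrived, so any change to a covered component (method, authority, path or the Signature-Key header) fails verification, and it refuses a Signature-Input that does not cover the components it requires rather than signing whatever list the client chose. The example encodes the Signature value as standard base64 because RFC 8941 Byte Sequences are defined that way; checking `created` against a freshness window is left out and is the minimum a resource should add before relying on this for replay protection in the modes that carry no jti.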