Message Signing · Pseudonymous tier
Hardware-backed
sig=jkt-jwt
An enclave/hardware key signs a JWT that delegates signing authority to a fast ephemeral key. Requests are signed at line rate by the ephemeral key; the JWT proves the delegation came from the hardware-held identity.
Why a second pseudonymous scheme?
sig=hwk is a self-contained inline public key — ephemeral by nature. But many devices (TPM, Secure Enclave, StrongBox) hold a stable private key in hardware that is slow to sign and may require user interaction (biometric, PIN).
sig=jkt-jwt ("jacket jot") bridges the two: the enclave key signs one JWT, and that JWT delegates to a fast software key that signs every request. The hardware key's JWK Thumbprint URN is the stable pseudonymous identity: no registration, no authority.
How it works
Identity key
A long-lived keypair lives in the hardware enclave.
Ephemeral key
A short-lived software keypair is generated per session.
Delegation JWT
Enclave signs a JWT binding the ephemeral pub key via the cnf claim.
Fast signing
Every HTTP request is signed by the ephemeral key; the JWT proves authorization.
On the wire
Request headers
GET /data HTTP/1.1
Host: api.example
Signature-Input: sig=("@method" "@authority" "@path" "signature-key");created=1730217600
Signature: sig=:<ephemeral-key-sig>:
Signature-Key: sig=jkt-jwt;jwt="eyJ0eXA…"
JWT header & payload (inside jwt=)
// header
{
"typ": "jkt-s256+jwt",
"alg": "ES256",
"jwk": { "kty": "EC", "crv": "P-256", "x": "...", "y": "..." }
}
// payload
{
"iss": "urn:jkt:sha-256:NzbLsXh8…",
"iat": 1730217000,
"exp": 1730303400,
"cnf": {
"jwk": {
"kty": "OKP", "crv": "Ed25519",
"x": "JrQLj5P_89iXES9-vFgrIy29clF9CC_oPPsw3c5D0bs"
}
}
}
The verifier checks the JWT in order: the enclave signature over the JWT using the jwk in the header, then that the RFC 7638 thumbprint of that jwk equals iss, then exp. Only then does it extract cnf.jwk and verify the HTTP signature with that ephemeral key. The verifier pins the typ and alg it expects itself; it must not let the JWT header choose the algorithm.
When AAuth uses it
Agent-token renewal from a stable key
When an agent's ephemeral agent token expires, the agent can renew it without a user re-login: it sends a sig=jkt-jwt request whose delegation JWT, signed by the stable hardware key, carries a new ephemeral public key. The hardware key's thumbprint is recorded at enrollment and checked on renewal.
SPEC · §Agent Token Acquisition
Mobile / IoT / laptop agents
Any agent whose platform offers a secure enclave (iOS Secure Enclave, Android StrongBox, Windows TPM, macOS Keychain). This gives the resource a stable thumbprint for per-device rate limiting or reputation without collecting identity.
hwk vs jkt-jwt
| | sig=hwk | sig=jkt-jwt |
|---|---|---|
| Key lifetime | Per session (ephemeral) | Hardware identity key is stable; ephemeral key rotates with the JWT's exp |
| Identity | JWK Thumbprint of the inline key | JWK Thumbprint URN of the enclave key, stable across sessions |
| Performance cost | One signature per request (fast) | One enclave signature per JWT lifetime, plus one fast signature per request |
| Trust model | TOFU on the inline key | TOFU on the enclave thumbprint; the JWT implies but does not prove hardware protection, since a software key can mint an identical token |
Same tier
Pseudonymous (sig=hwk) →
The inline-key variant — no hardware, no JWT wrapper.
Foundations
Signature-Key Schemes →
All four schemes AAuth uses, side-by-side.
Further reading
- AAuth SPEC · §Agent Token Acquisition (renewal via stable key)
- draft-hardt-httpbis-signature-key · §3.4 jkt-jwt scheme
- RFC 7638 — JSON Web Key Thumbprint
- RFC 7800 — Proof-of-Possession Key Semantics for JWTs