AAuth Explorer
signing · Phase 1

Pseudonymous Signing (sig=hwk)

The agent proves possession of a key without revealing its identity. The Ed25519 public key is embedded inline in the Signature-Key header (hwk). The resource verifies the signature but learns nothing about who the agent is.

§ HTTP Message Signatures — Pseudonymous
Agent ↔ Resource
1. Unsigned GET /data → 401
2. Signed GET (sig=hwk) → 200

GET https://api.example/data → 401

Resource returns 401 + Accept-Signature challenge.

sigkey=jkt tells the agent: include your public key JWK thumbprint in Signature-Key.

Covered components (@method, @authority, @path, signature-key) must all be signed.
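
Added example, not taken from AAuth Explorer or the AAuth project: a Node.js sketch of the signed request in step 2 and the resource-side check, showing why signature-key has to be among the covered components. The signature base follows RFC 9421; the Signature-Key serialization, the `sig` label, the `created` parameter and all function names are assumptions.

```javascript
// Added example; header serialization, label and names are assumptions.
const nodeCrypto = require("node:crypto");

const COVERED = ["@method", "@authority", "@path", "signature-key"];
const LIST = `(${COVERED.map((c) => `"${c}"`).join(" ")})`;

// Assumed hwk form: the key's JWK members as parameters of Signature-Key.
function hwkHeader(publicKey) {
  const { kty, crv, x } = publicKey.export({ format: "jwk" });
  return `sig=hwk;kty="${kty}";crv="${crv}";x="${x}"`;
}

// RFC 9421 signature base: one line per covered component, then the params.
function signatureBase(req, params) {
  const url = new URL(req.url);
  const value = {
    "@method": req.method.toUpperCase(),
    "@authority": url.host,
    "@path": url.pathname,
    "signature-key": req.headers["signature-key"],
  };
  const lines = COVERED.map((c) => `"${c}": ${value[c]}`);
  lines.push(`"@signature-params": ${params}`);
  return Buffer.from(lines.join("\n"));
}

function signRequest(req, keyPair, created) {
  const params = `${LIST};created=${created}`;
  req.headers["signature-key"] = hwkHeader(keyPair.publicKey);
  const sig = nodeCrypto.sign(null, signatureBase(req, params), keyPair.privateKey);
  req.headers["signature-input"] = `sig=${params}`;
  req.headers["signature"] = `sig=:${sig.toString("base64")}:`;
  return req;
}

// Resource side: the only key material is what the request itself carries.
function verifyRequest(req) {
  const h = req.headers;
  const k = /^sig=hwk;kty="OKP";crv="Ed25519";x="([^"]+)"$/.exec(h["signature-key"] || "");
  const params = (h["signature-input"] || "").replace(/^sig=/, "");
  const sig = /^sig=:([A-Za-z0-9+/=]+):$/.exec(h["signature"] || "");
  // Accept only the exact component list from the challenge.
  if (!k || !sig || !params.startsWith(LIST)) return false;
  try {
    const jwk = { kty: "OKP", crv: "Ed25519", x: k[1] };
    const key = nodeCrypto.createPublicKey({ key: jwk, format: "jwk" });
    return nodeCrypto.verify(null, signatureBase(req, params), key, Buffer.from(sig[1], "base64"));
  } catch { return false; }
}

// Constructed sample request matching step 1 on this page.
const newRequest = () => ({ method: "GET", url: "https://api.example/data", headers: { accept: "application/json" } });
```

Because signature-key is part of the signed base, replacing the inline key with a different one invalidates the signature, so the resource can treat the embedded key as a stable pseudonym for that agent.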


Step 1: Unsigned GET /data → 401

Request / response
GET https://api.example/data
Host: api.example
Accept: application/json