Protocol Explorer

HTTP Message Signatures

Demonstrates the core of RFC 9421 (HTTP Message Signatures): how the signature base is built from ordinary header fields and derived components such as @method and @path, one newline-separated line per component, and how the result is carried in the Signature-Input and Signature headers as Structured Field Dictionary members.

RFC 9421
Sequence diagram: Client → API Server, step 1: POST https://api.example.com/transactions, response 202.

The client signs an HTTP request as specified in RFC 9421. The signature covers the HTTP method, the request path, the host authority, the Content-Type header, and the Content-Digest of the JSON body, so none of them can be changed in transit without invalidating the signature.

RFC 9421 calls @method, @path and @authority 'derived components' (informally, pseudo-headers). They let the signature cover parts of the request line and target URI that are not carried in any header field.

The Signature Base String is strictly formatted. Each line is the component identifier, lowercased and wrapped in double quotes, followed by a colon and a single space, and then the component value. Header field values are canonicalised first: leading and trailing whitespace is removed, and multiple instances of the same field are joined with ', '. Lines are separated by a single newline (LF) with no trailing newline. The base string is never sent on the wire; the signer and the verifier each reconstruct it from the request.

The final line of the Base String is ALWAYS '@signature-params'. Its value is the exact inner list and parameters from the Signature-Input header for the label being verified (here sig1), so the set of covered components, the created timestamp and the keyid are themselves signed: an attacker cannot drop a component from the list or re-time the request without breaking the signature.

In this scenario, the server must already know the public key associated with keyid='test-key-rsa' (out-of-band key distribution). The keyid is only an untrusted lookup hint; the verifier should additionally check that created falls inside its accepted clock-skew and replay window, that the covered components satisfy its own policy (here, that the body digest really is covered), and that the received body hashes to the Content-Digest value that was signed.


Step 1: POST /transactions

Request / response
POST https://api.example.com/transactions
Host: api.example.com
Date: Mon, 20 Apr 2026 09:30:00 GMT
Content-Type: application/json
Content-Digest: sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:
Signature-Input: sig1=("@method" "@path" "@authority" "content-type" "content-digest");created=17…
Signature: sig1=:base64SignatureBytesHere...=:

Body
{
  "amount": 100,
  "currency": "USD"
}
Cryptographic Signature

Construction Steps

1. Build Signature Base String (never transmitted; the verifier rebuilds it from the received request)
"@method": POST
"@path": /transactions
"@authority": api.example.com
"content-type": application/json
"content-digest": sha-256=:X48E9qOokqqrvdts8nOJRJN3OWDUoyWxBf7kbu9DBPE=:
"@signature-params": ("@method" "@path" "@authority" "content-type" "content-digest");created=1776677400;keyid="test-key-rsa"
2. Sign using RSASSA-PSS
RSASSA-PSS-SHA256(BaseString, PrivateKey) → RawBytes
The input is the byte string of the base exactly as shown above (ASCII, LF-separated, no trailing newline). No alg parameter is present in Signature-Input, so the verifier must take the algorithm and its PSS parameters from the metadata it holds for keyid; note that the PSS identifier RFC 9421 itself registers is rsa-pss-sha512.
3. Format as Structured Field Dictionary members
Signature-Input: sig1=("@method" "@path" "@authority" "content-type" "content-digest");created=1776677400;keyid="test-key-rsa"
Signature: sig1=:base64(RawBytes):
The label sig1 ties the two headers together, and the text after sig1= in Signature-Input must be byte-for-byte the value on the "@signature-params" line of the base.

Signing Key

Client's RSA Private Key (out-of-band 'test-key-rsa')

Signature Output

base64SignatureBytesHere...=
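The whole exchange above, carried through as runnable code: an added example, not code from the page or from any RFC 9421 implementation. It builds the Content-Digest, the signature base and the two headers for the client, then verifies on the server side with the policy checks a practitioner would want (coverage of required components, keyid, created window, body digest, signature). Signing uses RSASSA-PSS with SHA-256 through the `cryptography` package when it is installed, matching construction step 2; without it the block falls back to RFC 9421's hmac-sha256 algorithm with a constructed shared key so it still runs on the standard library, and the base construction and header formatting are identical in both cases. The Content-Digest is computed from the JSON body rather than copied from the page, so that line of the base will differ from the fixed value shown above; the function names, the request dictionary and the fallback key are this example's own.

```python
"""RFC 9421 sign/verify of the page's POST /transactions request. Added example, not page code:
RSASSA-PSS with SHA-256 via `cryptography` when installed, else RFC 9421 hmac-sha256 on the stdlib."""
import base64
import hashlib
import hmac
import time

# Constructed request mirroring the page's headers and JSON body.
REQUEST = {
    "method": "POST", "authority": "api.example.com", "path": "/transactions",
    "headers": {"Host": "api.example.com", "Date": "Mon, 20 Apr 2026 09:30:00 GMT",
                "Content-Type": "application/json"},
    "body": b'{"amount": 100, "currency": "USD"}',
}
COVERED = ["@method", "@path", "@authority", "content-type", "content-digest"]
CREATED = 1776677400
KEYID = "test-key-rsa"                         # known to the verifier out of band, as on the page
SHARED_KEY = b"constructed-fallback-hmac-key"  # hypothetical; used only when `cryptography` is absent

try:  # construction step 2: RSASSA-PSS-SHA256(BaseString, PrivateKey) -> RawBytes
    from cryptography.exceptions import InvalidSignature
    from cryptography.hazmat.primitives import hashes
    from cryptography.hazmat.primitives.asymmetric import padding, rsa
    _PRIV = rsa.generate_private_key(public_exponent=65537, key_size=2048)  # stands in for test-key-rsa
    _PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=32)
    def _sign(base: bytes) -> bytes:
        return _PRIV.sign(base, _PSS, hashes.SHA256())
    def _verify(base: bytes, sig: bytes) -> bool:
        try:
            _PRIV.public_key().verify(sig, base, _PSS, hashes.SHA256())
            return True
        except InvalidSignature:
            return False
except ImportError:  # RFC 9421 hmac-sha256 with a shared key
    def _sign(base: bytes) -> bytes:
        return hmac.new(SHARED_KEY, base, hashlib.sha256).digest()
    def _verify(base: bytes, sig: bytes) -> bool:
        return hmac.compare_digest(_sign(base), sig)

def content_digest(body: bytes) -> str:
    """RFC 9530 Content-Digest value: sha-256=:<base64 of SHA-256(body)>:"""
    return "sha-256=:" + base64.b64encode(hashlib.sha256(body).digest()).decode() + ":"

def component_value(req: dict, name: str) -> str:
    """Value of one covered component: a derived component (@...) or a canonicalised header field."""
    derived = {"@method": req["method"], "@path": req["path"], "@authority": req["authority"].lower()}
    if name in derived:
        return derived[name]
    # Header field: case-insensitive name, whitespace trimmed, repeated instances joined with ", "
    values = [v.strip() for k, v in req["headers"].items() if k.lower() == name]
    if not values:
        raise ValueError(f"covered component {name!r} is missing from the request")
    return ", ".join(values)

def signature_params(covered, created: int, keyid: str) -> str:
    """Inner list plus parameters; appears verbatim in Signature-Input and on the last base line."""
    return "(" + " ".join(f'"{c}"' for c in covered) + f');created={created};keyid="{keyid}"'

def signature_base(req: dict, covered, params_str: str) -> str:
    """One '"identifier": value' line per component, LF-separated, no trailing newline; never sent."""
    lines = [f'"{c.lower()}": {component_value(req, c.lower())}' for c in covered]
    return "\n".join(lines + [f'"@signature-params": {params_str}'])

def sign_request(req: dict, covered=COVERED, created=CREATED, keyid=KEYID, label="sig1") -> dict:
    """Client: add Content-Digest, sign the base, return headers incl. Signature-Input and Signature."""
    headers = dict(req["headers"], **{"Content-Digest": content_digest(req["body"])})
    params_str = signature_params(covered, created, keyid)
    sig = _sign(signature_base(dict(req, headers=headers), covered, params_str).encode("utf-8"))
    headers["Signature-Input"] = f"{label}={params_str}"
    headers["Signature"] = f"{label}=:{base64.b64encode(sig).decode()}:"
    return headers

def parse_signature_input(value: str, label: str):
    """Parse one Dictionary member 'label=(...);k=v;...' -> (covered, params, verbatim member value)."""
    if not value.startswith(label + "=("):
        raise ValueError("unsupported Signature-Input layout")
    params_str = value[len(label) + 1:]
    inner, _, rest = params_str[1:].partition(")")
    params = {k: v.strip('"') for k, _, v in (p.partition("=") for p in rest.split(";")[1:])}
    return [tok.strip('"') for tok in inner.split()], params, params_str

def verify_request(req: dict, headers: dict, label="sig1", required=COVERED,
                   max_age=300, skew=60, now=None) -> bool:
    """Server: policy checks, then body digest, then the signature over a freshly rebuilt base."""
    now = time.time() if now is None else now
    covered, params, params_str = parse_signature_input(headers["Signature-Input"], label)
    if set(required) - set(covered) or params.get("keyid") != KEYID:  # shrunk coverage / unknown key
        return False
    created = int(params.get("created", 0))
    if created > now + skew or now - created > max_age:               # clock skew and replay window
        return False
    if headers.get("Content-Digest") != content_digest(req["body"]):  # body must match signed digest
        return False
    sig_field = headers.get("Signature", "")
    if not sig_field.startswith(f"{label}=:") or not sig_field.endswith(":"):
        return False
    sig = base64.b64decode(sig_field[len(label) + 2:-1])
    return _verify(signature_base(dict(req, headers=headers), covered, params_str).encode("utf-8"), sig)
```

The verifier deliberately rebuilds the "@signature-params" line from the verbatim text of the Signature-Input member rather than re-serialising it, and it runs the cheap policy checks (required components, keyid, created window, body digest) before any public-key operation, so a request that strips content-digest from the covered list, changes the path or body, or is replayed outside the window is rejected without touching the signature. Calling `verify_request(REQUEST, sign_request(REQUEST), now=CREATED + 10)` returns True; the same call with a modified path, body or created timestamp returns False.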