Protocol Explorer
HTTP Signatures

Signature-Key Header Schemes

Exploring the four key distribution schemes defined in draft-hardt-httpbis-signature-key. The Signature-Key header embeds or links to the public key required to verify the RFC 9421 signature.

Draft (Signature-Key)

The four schemes covered:
1. Inline Key (hwk)
2. Discovery (jwks_uri)
3. Certificate (x509)
4. Delegated Key (jwt)

Client -> API Server: POST https://api.example.com/hwk-auth -> 204

Scheme 1: 'hwk' (Header Web Key). The client includes the raw public key inline within the Signature-Key header using JWK formatting parameters.

This scheme provides pseudonymous authentication. The server doesn't know WHO the client is, only that they possess the private key matching the inline public key.

CRITICAL: The 'Signature-Input' explicitly lists 'signature-key' as a covered header. If the signature doesn't cover the key header, an attacker could trivially swap out the public key and signature in transit.


Step 1: Inline Key (hwk)

Request / response
POST https://api.example.com/hwk-auth
Signature-Input

sig1=("@method" "@path" "signature-key");created=1776677400

Signature

sig1=:hwk_signature_bytes=:

Signature-Key

sig1=hwk;kty="OKP";crv="Ed25519";x="11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPPr9m4"

Cryptographic Signature

Construction Steps

1. Base String (notice signature-key is covered)
"@method": POST
"@path": /hwk-auth
"signature-key": sig1=hwk;kty="OKP";crv="Ed25519";x="11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPPr9m4"
"@signature-params": ("@method" "@path" "signature-key");created=1776677400
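As an added example (not part of the Protocol Explorer page or the draft), a verifier-side sketch in Python that rebuilds the signature base shown above from the request headers and refuses to trust an inline hwk key unless "signature-key" is among the covered components, which is the point the CRITICAL note makes. The request dict, the Signature placeholder and the verify_fn hook are constructed assumptions; the Ed25519 backend assumes the third-party cryptography package.

```python
import base64
import re

# Constructed sample mirroring the page's hwk request (the Signature value is a placeholder).
SAMPLE_REQUEST = {"method": "POST", "path": "/hwk-auth", "headers": {
    "signature-input": 'sig1=("@method" "@path" "signature-key");created=1776677400',
    "signature": "sig1=:" + base64.b64encode(b"constructed-signature").decode() + ":",
    "signature-key": 'sig1=hwk;kty="OKP";crv="Ed25519";x="11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPPr9m4"',
}}

def parse_signature_input(value, label):
    """Return (covered components, params) for one label; single-entry Dictionary only."""
    m = re.match(r"^" + re.escape(label) + r"=\((.*?)\)(.*)$", value)
    if not m:
        raise ValueError("no Signature-Input entry for " + label)
    return re.findall(r'"([^"]+)"', m.group(1)), "(" + m.group(1) + ")" + m.group(2)

def build_signature_base(req, label):
    """RFC 9421 signature base: one '"name": value' line per covered component."""
    components, params = parse_signature_input(req["headers"]["signature-input"], label)
    derived = {"@method": req["method"], "@path": req["path"]}  # only the two the page uses
    lines = ['"%s": %s' % (n, derived[n] if n.startswith("@") else req["headers"][n]) for n in components]
    lines.append('"@signature-params": ' + params)
    return "\n".join(lines)

def verify_hwk_request(req, label, verify_fn):
    """Scheme-1 policy: trust the inline hwk key only when signature-key is itself covered, so a
    swapped key+signature pair cannot match the signed base. Returns (ok, reason)."""
    components, _ = parse_signature_input(req["headers"]["signature-input"], label)
    if "signature-key" not in components:
        return False, "signature-key not covered: inline key is swappable in transit"
    key_hdr = req["headers"]["signature-key"]
    jwk = dict(re.findall(r'(\w+)="([^"]*)"', key_hdr))
    if not key_hdr.startswith(label + "=hwk;") or jwk.get("kty") != "OKP" or jwk.get("crv") != "Ed25519":
        return False, "Signature-Key is not an hwk OKP/Ed25519 entry for " + label
    public_key = base64.urlsafe_b64decode(jwk["x"] + "=" * (-len(jwk["x"]) % 4))
    sig = re.match(r"^" + re.escape(label) + r"=:([A-Za-z0-9+/=]+):$", req["headers"]["signature"])
    if not sig or len(public_key) != 32:
        return False, "malformed Signature header or public key"
    ok = verify_fn(public_key, build_signature_base(req, label).encode(), base64.b64decode(sig.group(1)))
    return ok, "verified" if ok else "signature does not match base"

def ed25519_verify(public_key, message, signature):
    """Real backend for verify_fn; assumes the third-party 'cryptography' package is installed."""
    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
    try:
        Ed25519PublicKey.from_public_bytes(public_key).verify(signature, message)
        return True
    except Exception:  # InvalidSignature, or a malformed key
        return False
```

Pass `ed25519_verify` as `verify_fn` against a request carrying a real signature; the policy checks run before any curve arithmetic, so an uncovered key is rejected without touching the backend.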


Signing Key

Ed25519 Private Key

Signature Output

hwk_signature_bytes