{
  "dataset": "glossary",
  "record": {
    "id": "http-message-signatures",
    "term": "HTTP Message Signatures",
    "category": "identity",
    "short_def": "An IETF standard (RFC 9421) for cryptographically signing selected components of an HTTP message so a server can verify who signed it (the holder of the signing key) and that the signed components were not altered.",
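    "long_def": "Published as a Standards Track RFC in February 2024 (editors A. Backman and J. Richer, with M. Sporny), RFC 9421 defines how to sign chosen parts of a request or response and supports algorithms including EdDSA over the edwards25519 curve (Ed25519). Only the components listed in a signature's covered-component list are protected, so a verifier should require coverage of every component it relies on and enforce the created, expires and (where used) nonce parameters to limit replay. It is the cryptographic foundation Web Bot Auth builds on to prove agent identity, since user-agent strings are spoofable.",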
    "see_also": [
      "web-bot-auth",
      "agent-identity",
      "verifiable-credentials"
    ],
    "etymology_origin": "Published by the IETF as RFC 9421 'HTTP Message Signatures' (Standards Track, February 2024); editors Annabelle Backman and Justin Richer, with Manu Sporny; supports EdDSA over edwards25519 among other algorithms.",
    "related_to": [
      "web-bot-auth",
      "agent-identity",
      "verifiable-credentials",
      "prompt-injection"
    ],
    "contrast_with": "Unlike Web Bot Auth, which is the specific agentic-web scheme for identifying bots, HTTP Message Signatures (RFC 9421) is the general-purpose signing mechanism it is built on — the primitive, not the application.",
    "example": "RFC 9421 (February 2024) standardized HTTP Message Signatures with support for Ed25519; Web Bot Auth uses it so a server can verify a request genuinely came from a declared agent.",
    "source": "https://www.rfc-editor.org/rfc/rfc9421.html",
    "status": "active",
    "why_it_matters": "HTTP Message Signatures are the standardized primitive underlying verified-agent access; understanding RFC 9421 is the basis for trusting, rate-limiting or charging an agent by identity.",
    "sameAs": [
      "https://datatracker.ietf.org/doc/html/rfc9421"
    ],
    "bridge_entity": "protocols/identity/web-bot-auth",
    "last_verified": "2026-06-15",
    "md_twin": "/glossary/http-message-signatures.md"
  }
}