HTTP Message Signatures
An IETF standard (RFC 9421) for cryptographically signing components of an HTTP message so a server can verify who sent it and that it was not altered.
- term
- HTTP Message Signatures
- category
- identity
- short_def
- An IETF standard (RFC 9421) for cryptographically signing components of an HTTP message so a server can verify who sent it and that it was not altered.
- long_def
- Published as a Standards Track RFC in February 2024 (editors A. Backman and J. Richer, with M. Sporny), RFC 9421 defines how to sign chosen parts of a request or response and supports algorithms including EdDSA over Curve25519 (Ed25519). It is the cryptographic foundation Web Bot Auth builds on to prove agent identity, since user-agent strings are spoofable.
- see_also
- web-bot-auth, agent-identity, verifiable-credentials
- etymology_origin
- Published by the IETF as RFC 9421 'HTTP Message Signatures' (Standards Track, February 2024); editors Annabelle Backman and Justin Richer, with Manu Sporny; supports EdDSA over edwards25519 among other algorithms.
- related_to
- web-bot-auth, agent-identity, verifiable-credentials, prompt-injection
- contrast_with
- Unlike Web Bot Auth, which is the specific agentic-web scheme for identifying bots, HTTP Message Signatures (RFC 9421) is the general-purpose signing mechanism it is built on — the primitive, not the application.
- example
- RFC 9421 (February 2024) standardized HTTP Message Signatures with support for Ed25519; Web Bot Auth uses it so a server can verify a request genuinely came from a declared agent.
- source
- https://www.rfc-editor.org/rfc/rfc9421.html
- status
- active
- why_it_matters
- HTTP Message Signatures are the standards primitive under verified-agent access; understanding RFC 9421 is the basis for trusting, rate-limiting or charging an agent by identity.
- sameAs
- https://datatracker.ietf.org/doc/html/rfc9421
- bridge_entity
- protocols/identity/web-bot-auth
- last_verified
- 2026-06-15
- md_twin
- /glossary/http-message-signatures.md