# HTTP Message Signatures

> An IETF standard (RFC 9421) for cryptographically signing components of an HTTP message so a server can verify who sent it and that it was not altered.

- **term:** HTTP Message Signatures
- **category:** identity
- **short_def:** An IETF standard (RFC 9421) for cryptographically signing components of an HTTP message so a server can verify who sent it and that it was not altered.
- **long_def:** Published as a Standards Track RFC in February 2024 (editors A. Backman and J. Richer, with M. Sporny), RFC 9421 defines how to sign chosen parts of a request or response and supports algorithms including EdDSA over edwards25519 (Ed25519). It is the cryptographic foundation Web Bot Auth builds on to prove agent identity, since user-agent strings are spoofable.
- **see_also:** web-bot-auth, agent-identity, verifiable-credentials
- **etymology_origin:** Published by the IETF as RFC 9421 'HTTP Message Signatures' (Standards Track, February 2024); editors Annabelle Backman and Justin Richer, with Manu Sporny; supports EdDSA over edwards25519 among other algorithms.
- **related_to:** web-bot-auth, agent-identity, verifiable-credentials, prompt-injection
- **contrast_with:** Unlike Web Bot Auth, which is the specific agentic-web scheme for identifying bots, HTTP Message Signatures (RFC 9421) is the general-purpose signing mechanism it is built on — the primitive, not the application.
- **example:** RFC 9421 (February 2024) standardized HTTP Message Signatures with support for Ed25519; Web Bot Auth uses it so a server can verify a request genuinely came from a declared agent.
- **source:** https://www.rfc-editor.org/rfc/rfc9421.html
- **status:** active
- **why_it_matters:** HTTP Message Signatures are the standards primitive under verified-agent access; understanding RFC 9421 is the basis for trusting, rate-limiting or charging an agent by identity.
- **sameAs:** https://datatracker.ietf.org/doc/html/rfc9421
- **bridge_entity:** protocols/identity/web-bot-auth
- **last_verified:** 2026-06-15
- **md_twin:** /glossary/http-message-signatures.md
