HTTP Signatures

HTTP Signatures describes a method of creating, encoding and verifying a signature within an HTTP request. This spec can be used for a variety of applications, both within OAuth and outside of it. This work is taking place in the HTTPBIS working group at the IETF.

The latest version of the in-progress specification can be found at:

In OAuth, HTTP Signatures can be used as a proof of possession mechanism to add protection to Bearer tokens. Other forms of proof of possession in OAuth include:

Historical note: This draft is an evolution of the earlier individual draft "Signing HTTP Messages" by Cavage. The Cavage draft was never adopted by a working group and expired in 2018. For a brief period, some of this work was picked up by the "Digital Verification Community Group" and later moved into the "Credentials Community Group" at the W3C. The current version of the draft at the CCG is a redirect to the IETF draft in the HTTPBIS working group, which is the intended location where this work will continue.
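
As an added illustration of the proof-of-possession use described above (this is not code from the specification or from this page's author), the following Python example has the client sign the request method, authority, path and Authorization header with HMAC-SHA256, and has the server reject a bearer token that arrives without a valid signature or on a different request. The component names and header layout are modelled on the draft; the shared key, key id, token and host are constructed, and freshness checks on `created` are left out.

```python
import base64
import hashlib
import hmac

# Constructed values for illustration; none of these are real credentials.
KEY = b"constructed-shared-secret"
COVERED = '("@method" "@authority" "@path" "authorization")'
PARAMS = COVERED + ';created=1700000000;keyid="demo-key"'


def signature_base(method, authority, path, headers, params):
    """Build the signed string: one line per covered component, then the params."""
    lines = [
        f'"@method": {method.upper()}',
        f'"@authority": {authority.lower()}',
        f'"@path": {path}',
        f'"authorization": {headers["Authorization"].strip()}',
        f'"@signature-params": {params}',
    ]
    return "\n".join(lines)


def sign(method, authority, path, headers, key=KEY):
    """Client side: return the two signature headers to attach to the request."""
    base = signature_base(method, authority, path, headers, PARAMS)
    mac = hmac.new(key, base.encode(), hashlib.sha256).digest()
    return {
        "Signature-Input": "sig1=" + PARAMS,
        "Signature": "sig1=:" + base64.b64encode(mac).decode() + ":",
    }


def verify(method, authority, path, headers, key=KEY):
    """Server side: rebuild the base from the request as received and compare."""
    try:
        params = headers["Signature-Input"].removeprefix("sig1=")
        if not params.startswith(COVERED + ";"):
            return False  # policy: the bearer token and request target must be covered
        encoded = headers["Signature"].removeprefix("sig1=").strip(":")
        received = base64.b64decode(encoded, validate=True)
        base = signature_base(method, authority, path, headers, params)
    except (KeyError, ValueError):
        return False
    expected = hmac.new(key, base.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, received)
```

Because the signature covers both the token and the request target, a captured `Authorization` header is not enough on its own: the verifier also needs a signature made with the key bound to that token, over the same method, authority and path.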