RFC9421: HTTP Message Signatures

datatracker.ietf.org/doc/html/rfc9421

HTTP Message Signatures describes a method of creating, encoding and verifying a signature within an HTTP request. This spec can be used for a variety of applications, both within OAuth and outside of it.

In OAuth, HTTP Signatures can be used as a proof of possession mechanism to add additional protection to Bearer tokens. Other forms of proof of possession in OAuth include:
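To make the mechanism concrete, the following is an added example (not code from the RFC, from oauth.net, or from any library) that implements a small subset of RFC 9421 in Python: it builds the signature base from the covered components, signs it with the hmac-sha256 algorithm, emits the Signature-Input and Signature fields, and verifies them on the receiving side. It assumes a shared secret already provisioned between client and server, supports only the @method, @authority and @path derived components plus ordinary header fields, and handles a single signature label per message; the request, secret and key id below are constructed sample values.

```python
"""Minimal RFC 9421 signer/verifier for the hmac-sha256 algorithm (added example).

Only the @method, @authority and @path derived components and plain HTTP
fields are supported, and one signature label per message is assumed.
"""

import base64
import hashlib
import hmac
import time

# Constructed sample request and shared secret (not from the page or the RFC).
REQUEST = {
    "method": "POST",
    "authority": "api.example.com",
    "path": "/resource",
    "headers": {
        "content-type": ["application/json"],
        "authorization": ["Bearer <token>"],  # placeholder bearer token
    },
}
SECRET = b"constructed-shared-secret"
KEY_ID = "key-1"


def signature_params(components, created, keyid):
    """Serialize the Signature-Input inner list, e.g.
    ("@method" "@authority");created=1700000000;keyid="key-1"."""
    inner = " ".join(f'"{c}"' for c in components)
    return f'({inner});created={created};keyid="{keyid}"'


def component_value(req, name):
    """Resolve one covered component to its canonical value."""
    if name == "@method":
        return req["method"].upper()
    if name == "@authority":
        return req["authority"].lower()
    if name == "@path":
        return req["path"]
    if name.startswith("@"):
        raise ValueError(f"unsupported derived component {name}")
    # Ordinary field: lowercase name, trimmed values, multiple values joined by ", ".
    values = [v.strip() for v in req["headers"].get(name, [])]
    if not values:
        raise ValueError(f"missing covered field {name}")
    return ", ".join(values)


def signature_base(req, components, params):
    """One '"name": value' line per covered component, then the
    @signature-params line; lines joined with LF and no trailing newline."""
    lines = [f'"{c}": {component_value(req, c)}' for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines)


def sign(req, components, secret, keyid, created, label="sig1"):
    """Return the Signature-Input and Signature header values for the request."""
    params = signature_params(components, created, keyid)
    base = signature_base(req, components, params)
    mac = hmac.new(secret, base.encode("ascii"), hashlib.sha256).digest()
    sig = base64.b64encode(mac).decode("ascii")
    return {"Signature-Input": f"{label}={params}", "Signature": f"{label}=:{sig}:"}


def parse_signature_input(value):
    """Split 'label=(components);params' into its parts; the raw serialized
    value after the label is what goes into the @signature-params line."""
    label, _, serialized = value.partition("=")
    if not serialized.startswith("(") or ")" not in serialized:
        raise ValueError("malformed Signature-Input")
    end = serialized.index(")")
    components = [c.strip('"') for c in serialized[1:end].split()]
    params = {}
    for item in serialized[end + 1:].split(";"):
        if item:
            key, _, val = item.partition("=")
            params[key] = val.strip('"')
    return label, components, serialized, params


def parse_signature(value, label):
    lbl, _, sig = value.partition("=")
    if lbl != label or not (sig.startswith(":") and sig.endswith(":")):
        raise ValueError("malformed Signature")
    return base64.b64decode(sig[1:-1])


def verify(req, sig_headers, secret, expected_keyid,
           required=("@method", "@authority", "@path"), max_age=300, now=None):
    """Recompute the signature base from the received request and compare MACs.
    The verifier, not the signer, decides which components must be covered
    and how old a signature may be."""
    label, components, serialized, params = parse_signature_input(sig_headers["Signature-Input"])
    if params.get("keyid") != expected_keyid or "created" not in params:
        return False
    if not set(required) <= set(components):
        return False
    now = time.time() if now is None else now
    if abs(now - int(params["created"])) > max_age:
        return False
    base = signature_base(req, components, serialized)
    expected = hmac.new(secret, base.encode("ascii"), hashlib.sha256).digest()
    return hmac.compare_digest(expected, parse_signature(sig_headers["Signature"], label))


if __name__ == "__main__":
    # Covering "authorization" binds the signature to the bearer token itself.
    hdrs = sign(REQUEST, ("@method", "@authority", "@path", "authorization"),
                SECRET, KEY_ID, created=int(time.time()))
    print(hdrs)
    print("verified:", verify(REQUEST, hdrs, SECRET, KEY_ID))
```

Covering the `authorization` field in the signed components is what turns the bearer token into a proof-of-possession credential: a captured token replayed by a party without the key fails verification, and so does any change to the method, authority or path it was bound to. The `created` freshness window and the verifier-chosen required component set are the two checks most often forgotten in hand-rolled implementations.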

HTTP Signatures is referenced by FAPI as one method of signing HTTP messages.

Historical note: This specification is an evolution of the earlier individual draft "Signing HTTP Messages" by Cavage. The Cavage draft was never adopted by a working group and expired in 2018. For a brief period, some of this work was picked up by the "Digital Verification Community Group" and later moved into the "Credentials Community Group" at the W3C. The CCG version of the draft was redirected to the IETF draft in the HTTPBIS working group, where development continued until it was published as an RFC.

More resources