ApertoID

VeronaItaly irn@irn3.com https://github.com/ApertoID

Web and Internet Transport HTTPBIS HTTPAI AgentSignatureEd25519Identity This document defines the ApertoID-Signature HTTP header field, which enables AI agents to cryptographically prove their identity on each HTTP request. The agent signs the request method, target URL, body hash, and identity metadata using an Ed25519 private key whose corresponding public key is published in DNS via the ApertoID protocol . The mechanism provides request-level identity verification, action binding (the signature is tied to the specific method and URL), and replay protection via timestamps and nonces.

Introduction The ApertoID protocol enables domain owners to declare authorized AI agents in DNS, including publishing Ed25519 public keys for agent identity verification. However, publishing a key in DNS only establishes which key belongs to which agent — it does not prove that a particular HTTP request was made by the holder of that key, nor does it bind the signature to the specific action being performed. This document defines the ApertoID-Signature HTTP header field, which closes both gaps. When an agent makes an HTTP request (e.g., to an MCP server, an API, or any HTTP service), it includes this header containing an Ed25519 signature over the request method, target URL, body hash, and identity metadata. The receiving service can then verify the signature against the public key published in the agent's ApertoID DNS record, confirming both that the request originates from the authorized agent AND that the signature applies to this specific request — not a different endpoint, not a different method, not a different body. This mechanism is analogous to DKIM signatures for email: DKIM key records are published in DNS, and DKIM signatures are attached to email messages. Similarly, ApertoID key records are published in DNS (per ), and ApertoID-Signature headers are attached to HTTP requests (per this document).

Relationship to HTTP Message Signatures HTTP Message Signatures provides a general-purpose framework for signing HTTP messages. ApertoID-Signature does not use RFC 9421 for the following reasons:

• RFC 9421 requires structured headers (RFC 8941) support, component identifiers, algorithm negotiation, and signature metadata — all of which add implementation complexity that is unnecessary for the single-purpose case of agent identity verification with a fixed algorithm.
• ApertoID-Signature uses DNS-based key discovery (the public key is in the agent's DNS TXT record), which does not map to RFC 9421's key resolution model.
• ApertoID-Signature is designed to be implementable as a drop-in middleware in under 100 lines of code in any language, without requiring an RFC 9421 library.

However, ApertoID-Signature follows RFC 9421's principle of binding signatures to specific request components. The signing input includes the HTTP method and request target (path + query), ensuring that a signature is valid only for the specific action it was created for.

Requirements Language The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.

The ApertoID-Signature Header Field

Header Syntax The ApertoID-Signature header field contains semicolon-separated tag-value pairs. The formal grammar uses ABNF : ]]>

ABNF Definition

Header Tags

d (REQUIRED)

The domain the agent claims to represent. The verifier uses this to locate the ApertoID Policy Record at "_apertoid.<d>".

s (REQUIRED)

The agent selector. Combined with the domain, this identifies the Agent Declaration Record at "<s>._apertoid.<d>" where the public key is published.

t (REQUIRED)

The signature timestamp as a Unix timestamp (seconds since 1970-01-01T00:00:00Z). MUST be within the validity window (default: 300 seconds / 5 minutes) of the verifier's current time. Requests with timestamps outside this window MUST be rejected.

n (REQUIRED)

A nonce: a unique, non-repeating value for this request, encoded as 1-16 hexadecimal characters (lowercase). The nonce provides replay protection within the timestamp validity window. Verifiers MUST maintain a nonce cache for the duration of the validity window and MUST reject requests with previously seen nonces.

sig (REQUIRED)

The Ed25519 signature over the signing input (), encoded as unpadded Base64 per Section 4 (88 characters for 64 bytes).

Signing Procedure

Signing Input Construction The signing input is a byte string constructed by concatenating the following components, each terminated by a newline character (0x0A): Where:

d_value

The value of the d= tag (the domain name, lowercase).

s_value

The value of the s= tag (the selector, lowercase).

t_value

The decimal string representation of the t= tag (the timestamp).

n_value

The value of the n= tag (the nonce, lowercase hex).

method

The HTTP request method, uppercase (e.g., "GET", "POST", "DELETE"). This binds the signature to the specific HTTP action. A signature created for a POST request MUST NOT be valid for a GET or DELETE request.

target

The request target as sent in the HTTP request line: the path and query string, without the scheme, host, or fragment (e.g., "/mcp/tools/search?limit=10"). If there is no query string, only the path is included (e.g., "/mcp/tools/search"). This binds the signature to the specific endpoint. A signature created for /mcp/search MUST NOT be valid for /mcp/delete.

body_hash

The lowercase hexadecimal SHA-256 hash of the raw HTTP request body. This binds the signature to the specific request content. If the request has no body (e.g., GET, HEAD, DELETE without body), the SHA-256 hash of the empty string MUST be used:

All components MUST be encoded as UTF-8. The signing input MUST be deterministic: the same input parameters MUST always produce the same signing input byte string.

Producing the Signature The agent produces the signature as follows:

1. Determine the request method (e.g., "POST") and request target (e.g., "/mcp/tools/search").
2. Compute the SHA-256 hash of the request body (or the empty-body hash for bodyless requests).
3. Generate a unique nonce (RECOMMENDED: 8-16 random hex characters).
4. Record the current Unix timestamp.
5. Construct the signing input as defined in .
6. Sign the signing input using the agent's Ed25519 private key per , producing a 64-byte signature.
7. Encode the signature as unpadded Base64 per Section 4.
8. Construct the ApertoID-Signature header with all required tags.
9. Attach the header to the outgoing HTTP request.

Example An agent "leadhunter" acting for "example.com" sends: The signing input (each line terminated by LF): The agent signs this input with its Ed25519 private key and attaches:

Verification Procedure Services that have deployed ApertoID SHOULD inspect incoming HTTP requests for the ApertoID-Signature header. If the header is present, the service SHOULD verify it per this specification. If the header is absent but the agent's domain publishes an ApertoID policy with "p=reject", the service MAY reject the unsigned request. When a service receives a request with an ApertoID-Signature header, it performs the following verification: 300: Return "timestamp_invalid" 4. Check nonce n= against nonce cache: If n= is in cache: Return "nonce_reused" Add n= to cache with expiry = t + 300 5. Perform DNS verification per [APERTOID-DNS]: Query "_apertoid." for policy record Query "._apertoid." for agent declaration Extract pk= (public key) and check exp= 6. If DNS verification fails: Apply policy p= from policy record Return DNS verification result 7. Reconstruct signing_input from: d, s, t, n, request.method (uppercase), request.target (path + query), SHA-256(request.body) 8. Verify Ed25519 signature sig= against signing_input using public key pk= from DNS record 9. If signature is invalid: Apply policy p= from policy record Return "sig_invalid" 10. Return "pass" ]]>

Result Values

pass

The signature is valid, the agent is authorized, and the signature matches the specific request method, target, and body.

malformed

The ApertoID-Signature header is present but cannot be parsed.

timestamp_invalid

The timestamp is outside the validity window.

nonce_reused

The nonce was already seen within the validity window.

sig_invalid

The Ed25519 signature does not match the signing input and public key.

DNS-level results (none, revoked, expired, url_mismatch, key_mismatch, permerror, temperror) are as defined in .

Replay Protection ApertoID-Signature provides three layers of replay protection:

Timestamp window

Signatures are valid for at most 300 seconds (5 minutes). Requests with timestamps outside this window are rejected. This limits the useful lifetime of any intercepted signature.

Nonce uniqueness

Within the timestamp window, each nonce may be used only once. Verifiers MUST maintain a nonce cache and reject duplicate nonces. The cache need only retain entries for the duration of the validity window; older entries can be safely evicted.

Action binding

The signing input includes the HTTP method and request target. A valid signature for "POST /mcp/search" cannot be replayed against "DELETE /mcp/data" or "POST /mcp/export" — even within the timestamp window and with a fresh nonce, because the signing input would differ.

Verifiers SHOULD use a validity window of 300 seconds (5 minutes). Shorter windows reduce the replay surface but increase sensitivity to clock skew. Verifiers MAY allow configuration of the validity window within the range of 60 to 600 seconds.

Security Considerations

Action Binding Scope The signing input includes the HTTP method and request target (path + query), preventing cross-endpoint and cross-method replay attacks. However, it does not include the Host header or scheme. This means a valid signature could theoretically be replayed against a different host serving the same path, if the attacker can redirect the request. In practice, this is mitigated by TLS: the agent establishes a TLS connection to a specific host, and the signature is only transmitted over that connection. Services MUST require HTTPS per ; HTTP connections MUST NOT be used with ApertoID-Signature.

HTTP Headers Not Signed HTTP headers (other than the request method and target) are not included in the signing input. This means headers such as Content-Type, Authorization, and custom headers can be modified by an intermediary without invalidating the signature. The rationale is that ApertoID-Signature authenticates agent identity and binds it to a specific action and payload — it is not a general-purpose message integrity mechanism. TLS provides full message integrity in transit. Services requiring header integrity beyond what TLS provides SHOULD use HTTP Message Signatures in addition to ApertoID-Signature.

Clock Synchronization The timestamp-based validity window requires that agents and verifiers maintain reasonably synchronized clocks. Agents and verifiers SHOULD use NTP or equivalent time synchronization. Clock skew greater than the validity window will cause all requests to fail verification.

Nonce Cache Requirements Verifiers MUST maintain a nonce cache for the duration of the timestamp validity window. The cache MUST be shared across all verification instances if the service runs multiple processes or nodes. Failure to maintain a shared nonce cache allows replay attacks across processes. For services running on a single node, an in-memory cache is sufficient. For distributed services, a shared cache (e.g., Redis, Memcached) is RECOMMENDED.

Private Key Protection The agent's Ed25519 private key MUST be protected with the same care as any other signing key. It SHOULD be stored in a hardware security module (HSM), trusted platform module (TPM), or at minimum in encrypted storage with appropriate access controls. If the private key is compromised, the domain owner MUST immediately revoke the agent's DNS record per .

Signature Stripping An attacker who can intercept and modify HTTP requests could strip the ApertoID-Signature header entirely, causing the request to appear unsigned. Verifiers SHOULD query the agent's ApertoID policy record to determine whether the domain expects signed requests. If the policy specifies "p=reject", the verifier SHOULD reject unsigned requests from agents claiming to represent that domain.

Privacy Considerations The ApertoID-Signature header reveals the agent's domain (d=) and selector (s=) to the receiving service and to any intermediary that can observe HTTP headers. This is by design — the purpose of the header is to declare agent identity. However, domain owners should be aware that the same d= and s= values appear on all requests from the same agent, creating a correlation identifier that enables request tracking across time and endpoints. Services that observe ApertoID-Signature headers learn which domains are using AI agents and which specific agents are making requests. This information is inherent to the protocol's purpose and cannot be mitigated without defeating the protocol's goals. Domain owners who wish to limit correlation SHOULD rotate selectors periodically, though this requires publishing new DNS records.

IANA Considerations

HTTP Header Field Registration This document requests registration of the following HTTP header field in the "Hypertext Transfer Protocol (HTTP) Field Name Registry" maintained at <https://www.iana.org/assignments/http-fields>:

Field Name:

ApertoID-Signature

Status:

permanent

Structured Type:

N/A

Reference:

[this document]

References Normative References Informative References

Full Request/Response Example \n === Verifier checks === 1. Parse header: d=example.com, s=leadhunter 2. Timestamp 1711100000 within 300s of now: OK 3. Nonce a1b2c3d4e5f6 not in cache: OK, cache it 4. DNS: _apertoid.example.com -> policy p=reject 5. DNS: leadhunter._apertoid.example.com -> pk=MCow... 6. exp= not passed: OK 7. Reconstruct signing_input with method=POST, target=/mcp/tools/search, body_hash=sha256(body) 8. Ed25519 verify sig against signing_input with pk: OK 9. Result: pass === Same signature replayed to DELETE endpoint === DELETE /mcp/data/all HTTP/1.1 ApertoID-Signature: d=example.com; s=leadhunter; t=1711100000; n=a1b2c3d4e5f6; sig=MEUCIQDx4f... (same signature) Verification FAILS at step 8: signing_input includes "DELETE" and "/mcp/data/all" which differs from original "POST" and "/mcp/tools/search" -> Ed25519 verify FAILS -> Result: sig_invalid ]]>

Implementation Guidance This appendix is non-normative. To maximize adoption, implementations SHOULD provide middleware or decorator patterns that require minimal code changes. Reference implementations in Python, Go, and JavaScript are maintained at https://github.com/ApertoID.

Acknowledgements The signing mechanism in this document was inspired by the DKIM signature scheme . The principle of binding signatures to specific request components follows the approach established by HTTP Message Signatures , adapted for the single-purpose case of AI agent identity verification with DNS-based key discovery.