RFC 9421 HTTP Message Signatures
Resonance supports RFC 9421 HTTP Message Signatures with Ed25519 for payment network compliance. This is the shared authentication standard used by:
- Visa Trusted Agent Protocol (TAP)
- Mastercard Agent Pay
- Cloudflare Web Bot Auth
Triple Auth Model
Resonance supports three auth methods that can be combined:
| Method | Purpose | Headers |
|---|---|---|
| RFC 9421 (Ed25519) | Payment network identity | Signature, Signature-Input, Content-Digest |
| HMAC-SHA256 | Agent/brand identity | X-RSNC-Agent-Key, X-RSNC-Timestamp, X-RSNC-Signature |
| OAuth 2.0 | User identity | Authorization: Bearer <token> |
When to use each
- RFC 9421 — When transacting through Visa/Mastercard payment networks
- HMAC — For direct Resonance API access (brand management, loyalty queries)
- OAuth — For user-linked operations (check balance on behalf of user)
How It Works
Signing Requests
Every signed request includes two headers:
```http
Signature-Input: sig1=("@method" "@path" "@authority" "content-digest");
created=1709510400;expires=1709510880;
keyid="https://agent.rsnc.network/.well-known/jwks";
alg="ed25519";nonce="abc123";tag="agent-browser-auth"
Signature: sig1=:base64-encoded-ed25519-signature:
```
Covered Components
| Component | Value |
|---|---|
| @method | HTTP method (e.g., POST) |
| @path | URL path (e.g., /tasks/send) |
| @authority | Host (e.g., agent.rsnc.network) |
| content-digest | SHA-256 digest of the request body |
Tags
Tags distinguish the intent of the request:
| Tag | Purpose |
|---|---|
| agent-browser-auth | Catalog browsing and discovery |
| agent-payer-auth | Payment transactions |
Parameters
| Parameter | Description | Required |
|---|---|---|
| created | Unix timestamp when the signature was created | Yes |
| expires | Unix timestamp when the signature expires | No |
| keyid | URL from which to fetch the signer's public key (JWKS) | Yes |
| alg | Signature algorithm (must be ed25519) | Yes |
| nonce | Unique value for replay prevention | No |
| tag | Intent tag | No |
JWKS Discovery
Resonance publishes its Ed25519 public key at:
```bash
curl https://agent.rsnc.network/.well-known/jwks
```
Response:
```json
{
  "keys": [{
    "kty": "OKP",
    "crv": "Ed25519",
    "x": "<base64url-encoded-public-key>",
    "kid": "rsnc-agent-prod-2026",
    "use": "sig",
    "alg": "EdDSA"
  }]
}
```
Verification Steps
When Resonance receives a signed request, it performs 7 verification steps:
- Confirm the Signature-Input and Signature headers are present
- Retrieve the signer's public key via the keyid URL
- Validate timestamps within the created/expires window (8 minutes)
- Check nonce uniqueness (replay prevention via KV)
- Validate the tag field if present
- Reconstruct the canonical signature base per RFC 9421
- Verify the Ed25519 cryptographic signature
Usage Example
Signing a Request (Payment Network Agent)
```bash
# The Signature-Input and Signature headers are computed by the agent's
# signing library using its Ed25519 private key.
curl -X POST https://agent.rsnc.network/tasks/send \
  -H "Content-Type: application/json" \
  -H "Content-Digest: sha-256=:base64hash=:" \
  -H 'Signature-Input: sig1=("@method" "@path" "@authority" "content-digest");created=1709510400;keyid="https://example.com/.well-known/jwks";alg="ed25519";tag="agent-browser-auth"' \
  -H "Signature: sig1=:base64signature=:" \
  -d '{
    "message": {
      "role": "user",
      "parts": [{
        "type": "data",
        "mimeType": "application/json",
        "data": {
          "skill": "route_purchase",
          "intent": "running shoes",
          "purchaseAmount": 150
        }
      }]
    }
  }'
```
Combined Auth (RFC 9421 + OAuth)
RFC 9421 identifies the agent; OAuth identifies the user:
```bash
curl -X POST https://agent.rsnc.network/tasks/send \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer <user-jwt>" \
  -H "Content-Digest: sha-256=:base64hash=:" \
  -H 'Signature-Input: sig1=("@method" "@path" "@authority" "content-digest");created=1709510400;keyid="https://example.com/.well-known/jwks";alg="ed25519";tag="agent-payer-auth"' \
  -H "Signature: sig1=:base64signature=:" \
  -d '...'
```
Payment Network Compliance
Visa Trusted Agent Protocol (TAP)
Visa publishes payment network public keys at https://mcp.visa.com/.well-known/jwks. Our agent verifies inbound Visa-signed requests using these keys.
Mastercard Agent Pay
Mastercard uses the same RFC 9421 foundation via Cloudflare Web Bot Auth. Agent registration through Mastercard's "Know Your Agent" (KYA) program is required for production access.
Cloudflare Web Bot Auth
Both Visa TAP and Mastercard Agent Pay are implemented at the CDN layer through Cloudflare's Web Bot Auth infrastructure. Our Cloudflare Workers deployment is natively compatible.
Configuration
| Variable | Description | Required |
|---|---|---|
| ED25519_PRIVATE_KEY | Base64-encoded PKCS8 Ed25519 private key | Yes (for signing) |
| ED25519_KEY_ID | Key ID in JWKS (default: rsnc-agent-prod-2026) | No |