Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.algovoi.co.uk/llms.txt

Use this file to discover all available pages before exploring further.

The AlgoVoi RFC 9421 verifier is a standalone reference implementation of RFC 9421 (HTTP Message Signatures) and RFC 9530 (Digest Fields for HTTP). It is standalone — a verifier can re-validate any RFC 9421-signed request against a known public key without trusting AlgoVoi’s gateway, signing service, or control plane.

Python (PyPI)

pip install algovoi-rfc9421-verifier

TypeScript (npm)

npm install @algovoi/rfc9421-verifier
Both packages are byte-deterministic on identical inputs. 24/24 cross-implementation agreements across 8 independent JCS implementations — the same attestation corpus that anchors the canonicalisation substrate. Apache 2.0.

Use cases

  • Inbound request verification — verify an RFC 9421-signed HTTP request against a known public key before processing it.
  • Proxy-chain re-validation — re-validate a captured request after it traverses a TLS-re-terminating proxy chain (the property pinned in the rfc9421_proxy_chain_v0 conformance fixture).
  • Conformance test harnesses — build test suites anchored to the RFC 8032 Section 7.1 deterministic Ed25519 reference keypair, byte-reproducible across both implementations.
  • A2A and x402 receipt validation — verify that incoming compliance receipts and settlement attestations carry valid HTTP signatures before inserting them into the audit chain.

What the verifier checks

#CheckWhat it proves
1Signature-Input parseHeader parses to a valid covered-component list with keyid, alg, and created parameters
2Content-Digest matchSHA-256 or SHA-512 digest of the request body matches the Content-Digest field (RFC 9530)
3Signature base reconstructionCanonical signature base rebuilt from covered components per RFC 9421 §2.5
4Key verificationEd25519 or ECDSA-P256 signature over the reconstructed base verifies against the supplied public key
5created freshnesscreated timestamp is within the caller-configurable freshness window (default: 300 s)

Quick start

Python

from algovoi_rfc9421_verifier import verify_request

result = verify_request(
    method="GET",
    authority="api.algovoi.co.uk",
    path="/compliance/attestation",
    headers={
        "content-digest": "sha-256=:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=:",
        "signature-input": (
            'sig=("@method" "@authority" "@path" "content-digest" "created");'
            'created=1778955520;keyid="did:web:api.algovoi.co.uk";alg="ed25519"'
        ),
        "signature": (
            "sig=:Xj1peMjEYi75R/QQFYpU9q/gHwQKYwgt1etjAX1qc0zugTMJoJ86Uhy/jTZ175b3"
            "zFhp0j8cLjmDJvGmySDBAQ==:"
        ),
    },
    body=b"",
    public_key="d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
)
assert result.valid

TypeScript

import { verifyRequest } from "@algovoi/rfc9421-verifier";

const result = await verifyRequest({
  method: "GET",
  authority: "api.algovoi.co.uk",
  path: "/compliance/attestation",
  headers: {
    "content-digest": "sha-256=:47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=:",
    "signature-input":
      'sig=("@method" "@authority" "@path" "content-digest" "created");created=1778955520;keyid="did:web:api.algovoi.co.uk";alg="ed25519"',
    signature:
      "sig=:Xj1peMjEYi75R/QQFYpU9q/gHwQKYwgt1etjAX1qc0zugTMJoJ86Uhy/jTZ175b3zFhp0j8cLjmDJvGmySDBAQ==:",
  },
  body: Buffer.from(""),
  publicKey: "d75a980182b10ab7d54bfed3c964073a0ee172f3daa62325af021a68f707511a",
});
console.assert(result.valid);

Cross-implementation parity

The Python and TypeScript verifiers produce byte-identical output on the same inputs. Parity is exercised against the RFC 8032 Section 7.1 Test 1 reference Ed25519 keypair:
  • Same Signature-Input parse output
  • Same signature base reconstruction bytes
  • Same Content-Digest computation (SHA-256 and SHA-512)
  • Same pass/fail verdict across all conformance fixtures
The rfc9421_proxy_chain_v0 vector set at the conformance vectors repository pins these properties byte-reproducibly. 24/24 cross-implementation agreements in the AlgoVoi attestation run dated 2026-05-24.

Algorithm support

AlgorithmIdentifierKey format
Ed25519ed2551932-byte hex or raw bytes
ECDSA-P256ecdsa-p256-sha256SEC1 compressed or uncompressed
Both algorithms produce deterministic signatures for deterministic inputs (Ed25519 uses RFC 8032 deterministic nonce; ECDSA-P256 uses RFC 6979 deterministic nonce).

Composition with the compliance stack

The verifier composes with the JCS canonicalisation substrate. A compliance receipt or settlement attestation emitted by AlgoVoi’s gateway carries an RFC 9421 signature over its HTTP delivery. A downstream verifier can:
  1. Verify the HTTP signature to confirm the receipt was issued by the declared keyid DID.
  2. Verify the content_hash of the receipt body using the audit verifier.
This two-layer verification confirms both origin (HTTP signature) and tamper-evidence (JCS hash chain) without trusting any single AlgoVoi endpoint.

Conformance vectors

The rfc9421_proxy_chain_v0 fixture set at algovoi-jcs-conformance-vectors covers:
  • Baseline signing and verification round-trip (Ed25519 + ECDSA-P256)
  • Proxy chain re-validation after TLS re-termination
  • Content-Digest computation for empty and non-empty bodies
  • created freshness window enforcement
  • Covered-component ordering invariants

See also