Skip to main content

Signature Verification

Request signing and verification for application authentication.

Signature Process

TODO: Document signature process:

Signing (Application)

Create signature payload (method, timestamp, request hash)
Sign with private key
Include signature in request metadata

Verification (AppServer)

Extract signature from metadata
Validate certificate
Extract public key
Verify signature matches payload
Check timestamp within replay window

Replay Protection

Prevents replay attacks by checking request timestamps.

Replay Window

APPSERVER_SIGNATURE_REPLAY_WINDOW (default: 5m)
Requests older than window are rejected

Clock Skew Tolerance

APPSERVER_CLOCK_SKEW_TOLERANCE (default: 30s)
Allows for time differences between systems

Signature Algorithms

TODO: Document supported algorithms:

RSA-SHA256
ECDSA-SHA256

Best Practices

TODO: Document best practices:

Use NTP to sync clocks
Monitor replay window hits
Log signature failures
Rotate keys regularly

[App Authentication](../concepts/authentication-authorization.md#appauth context)
Certificate Management

Signature Process
- Signing (Application)
- Verification (AppServer)
Replay Protection
- Replay Window
- Clock Skew Tolerance
Signature Algorithms
Best Practices
Related Topics