# Message Signatures

Message signatures can be defined globally or [per-subgraph](#per-subgraph-message-signatures).

```toml
[gateway.message_signatures]
enabled = true
key.file = "key.json"
key.id = "my-key"
algorithm = "ed25519"
headers.include = ["content-type", "content-length"]
headers.exclude = ["authorization"]
derived_components = ["method", "target_uri"]
signature_parameters = ["nonce"]
expiry = "10s"
```

- `enabled`: Enables or disables message signatures. Default value is `false`.
- `key.file`: Specifies the path to the key file. The file should be either a JSON file containing a JWK, or a PEM file containing a PKCS#8 private key.
- `key.id`: Specifies the key ID, which will be included as the `keyid` signature parameter when signing. If possible this ID is determined from the provided key file (for example the `kid` of a JWK), but it can also be set manually.
- `algorithm`: Specifies the algorithm used for signing. Possible values are `ed25519`, `hmac-sha256`, `ecdsa-p256-sha256`, and `ecdsa-p384-sha384`. Default is the algorithm of the key file provided.
- `headers.include`: Specifies the headers that should be included in the signature. Defaults to all headers being included.
- `headers.exclude`: Specifies the headers that should be excluded from the signature. This setting takes precedence over `include`. Defaults to no headers being excluded.
- `derived_components`: Specifies the derived components that should be included in the signature. Possible values are the HTTP method (`method`), the full URL of the request (`target_uri`), the hostname of the request's target URL (`authority`), the scheme of the request's target URL (`scheme`), the [request-target](https://datatracker.ietf.org/doc/html/rfc9421#name-request-target) of the request (`request_target`), and the absolute path of the request URL (`path`). Default value is `["request_target"]`.
- `signature_parameters`: Specifies the parameters that should be included in the signature. Currently the only possible value is `nonce`, which includes a fresh random nonce in every request's signature. Defaults to `[]`.
- `expiry` ([duration](https://grafbase.com/docs/gateway/configuration/durations.md)): Specifies the duration after which a signature is considered expired. Defaults to no expiry.
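As an added example (not Grafbase Gateway's code), the following Python builds the RFC 9421 signature base that a configuration like the one above implies, signs it, and verifies it on the receiving side, so you can see what `headers.include`/`headers.exclude`, `derived_components`, `nonce` and `expiry` actually change on the wire. It uses `hmac-sha256` from the algorithm list so that it runs with the standard library alone; Ed25519 and ECDSA differ only in the final signing step. The mapping from the config's `derived_components` names to RFC 9421 component identifiers (`target_uri` to `@target-uri`, and so on), the minimal `Signature-Input` parser, and the key, headers and URL are assumptions made for this example.

```python
"""Added example, not Grafbase Gateway code: RFC 9421 signing and verification
with hmac-sha256 for the covered components and parameters the config names."""
import base64
import hashlib
import hmac
import time
from urllib.parse import urlsplit

# Assumed mapping from the config's derived_components names to RFC 9421
# component identifiers (the page lists only the left-hand names).
DERIVED = {
    "method": "@method",
    "target_uri": "@target-uri",
    "authority": "@authority",
    "scheme": "@scheme",
    "request_target": "@request-target",
    "path": "@path",
}


def derived_value(component, method, url):
    """Value of one derived component for the request line `method url`."""
    u = urlsplit(url)
    if component == "@method":
        return method.upper()
    if component == "@target-uri":
        return url
    if component == "@authority":
        return u.netloc.lower()
    if component == "@scheme":
        return u.scheme.lower()
    if component == "@request-target":
        return (u.path or "/") + (f"?{u.query}" if u.query else "")
    if component == "@path":
        return u.path or "/"
    raise ValueError(f"unsupported derived component {component}")


def covered_headers(headers, include=None, exclude=()):
    """Header names to sign: include=None means every header; exclude wins.
    A covered header absent from the message is an error under RFC 9421, so
    only headers actually present are listed (excluded ones stay unprotected)."""
    present = [k.lower() for k in headers]
    wanted = present if include is None else [h.lower() for h in include]
    excluded = {h.lower() for h in exclude}
    return [h for h in wanted if h in present and h not in excluded]


def signature_params(components, params):
    """The @signature-params value: inner list of component identifiers,
    then parameters (integers bare, strings quoted)."""
    inner = "(" + " ".join(f'"{c}"' for c in components) + ")"
    for k in ("created", "expires"):
        if k in params:
            inner += f";{k}={int(params[k])}"
    for k in ("keyid", "alg", "nonce"):
        if k in params:
            inner += f';{k}="{params[k]}"'
    return inner


def signature_base(method, url, headers, components, params_value):
    """RFC 9421 signature base: one `"name": value` line per component,
    closed by the @signature-params line."""
    hdrs = {k.lower(): v.strip() for k, v in headers.items()}
    lines = [
        f'"{c}": {derived_value(c, method, url) if c.startswith("@") else hdrs[c]}'
        for c in components
    ]
    lines.append(f'"@signature-params": {params_value}')
    return "\n".join(lines)


def sign_request(method, url, headers, key, key_id, *, include=None, exclude=(),
                 derived=("request_target",), nonce=None, expiry=None,
                 now=None, label="sig1"):
    """Return the Signature-Input and Signature headers to add to the request.
    Defaults mirror the page: derived=["request_target"], no nonce, no expiry."""
    now = int(time.time()) if now is None else now
    components = [DERIVED[d] for d in derived] + covered_headers(headers, include, exclude)
    params = {"created": now, "keyid": key_id, "alg": "hmac-sha256"}
    if expiry is not None:
        params["expires"] = now + expiry
    if nonce is not None:
        params["nonce"] = nonce
    value = signature_params(components, params)
    mac = hmac.new(key, signature_base(method, url, headers, components, value).encode(),
                   hashlib.sha256).digest()
    return {"Signature-Input": f"{label}={value}",
            "Signature": f"{label}=:{base64.b64encode(mac).decode()}:"}


def parse_signature_input(value, label):
    """Minimal parser for `label=("c1" "c2");created=..;keyid=".."`, enough for
    what sign_request emits (assumed; not a general structured-field parser)."""
    name, _, inner = value.partition("=")
    if name.strip() != label:
        raise ValueError("signature label not found")
    comps, _, rest = inner.partition(")")
    components = [c.strip('"') for c in comps.lstrip("(").split()]
    params = {k: v.strip('"') for k, _, v in (p.partition("=") for p in rest.split(";")[1:])}
    return components, params, inner


def verify_request(method, url, headers, key, *, now=None, label="sig1"):
    """Recompute the base from Signature-Input; check algorithm, expiry and MAC."""
    now = int(time.time()) if now is None else now
    components, params, value = parse_signature_input(headers["Signature-Input"], label)
    if params.get("alg") != "hmac-sha256":
        return False, "unexpected alg"
    if "expires" in params and int(params["expires"]) < now:
        return False, "expired"
    try:
        base = signature_base(method, url, headers, components, value)
    except KeyError as missing:
        return False, f"covered header {missing} absent"
    expected = hmac.new(key, base.encode(), hashlib.sha256).digest()
    sig_label, _, sig = headers["Signature"].partition("=")
    received = base64.b64decode(sig.strip().strip(":"))
    if sig_label.strip() != label or not hmac.compare_digest(expected, received):
        return False, "bad signature"
    return True, "ok"
```

Two points worth noticing when running it: a header listed in both `include` and `exclude` is dropped, and because it is then outside the signature base, changing it does not invalidate the signature; and `expires` is only enforced if the verifier checks it against its own clock, which is why `verify_request` takes `now` explicitly.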

Read more about [Message Signatures](https://grafbase.com/docs/gateway/security/message-signatures.md).