Message Signatures

Message signatures can be defined globally or per-subgraph.

[gateway.message_signatures]
enabled = true
key.file = "key.json"
key.id = "my-key"
algorithm = "ed25519"
headers.include = ["content-type", "content-length"]
headers.exclude = ["authorization"]
derived_components = ["method", "target_uri"]
signature_parameters = ["nonce"]
expiry = "10s"

  • enabled: Enables or disables message signatures. Default value is false.
  • key.file: Specifies the path to the file that contains the key pair. The file should be either a JSON file containing a JWK or a PEM file containing a PKCS#8 private key.
  • key.id: Specifies the key ID, which will be included as a signature parameter when signing. If possible, this ID will be determined from the provided key file, but it can also be set manually.
  • algorithm: Specifies the algorithm used for signing. Possible values are ed25519, hmac-sha256, ecdsa-p256-sha256, and ecdsa-p384-sha384. Defaults to the algorithm specified in the provided key file.
  • headers.include: Specifies the headers that should be included in the signature. Defaults to all headers being included.
  • headers.exclude: Specifies the headers that should be excluded from the signature. This setting takes precedence over include. Defaults to no headers being excluded.
  • derived_components: Specifies the components that should be included in the signature. Possible values are the HTTP method (method), the full URL of the request (target_uri), the hostname of the request's target URL (authority), the scheme of the request's target URL (scheme), the request-target of the request (request_target), and the absolute path of the request URL (path). Default value is ["request_target"].
  • signature_parameters: Specifies the parameters that should be included in the signature. Currently the only possible value is nonce, which includes a random nonce in every request's signature. Defaults to [].
  • expiry: Specifies the duration after which a signature is considered expired. Defaults to no expiry.
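
A subgraph-side check for requests signed under a configuration like the one above, as an added example (not Grafbase code). It assumes the gateway emits RFC 9421 `Signature-Input` and `Signature` headers under the label `sig1` and signs with hmac-sha256; the key, URL, header values and the simplified regex parsing are constructed for illustration.

```python
import base64, hashlib, hmac, re, time

# Constructed sample values (not from a real deployment).
KEY = b"constructed-demo-secret"
URL = "https://subgraph.example/graphql"
COVERED = ["@method", "@target-uri", "content-type", "content-length"]
META = ';created=1700000000;expires=1700000010;keyid="my-key";alg="hmac-sha256";nonce="c29tZW5vbmNl"'

def signature_base(components, params, method, url, headers):
    """RFC 9421 signature base: one line per covered component, then the params line."""
    derived = {"@method": method.upper(), "@target-uri": url}
    lines = [f'"{c}": {derived[c] if c.startswith("@") else headers[c]}' for c in components]
    lines.append(f'"@signature-params": {params}')
    return "\n".join(lines).encode()

def sign(key, components, meta, method, url, headers):
    """Stand-in for the gateway: returns (Signature-Input, Signature) header values."""
    params = "(" + " ".join(f'"{c}"' for c in components) + ")" + meta
    mac = hmac.new(key, signature_base(components, params, method, url, headers), hashlib.sha256)
    return f"sig1={params}", f"sig1=:{base64.b64encode(mac.digest()).decode()}:"

def verify(key, required, method, url, headers, now=None):
    """Subgraph side: accept only a valid, unexpired signature covering `required`."""
    now = time.time() if now is None else now
    m_in = re.fullmatch(r'sig1=(\(([^)]*)\)(.*))', headers.get("signature-input", ""))
    m_sig = re.fullmatch(r'sig1=:([A-Za-z0-9+/=]+):', headers.get("signature", ""))
    if not m_in or not m_sig:
        return False
    params, inner, meta = m_in.groups()
    components = re.findall(r'"([^"]+)"', inner)
    if not set(required) <= set(components):
        return False  # signature does not cover what this service insists on
    expires = re.search(r';expires=(\d+)', meta)
    if not expires or int(expires.group(1)) < now:
        return False  # policy assumption: signatures without expiry are rejected
    try:
        base = signature_base(components, params, method, url, headers)
        received = base64.b64decode(m_sig.group(1), validate=True)
    except (KeyError, ValueError):
        return False  # covered component missing from the request, or bad base64
    return hmac.compare_digest(hmac.new(key, base, hashlib.sha256).digest(), received)

def signed_headers():
    """Constructed request headers, signed as the sample configuration would cover them."""
    h = {"content-type": "application/json", "content-length": "18", "authorization": "Bearer demo"}
    h["signature-input"], h["signature"] = sign(KEY, COVERED, META, "POST", URL, h)
    return h
```

Because `authorization` is excluded from the signature in this configuration, changing that header does not invalidate the signature, whereas changing the method, URL, `content-type` or `content-length` does.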

Read more about Message Signatures.