Accept-Signature
The HTTP Accept-Signature request or response header signals willingness to accept HTTP Message Signatures and communicates preferences for signature algorithms, covered components, and metadata parameters.
Usage
The Accept-Signature header enables negotiation of message signatures for subsequent communications in an HTTP exchange. Before sending signed messages, a client or server uses this header to indicate signature requirements and preferences. The receiving party then applies signatures to future requests or responses according to the specified parameters.
This negotiation mechanism supports opportunistic and application-driven message signatures. A server responding with Accept-Signature tells the client which signature parameters to use on the next request. A client sending Accept-Signature communicates what signature formats and algorithms the client expects on responses.
The header works alongside Signature and Signature-Input headers, which carry the actual signature values and metadata. Accept-Signature precedes these by establishing agreement on signature format before transmission.
The header is part of the HTTP Message Signatures framework, which provides a mechanism for creating, encoding, and verifying digital signatures or message authentication codes over HTTP message components.
Note
HTTP Message Signatures is a Proposed Standard with limited real-world deployment. Most production HTTP traffic does not use message-level signatures. Adoption is concentrated in high-assurance API environments and financial services where message integrity verification is a regulatory or contractual requirement.
Directives
The Accept-Signature header value is a Dictionary structure containing one or more named signature preference sets. Each entry specifies parameters the sender expects or prefers in subsequent signed messages.
The inner list of each Dictionary entry contains the covered components: quoted strings identifying which parts of the HTTP message must be signed. Component identifiers like "@method", "@authority", "@path", and "content-digest" reference specific message parts. Parameters on the Dictionary entry, such as alg, specify the required signature algorithm.
The structure follows the Dictionary format defined by Structured Field Values for HTTP, allowing machine-parseable negotiation of signature requirements.
Example
A server responds with Accept-Signature to indicate that it accepts signed requests on subsequent interactions. The client reads this signal and applies the specified signature format to the next request in the exchange.
Accept-Signature: sig1=("@method" "@authority" "@path" "content-digest"); alg="rsa-pss-sha512"
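The following Python is an added example, not code from the page or from any HTTP Message Signatures library: it parses the Dictionary structure described under Directives (a label, an inner list of quoted component identifiers, and `;`-separated parameters) and then performs the check a verifier would want after the negotiation described under Usage, namely whether the Signature-Input a peer later sends actually covers the components and uses the algorithm that Accept-Signature asked for. Because Signature-Input uses the same Dictionary-of-inner-lists syntax, one parser serves both headers. The parser covers only the subset of Structured Fields needed here (quoted-string components; string, integer, token or bare parameters), the function names and the header values other than the page's own example are constructed for illustration, and matching signatures by label is an assumption of this check.

```python
import re

# Structured Fields subset: dictionary keys, quoted strings, integers and tokens.
_KEY = re.compile(r"[a-z*][a-z0-9_\-.*]*")
_STRING = re.compile(r'"((?:[^"\\]|\\.)*)"')
_INT = re.compile(r"-?\d+")
_TOKEN = re.compile(r"[A-Za-z*][A-Za-z0-9_\-.:*/]*")


def parse_signature_dictionary(value: str) -> dict:
    """Parse an Accept-Signature (or Signature-Input) field value.

    Returns {label: {"components": [...], "params": {...}}}.  A bare
    parameter with no value (e.g. ";created") is stored as True.
    Raises ValueError on anything outside the supported subset.
    """
    prefs, pos, n = {}, 0, len(value)

    def skip_ows():
        nonlocal pos
        while pos < n and value[pos] in " \t":
            pos += 1

    while True:
        skip_ows()
        m = _KEY.match(value, pos)
        if not m:
            raise ValueError(f"expected dictionary key at offset {pos}")
        label, pos = m.group(0), m.end()
        if value[pos:pos + 2] != "=(":
            raise ValueError(f"expected '=(' after label {label!r}")
        pos += 2
        components = []
        while True:  # inner list of quoted component identifiers
            while pos < n and value[pos] == " ":
                pos += 1
            if pos >= n:
                raise ValueError("unterminated inner list")
            if value[pos] == ")":
                pos += 1
                break
            m = _STRING.match(value, pos)
            if not m:
                raise ValueError(f"expected quoted component at offset {pos}")
            components.append(m.group(1).replace('\\"', '"').replace("\\\\", "\\"))
            pos = m.end()
        params = {}
        while pos < n and value[pos] == ";":  # parameters on the member
            pos += 1
            while pos < n and value[pos] == " ":
                pos += 1
            m = _KEY.match(value, pos)
            if not m:
                raise ValueError(f"expected parameter name at offset {pos}")
            pkey, pos = m.group(0), m.end()
            if pos < n and value[pos] == "=":
                pos += 1
                for rx, conv in ((_STRING, lambda mm: mm.group(1)),
                                 (_INT, lambda mm: int(mm.group(0))),
                                 (_TOKEN, lambda mm: mm.group(0))):
                    m = rx.match(value, pos)
                    if m:
                        params[pkey], pos = conv(m), m.end()
                        break
                else:
                    raise ValueError(f"unsupported value for parameter {pkey!r}")
            else:
                params[pkey] = True
        prefs[label] = {"components": components, "params": params}
        skip_ows()
        if pos >= n:
            return prefs
        if value[pos] != ",":
            raise ValueError(f"expected ',' at offset {pos}")
        pos += 1


def check_against_preferences(accept_signature: str, signature_input: str) -> list:
    """Compare what Accept-Signature asked for with what Signature-Input delivers.

    Assumption (labelled): the signer reuses the Accept-Signature label.
    Returns a list of human-readable mismatches; an empty list means the
    received signature metadata satisfies every stated preference.
    """
    wanted = parse_signature_dictionary(accept_signature)
    got = parse_signature_dictionary(signature_input)
    problems = []
    for label, pref in wanted.items():
        actual = got.get(label)
        if actual is None:
            problems.append(f"{label}: no signature with this label")
            continue
        missing = [c for c in pref["components"] if c not in actual["components"]]
        if missing:
            problems.append(f"{label}: requested components not covered: {missing}")
        for key, want in pref["params"].items():
            have = actual["params"].get(key)
            if want is True and have is None:  # bare param: must be present
                problems.append(f"{label}: parameter {key} missing")
            elif want is not True and have != want:
                problems.append(f"{label}: parameter {key}={have!r}, expected {want!r}")
    return problems


if __name__ == "__main__":
    # The page's own example header value.
    accept = 'sig1=("@method" "@authority" "@path" "content-digest"); alg="rsa-pss-sha512"'
    # Constructed Signature-Input values: one compliant, one that drops components and changes alg.
    ok = 'sig1=("@method" "@authority" "@path" "content-digest");alg="rsa-pss-sha512";created=1618884473;keyid="test-key"'
    weak = 'sig1=("@method" "@path");alg="ed25519"'
    print(parse_signature_dictionary(accept))
    print("compliant:", check_against_preferences(accept, ok))
    print("non-compliant:", check_against_preferences(accept, weak))
```

The parser is deliberately strict: an unexpected character raises rather than being skipped, so a malformed or truncated header is rejected instead of silently yielding an empty component list that a verifier might treat as "nothing required".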
Takeaway
The Accept-Signature header enables negotiation of HTTP Message Signatures by communicating signature preferences before signed messages are transmitted, establishing agreement on algorithms and covered components for subsequent requests or responses.