OpenChainGraph Suite · ART-129 · wave 24

Web Bot Auth Signature Verifier (RFC 9421)

Reconstruct the RFC 9421 HTTP Message Signature base from caller-supplied covered components and verify the Ed25519 signature against a caller-supplied public key — zero network. Checks alg=ed25519, tag=web-bot-auth, and freshness window.

RFC 9421Web Bot AuthEd25519Visa TAPMC Agent PayW3C VC §13.11Zero PIIClient-side only

🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only.

Scope

Root stage of the agent-identity-verification chain (art-129→130→131). Reconstructs the RFC 9421 §2.5 signature base (one line per covered component, terminated by @signature-params), then verifies the Ed25519 signature via WebCrypto. Policy checks: alg must be ed25519, signature_params must carry tag="web-bot-auth", and the age (now_unix − created) must be within max_age_s. All inputs caller-supplied — no network fetch. ACCEPT/REFUSE verdict feeds the signatures-directory validator (art-130).

Presets

Covered Components

Covered Components JSON array of {name, value} pairs

Signature-Params Inner List RFC 9421 §2.5 — the full @signature-params value

Signature (base64) value of the Signature header

Public Key JWK Ed25519 verify key — OKP kty, crv=Ed25519, x

Algorithm policy — must be ed25519

Expected Tag policy — default web-bot-auth

Created (unix) from signature-params created=

Now (unix) caller-supplied current time

Max Age (s) default 3600

Result

Execution Hash & §4 Artifact

SHA-256 execution hash (JCS canonical — RFC 8785):

Chain Handoff → art-130

Pass the execution_hash above as parent_hashes[0] when calling validate_signature_directory (art-130) to continue the agent-identity-verification chain.