RFC 9421 Signature Decoder & Web Bot Auth Readiness
HTTP Message Signatures (RFC 9421) are how an automated agent proves who it is — the shared substrate under Web Bot Auth and Visa's Trusted Agent Protocol. This tool parses and validates Signature-Input / Signature headers, lints a Web Bot Auth JWKS directory (Ed25519), and scores your Web Bot Auth readiness.
⚠ Web Bot Auth is an active IETF draft (a working group was chartered in early 2026); details may change. This tool parses the structured-field syntax and checks policy — it does not perform cryptographic signature verification (no key operations run in the browser).
RFC 9421Web Bot Auth · Ed25519Zero PIIClient-Side · No Network
Scope & reliance —🔒 All inputs are processed locally in your browser. No data is transmitted. Do not enter real personal data — use synthetic or anonymised inputs only. Parsing and policy checks only — this tool does not verify the cryptographic signature against a key. Paste only public keys / header structures, never private keys. Deterministic · zero PII · CC BY 4.0.
▸ Decode Signature-Input / Signature (RFC 9421)
Paste the two header values. The covered components, parameters, freshness, and replay protection are checked. Examples are pre-loaded.
▸ Lint a Web Bot Auth key directory
Paste the JWKS served at /.well-known/http-message-signatures-directory. Web Bot Auth expects Ed25519 (OKP) keys.
▸ Web Bot Auth readiness
Answer for your agent. Web Bot Auth = Ed25519 keypair + JWKS published at the well-known directory + every request signed per RFC 9421 + a registry entry.