HTTP Signatures

To guarantee integrity, authenticity, and non-repudiation of API communication, Nopan requires all requests to be digitally signed.
Every response from Nopan is also signed, so that you can validate its origin and content.

This ensures that:

  • Requests cannot be tampered with in transit.
  • Responses are verified as truly coming from Nopan.
  • Replay attacks and forgery attempts are mitigated.

How it works

  1. Request Signing
    Every request you send is signed with your private key. The signature covers specific request components (headers, body digest, pseudo-headers).

  2. Response Validation
    Every response from Nopan is signed with Nopan’s private key. You validate it using the public key we provide.

  3. Shared Trust Model

    • You share your public key with Nopan.
    • Nopan shares its public key with you.
    • Both sides use private keys only for signing; public keys are for verification.
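The flow above as an added example (not Nopan's code or its exact scheme): a client signs the method, path and body digest, and the receiver verifies with the client's public key and rejects tampered or stale requests. The RFC 9421-style component names, Ed25519, the `created` freshness window, the key id and the sample request are assumptions made for illustration.

```javascript
// Added illustration, not Nopan's code. Component names follow RFC 9421 conventions;
// Ed25519, the key id, the sample request and the 300 s window are assumptions.
const crypto = require("node:crypto");

// Digest header value that binds the body to the signature.
const contentDigest = (body) =>
  `sha-256=:${crypto.createHash("sha256").update(body).digest("base64")}:`;

// Signature base: one line per covered component, then the signature parameters.
function signatureBase(req, params) {
  return [
    `"@method": ${req.method}`,
    `"@path": ${req.path}`,
    `"content-digest": ${req.headers["content-digest"]}`,
    `"@signature-params": ${params}`,
  ].join("\n");
}

// Sender side: only the private key holder can produce this signature.
function signRequest(req, privateKey, keyId, now) {
  req.headers["content-digest"] = contentDigest(req.body);
  const params = `("@method" "@path" "content-digest");created=${now};keyid="${keyId}"`;
  const sig = crypto.sign(null, Buffer.from(signatureBase(req, params)), privateKey);
  req.headers["signature-input"] = `sig1=${params}`;
  req.headers["signature"] = `sig1=:${sig.toString("base64")}:`;
  return req;
}

// Receiver side: recompute the digest from the received body, check freshness, verify.
function verifyRequest(req, publicKey, now, maxAgeSeconds = 300) {
  if (req.headers["content-digest"] !== contentDigest(req.body)) return "digest-mismatch";
  const params = req.headers["signature-input"].replace(/^sig1=/, "");
  const created = Number(/;created=(\d+)/.exec(params)?.[1]);
  if (!(Math.abs(now - created) <= maxAgeSeconds)) return "stale";
  const sig = Buffer.from(req.headers["signature"].slice("sig1=:".length, -1), "base64");
  const ok = crypto.verify(null, Buffer.from(signatureBase(req, params)), publicKey, sig);
  return ok ? "valid" : "bad-signature";
}

// Constructed sample: a fresh key pair and one request, then three altered copies.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const make = (edit = {}) => Object.assign(signRequest(
    { method: "POST", path: "/payments", headers: {}, body: '{"amount":10}' },
    privateKey, "client-key-1", 1700000000), edit);
  const check = (req, now) => verifyRequest(req, publicKey, now);
  return { untouched: check(make(), 1700000005),
    tamperedBody: check(make({ body: '{"amount":9999}' }), 1700000005),
    tamperedPath: check(make({ path: "/refunds" }), 1700000005),
    replayedLater: check(make(), 1700003600) };
}
```

A timestamp window only bounds how long a captured request stays usable; a receiver that must reject every repeat also has to remember which signatures or nonces it has already seen.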

Where to go next

Request Signing

Step-by-step guide to building a signature base and attaching it to your API requests.

Learn more →

Response Validation

How to verify signatures returned by Nopan responses to ensure authenticity and integrity.

Learn more →

Understanding Signatures

Learn how signature inputs, canonicalization, and algorithms work under the hood.

Learn more →