RFC 9421 HTTP Message Signatures for Rust — framework-agnostic, with first-class support for `reqwest` and `actix-web`.
signet-http is a Rust library implementing RFC 9421 — HTTP Message Signatures, the IETF standard for cryptographically signing and verifying HTTP requests and responses.
It is designed to be:
- Framework-agnostic at the core — no dependency on any specific HTTP client or server
- Ergonomic for `reqwest` users via a signing middleware
- Ergonomic for `actix-web` users via a verification middleware
- Feature-flagged — pull in only the integrations you need
- Correct — validated against the official RFC 9421 test vectors
Open Payments — the open standard for payment interoperability — requires RFC 9421 HTTP Message Signatures to secure every API request. Before any payment is initiated, the HTTP request must be cryptographically signed. The receiver verifies that signature before processing anything.
When building Pelikuni Wallet, a digital wallet in Rust, I hit this wall directly. Integrating Open Payments meant implementing RFC 9421 — and the Rust ecosystem had no production-ready solution for the HTTP clients and frameworks developers actually use.
One crate exists — httpsig-rs — but it is architecturally coupled to the hyper HTTP library, has no support for RSA signatures by design, and provides no integration path for reqwest or actix-web. Developers building payment systems in Rust with these frameworks are left to implement this security primitive themselves, which is complex, error-prone, and has nothing to do with their actual product.
signet-http fills that gap.
- Signing and verifying HTTP request and response messages per RFC 9421
- Algorithm support: Ed25519, HMAC-SHA256, RSA-PSS, ECDSA P-256
- Covered component selection — headers and derived components (`@method`, `@path`, `@authority`, `@target-uri`, etc.)
- Signature parameters — `created`, `expires`, `nonce`, `keyid`, `alg`, `tag`
- Validated against official RFC 9421 test vectors
- `reqwest` — signing middleware for outgoing HTTP requests
- `actix-web` — verification middleware for incoming HTTP requests
- Tested against the Open Payments sandbox
- Integration example using Pelikuni Wallet as a real-world reference
```rust
use std::time::Duration;

use signet_http::{SigningConfig, Algorithm, KeyId};
use signet_http::reqwest::SigningMiddleware;

// `private_key` and `payload` are assumed to be defined by the caller.

// Build a signing config: key identity, algorithm, the components the
// signature covers, and how long the signature stays valid.
let config = SigningConfig::new(
    KeyId::from("my-key-id"),
    Algorithm::Ed25519,
    private_key,
)
.covered_components(["@method", "@path", "@authority", "content-type"])
.expires_in(Duration::from_secs(300));

// Wrap a reqwest client
let client = reqwest::Client::builder()
    .middleware(SigningMiddleware::new(config))
    .build()?;

// Every request is now signed automatically
let response = client.post("https://api.example.com/payments")
    .json(&payload)
    .send()
    .await?;
```

signet-http is not a fork of httpsig-rs. It is a complementary library targeting the use cases that httpsig-rs deliberately does not cover — specifically reqwest and actix-web integrations, RSA support, and Open Payments alignment. Where httpsig-rs is a lower-level building block for hyper-based stacks, signet-http is designed for developers who want RFC 9421 compliance in an existing application with minimal friction.
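The covered components and expiry chosen in the signing config above determine the RFC 9421 signature base, the exact string that is signed and that the verifier must rebuild byte for byte. The sketch below is an added example, not signet-http code (the library is not yet written): `Request`, `component_value`, `signature_base` and `sample` are hypothetical names, it handles only `@method`, `@path`, `@authority` and plain header fields, and it performs no cryptographic signing.

```rust
use std::collections::BTreeMap;

/// Constructed request model; type and field names are assumptions for this example.
pub struct Request {
    pub method: String,
    pub authority: String, // host[:port], default port already omitted by the caller
    pub path: String,
    pub headers: BTreeMap<String, String>, // lowercase field name -> value
}

/// Resolve one covered component to its canonical value (RFC 9421 sections 2.1, 2.2).
fn component_value(req: &Request, id: &str) -> Result<String, String> {
    match id {
        "@method" => Ok(req.method.clone()), // case-sensitive, never re-cased
        "@authority" => Ok(req.authority.to_ascii_lowercase()),
        "@path" => Ok(if req.path.is_empty() { "/".to_string() } else { req.path.clone() }),
        d if d.starts_with('@') => Err(format!("unsupported derived component {d}")),
        h => req.headers.get(h).map(|v| v.trim().to_string())
            .ok_or_else(|| format!("covered field {h} is not in the message")),
    }
}

/// Returns (signature parameters as sent in Signature-Input, signature base to sign).
pub fn signature_base(req: &Request, covered: &[&str], created: u64, expires: u64,
                      keyid: &str) -> Result<(String, String), String> {
    let mut base = String::new();
    for (i, id) in covered.iter().enumerate() {
        // A component identifier may appear only once in the covered list.
        if covered[..i].contains(id) { return Err(format!("component {id} listed twice")); }
        base.push_str(&format!("\"{id}\": {}\n", component_value(req, id)?));
    }
    let list: Vec<String> = covered.iter().map(|c| format!("\"{c}\"")).collect();
    let params = format!("({});created={created};expires={expires};keyid=\"{keyid}\"", list.join(" "));
    // The final line has no trailing newline and binds the parameters into the signature.
    base.push_str(&format!("\"@signature-params\": {params}"));
    Ok((params, base))
}

/// Constructed sample request using the same covered components as the config above.
pub fn sample() -> Request {
    let headers = BTreeMap::from([("content-type".to_string(), " application/json ".to_string())]);
    Request { method: "POST".into(), authority: "API.Example.com".into(),
              path: "/payments".into(), headers }
}

fn main() {
    let covered = ["@method", "@path", "@authority", "content-type"];
    let (_, base) = signature_base(&sample(), &covered, 1_700_000_000, 1_700_000_300, "my-key-id").unwrap();
    println!("{base}");
}
```

A verifier that rebuilds this string from the received message and gets a different result must reject the signature, which is why a covered header missing from the message is an error here and not an empty value.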
Pre-development. The library is planned for active development starting September 2026, funded in part by the Interledger Foundation SDK Grant Program.
The timeline:
| Phase | Period | Milestone |
|---|---|---|
| Phase 1 | Weeks 1–3 | Core signing engine, Ed25519 + HMAC-SHA256, published to crates.io as 0.1.0 |
| Phase 2 | Weeks 4–7 | RSA-PSS + ECDSA P-256, reqwest middleware, actix-web middleware, Open Payments sandbox validation |
| Phase 3 | Weeks 8–10 | Full docs.rs documentation, worked examples, Pelikuni Wallet integration, stable 1.0.0 release |
If you are building something in Rust that needs RFC 9421 support and want to follow progress or contribute, watch this repo or open an issue to start a conversation.
This library is part of a broader effort to make Open Payments accessible to Rust developers — particularly those building payment infrastructure in the Global South, where interoperable, low-cost payment systems matter most.
The companion project, Pelikuni Wallet, will serve as the primary integration target and real-world validation of this library.
The project is not yet accepting code contributions — development hasn't started. However, if you:
- Have experience with RFC 9421 implementations in other languages
- Are building something in Rust that would benefit from this library
- Want to discuss the API design before development begins
Open an issue. Early feedback on the API shape is especially valuable before the first line of code is written.
Licensed under either of:
- Apache License, Version 2.0 (LICENSE-APACHE)
- MIT License (LICENSE-MIT)
at your option. This is the standard Rust dual license and is consistent with the broader ecosystem.
Kelechi Ebiri — backend engineer and open-source contributor.
- GitHub: @TG199
- Pelikuni Wallet: github.com/TG199/Pelikuni