From 01082e77500f801bb6fcebc3907474a9b6b49515 Mon Sep 17 00:00:00 2001 From: timedout Date: Tue, 21 Apr 2026 19:24:57 +0100 Subject: [PATCH] Clarify when the `event_id` domain needs a signature --- content/server-server-api.md | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/content/server-server-api.md b/content/server-server-api.md index a94e066a..9dda3396 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md @@ -1492,9 +1492,12 @@ signature](/appendices#checking-for-a-signature). Note that this step should succeed whether we have been sent the full event or a redacted copy. -Unless the event is a 3rd party invite, only the signature(s) from the -originating server (the server the `sender` belongs to) are required for -verification. If a signature is from an unknown or expired key, it is skipped. +For room versions 3 and later, unless the event is a 3rd party invite, only the +signature(s) from the originating server (the server the `sender` belongs to) +are required for verification. Room versions 1 and 2 also require that a +signature is present from the domain in the `event_id`, if it differs from the +originating server. If a signature is from an unknown or expired key, it is +skipped. If the event is a 3rd party invite, the sender must already match the 3rd party invite, and the server which actually sends the event may be a different
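Review bot: The new paragraph in the `@@ -1492,9 +1492,12 @@` hunk leaves the failure case for room versions 1 and 2 undefined. It requires a signature from the domain in the `event_id`, and the next sentence says a signature from an unknown or expired key "is skipped", but nothing states that the check fails when skipping leaves no valid signature from a required domain. Since this decides whether an event is accepted, suggest saying so explicitly, for example: "If, after skipping such signatures, no valid signature remains from a required server, the event fails the signature check." Separately, "unless the event is a 3rd party invite" now sits inside the sentence about room versions 3 and later, so it no longer says whether the `event_id` domain requirement applies to 3rd party invites in room versions 1 and 2. Either move the exception so that it covers both sentences or state the v1/v2 invite case directly.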