From a6112535bf5a760b74f78080b21e2da025b7bc66 Mon Sep 17 00:00:00 2001 From: Logan Devine Date: Tue, 10 Mar 2026 11:34:47 -0700 Subject: [PATCH] clarification: add link to JSON signing algorithm on federation auth section (#2329) Signed-Off-By: Logan Devine logan@zirco.dev --- .../client_server/newsfragments/2329.clarification | 1 + content/server-server-api.md | 12 ++++++------ 2 files changed, 7 insertions(+), 6 deletions(-) create mode 100644 changelogs/client_server/newsfragments/2329.clarification diff --git a/changelogs/client_server/newsfragments/2329.clarification b/changelogs/client_server/newsfragments/2329.clarification new file mode 100644 index 00000000..f3008f40 --- /dev/null +++ b/changelogs/client_server/newsfragments/2329.clarification @@ -0,0 +1 @@ +Add link to JSON signing algorithm in server-server auth section for clarity. Contributed by @thetayloredman. diff --git a/content/server-server-api.md b/content/server-server-api.md index bc393ae9..50104ed5 100644 --- a/content/server-server-api.md +++ b/content/server-server-api.md @@ -277,12 +277,12 @@ queried from multiple servers to mitigate against DNS spoofing. Every HTTP request made by a homeserver is authenticated using public key digital signatures. The request method, target and body are signed -by wrapping them in a JSON object and signing it using the JSON signing -algorithm. The resulting signatures are added as an Authorization header -with an auth scheme of `X-Matrix`. Note that the target field should -include the full path starting with `/_matrix/...`, including the `?` -and any query parameters if present, but should not include the leading -`https:`, nor the destination server's hostname. +by wrapping them in a JSON object and signing it using the [JSON signing +algorithm](/appendices#signing-json). The resulting signatures are added +as an Authorization header with an auth scheme of `X-Matrix`. Note that +the target field should include the full path starting with `/_matrix/...`, +including the `?` and any query parameters if present, but should not +include the leading `https:`, nor the destination server's hostname. Step 1 sign JSON: