Authentication
Request headers, signatures, and validation behavior for Mecha traffic.
Required headers
| Header | Required | Description |
|---|---|---|
| X-Mecha-Key | Yes | Plaintext Mecha key |
| X-Request-Timestamp | Yes | RFC3339 timestamp |
| X-Nonce | Yes | Unique request nonce |
| X-Signature | Conditional | HMAC-based signature when signature checks are enabled |
Signature model
```text
base64(HMAC-SHA256(body|nonce|timestamp))
```
Validation rule
Even when signatures are not globally required, a supplied signature should still be verified.
What this protects
- Replay resistance through timestamp and nonce checks.
- Sender authenticity through key ownership.
- Payload integrity through signature verification.
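The checks above can be combined into one server-side validator. This is an added example, not code from the Mecha handbook or project. It assumes `|` in the signature model is a literal separator byte, that the HMAC secret is passed in as `secret` (the page does not say how it is obtained), a 5-minute freshness window, and an in-memory nonce set; `sign` and `validate` are hypothetical names.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

MAX_SKEW = timedelta(minutes=5)  # assumption: the page gives no freshness window
SEEN_NONCES = set()              # assumption: in-memory; a real service needs a shared TTL store

def sign(secret: bytes, body: bytes, nonce: str, timestamp: str) -> str:
    # Assumption: "|" in the page's formula is a literal separator byte.
    msg = b"|".join([body, nonce.encode(), timestamp.encode()])
    return base64.b64encode(hmac.new(secret, msg, hashlib.sha256).digest()).decode()

def validate(headers, body, secret, require_signature, now):
    """Return "accept" or "reject: <reason>" for one request."""
    for name in ("X-Mecha-Key", "X-Request-Timestamp", "X-Nonce"):
        if not headers.get(name):
            return f"reject: missing {name}"
    ts, nonce = headers["X-Request-Timestamp"], headers["X-Nonce"]
    try:
        parsed = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    except ValueError:
        return "reject: bad timestamp"
    if parsed.tzinfo is None or abs(now - parsed) > MAX_SKEW:
        return "reject: stale timestamp"
    supplied = headers.get("X-Signature")
    if supplied is None:
        if require_signature:
            return "reject: missing signature"
    else:
        # Verified whenever present, even if signatures are not required.
        expected = sign(secret, body, nonce, ts)
        if not hmac.compare_digest(supplied.encode(), expected.encode()):
            return "reject: bad signature"
    # Record the nonce only after the other checks pass, so rejected
    # requests cannot fill the replay cache.
    if nonce in SEEN_NONCES:
        return "reject: replayed nonce"
    SEEN_NONCES.add(nonce)
    return "accept"
```

Because the nonce and timestamp are inside the signed message, a captured signature cannot be reused with a fresh nonce, and the constant-time comparison avoids leaking how many signature bytes matched.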