Version: 1.0.0

RTGS.global Signing API

Overview

The RTGS.global Signing API generates and verifies digital signatures. These signatures are expected to be transferred as metadata with all JSON messages sent and received over the RTGS.global Participant Gateway API.

A valid signature guarantees that a message payload has not been modified. This means that any message associated with a signature is case-sensitive and sensitive to all whitespace, including spaces, tabs, and new lines.

Note: A valid signature is only a guarantee of message integrity, not of message validity. Validation and error checking must still be performed.

Signing

A signature can only be generated if you have an existing connection/relationship with the intended recipient (indicated by the SignFor RTGS.global Id).

The private decentralised identity (Did) keypair is used to generate a signature that only the recipient can verify. The Ed25519 algorithm is used to generate a signature based on the request payload and associated metadata (path, method, timestamp, etc.).

Verifying

As with signing, verification only succeeds if you have an existing connection/relationship with the intended recipient.

The message payload (if applicable) must exactly match the string that was signed, including all whitespace, tabs, new lines, etc.

Note: You cannot verify your own generated signatures. Only the intended recipient of the message has the ability to verify.

Interaction with RTGS.global Participant Gateway API

Synchronous requests/responses

When interacting with the Gateway API, a signature must be included in the Headers of HTTP requests.

The header key will be rtgs-global-sig and the value will be the signature itself. The recipient (either RTGS.global or another participant on the network) will verify this value before carrying out any actions. In turn, you are expected to verify the signature of any responses before processing them further.

Asynchronous responses

The messages will be delivered using the CloudEvent v1.0 schema and the signature will be present within the Attributes collection.

The payload is provided in the data_base64 property of the CloudEvent. This value must be base64-decoded before the payload can be used or verified.

Processing checklist (CloudEvent):

  • Validate required attributes (specversion, id, source, type, datacontenttype).
  • Ensure datacontenttype is text/plain.
  • Confirm verificationmaterialtype is rtgs-global-sig.
  • Extract the verificationmaterial attribute (signature value).
  • Base64-decode data_base64 to a UTF-8 string.
  • Verify the signature against the exact decoded string (before parsing).
  • If verification succeeds, parse and process the payload; otherwise reject/log the event.

Note: Signature verification must always be performed against the literal decoded string.
Any transformation during parsing or deserialization (such as JSON decoding, whitespace changes, or newline conversion) will alter the string and cause verification to fail.
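
The checklist above as an added Python example (not RTGS.global's own code). It assumes the CloudEvent arrives as a dict with its attributes as top-level members and that the decoded payload is JSON. `verify` is a hypothetical wrapper around the Signing API verification call, and `demo_verify` is a constructed HMAC stand-in for the real Ed25519 check so the example runs offline.

```python
import base64
import binascii
import hashlib
import hmac
import json

REQUIRED = ("specversion", "id", "source", "type", "datacontenttype")

class RejectedEvent(Exception):
    """Raised when an event fails any checklist step."""

def process_event(event, verify):
    """Run the checklist; `verify(signature, text) -> bool` is hypothetical."""
    missing = [k for k in REQUIRED if not event.get(k)]
    if missing:
        raise RejectedEvent(f"missing attributes: {missing}")
    if event["datacontenttype"] != "text/plain":
        raise RejectedEvent("unexpected datacontenttype")
    if event.get("verificationmaterialtype") != "rtgs-global-sig":
        raise RejectedEvent("unexpected verificationmaterialtype")
    signature = event.get("verificationmaterial")
    if not signature:
        raise RejectedEvent("missing verificationmaterial")
    try:
        raw = base64.b64decode(event.get("data_base64", ""), validate=True)
        text = raw.decode("utf-8")           # the literal signed string
    except (binascii.Error, UnicodeDecodeError, TypeError) as exc:
        raise RejectedEvent(f"undecodable payload: {exc}") from exc
    if not verify(signature, text):           # verify before any parsing
        raise RejectedEvent("signature verification failed")
    return json.loads(text)                   # parse only after verification

# --- Constructed sample data; HMAC stands in for the real signature check ---
_KEY = b"constructed-demo-key"

def _mac(text):
    return hmac.new(_KEY, text.encode("utf-8"), hashlib.sha256).hexdigest()

def demo_verify(signature, text):
    return hmac.compare_digest(_mac(text), signature)

def make_event(text, signed_text=None):
    """Build a constructed event; signed_text lets payload and signature differ."""
    return {
        "specversion": "1.0", "id": "evt-1", "source": "/constructed",
        "type": "constructed.sample", "datacontenttype": "text/plain",
        "verificationmaterialtype": "rtgs-global-sig",
        "verificationmaterial": _mac(text if signed_text is None else signed_text),
        "data_base64": base64.b64encode(text.encode("utf-8")).decode("ascii"),
    }
```

Passing a payload that was parsed and re-serialized before verification (same JSON, different whitespace) raises `RejectedEvent`, which is the failure the note above describes.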