This chapter defines request signing, pairing, service keys, and caller identity for Dina-compatible authentication.
Authentication defines how a participant proves who it is.
A Dina-compatible authentication profile MUST support signed requests using Ed25519.
The canonical signing payload is:
METHOD
PATH
QUERY
TIMESTAMP
NONCE
SHA256_HEX(BODY)
The current reference implementation signs exactly this payload.
A draft normalized schema for signed-request interoperability lives in:
schemas/auth-envelope.jsonA signed HTTP request SHOULD carry:
X-DIDX-TimestampX-NonceX-SignatureX-Signature is the Ed25519 signature over the canonical payload.
A conforming implementation MUST protect against replay.
The reference implementation currently enforces:
A Dina-compatible Home Node SHOULD support device pairing as a bootstrap flow.
The reference implementation currently uses:
Pairing MAY result in either:
Internal or peer services MAY authenticate with distinct service Ed25519 keypairs.
This is already present in the reference implementation for Core-to-Brain and similar service paths.
The Dina protocol recognizes at least these auth modes:
The protocol SHOULD treat signature-based authentication as the primary interoperable profile.
Paired bearer tokens are acceptable as a bootstrap or compatibility profile, but SHOULD NOT be the normative long-term cross-implementation trust model.
A Dina-compatible implementation SHOULD propagate caller context containing at least:
This becomes important for: