Signatures

API Contracts supports optional RSA-SHA256 signatures.

Signature Envelope

{
  "signature": {
    "algorithm": "RSA-SHA256",
    "publicKeyId": "pine-2026",
    "value": "<base64>"
  }
}

Enabling

<PropertyGroup>
  <AISchemaSign>true</AISchemaSign>
  <AISchemaSigningPrivateKey>keys/signing.pem</AISchemaSigningPrivateKey>
</PropertyGroup>

Key Management

# Generate key pair
openssl genrsa -out signing.pem 2048
openssl rsa -in signing.pem -pubout -out signing.pub.pem

Verification

using ApiContracts.Verification;

bool valid = SchemaVerifier.VerifySignature(data, signatureBase64, publicKeyPem);
string sig = SchemaVerifier.SignData(data, privateKeyPem);