All authenticated operations are signed by the cloud agent’s Ed25519 key. The signature is carried in a top-level request_signature field of type MessageSignature, computed over a canonical encoding of the request payload.
MessageSignature
The server responds with its own response_signature (signed by the provider’s key) so that clients can verify response integrity end-to-end.
Which methods require a signature
Session lifetime
GetServiceInfo returns session_ttl_secs, the maximum age of a signed session before the server refuses it. Rotate your signatures well before the TTL expires.
Never transmit your Ed25519 private key. All signing must happen on the agent side; the ledger service only ever sees public keys and signatures.