> ## Documentation Index
> Fetch the complete documentation index at: https://docs.modo.link/llms.txt
> Use this file to discover all available pages before exploring further.

# Authentication

> Ed25519 message-level signing for agent requests

All authenticated operations are signed by the **cloud agent's Ed25519 key**. The signature is carried in a top-level `request_signature` field of type [`MessageSignature`](#messagesignature), computed over a canonical encoding of the request payload.

## MessageSignature

```proto theme={null}
message MessageSignature {
  string public_key = 1;   // Ed25519 public key (hex)
  string signature  = 2;   // Ed25519 signature (hex)
  bytes  payload    = 3;   // canonical payload that was signed
}
```

The server responds with its own `response_signature` (signed by the provider's key) so that clients can verify response integrity end-to-end.

## Which methods require a signature

| Method                                                                                                                                                                                                                                                                                                                                               | Signed                               |
| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------ |
| [`GetServiceInfo`](/agentic-api/core/get-service-info), [`GetLedgerEnd`](/agentic-api/core/get-ledger-end), [`GetDsoRates`](/agentic-api/core/get-dso-rates)                                                                                                                                                                                         | No                                   |
| [`GetAgentConfig`](/agentic-api/onboarding/get-agent-config)                                                                                                                                                                                                                                                                                         | No                                   |
| [`GetBalances`](/agentic-api/core/get-balances), [`GetAmulets`](/agentic-api/core/get-amulets), [`GetActiveContracts`](/agentic-api/core/get-active-contracts), [`GetUpdates`](/agentic-api/core/get-updates), [`GetPreapprovals`](/agentic-api/preapproval/get-preapprovals), [`GetSettlementContracts`](/agentic-api/dvp/get-settlement-contracts) | Yes (session token)                  |
| [`PrepareTransaction`, `ExecuteTransaction`](/agentic-api/transaction-flow)                                                                                                                                                                                                                                                                          | Yes (Ed25519)                        |
| [`RegisterAgent`](/agentic-api/onboarding/register-agent), [`GetOnboardingStatus`](/agentic-api/onboarding/get-onboarding-status), [`SubmitOnboardingSignature`](/agentic-api/onboarding/submit-onboarding-signature)                                                                                                                                | Yes (Ed25519 — proves key ownership) |

## Session lifetime

[`GetServiceInfo`](/agentic-api/core/get-service-info) returns `session_ttl_secs`, the maximum age of a signed session before the server refuses it. Rotate your signatures well before the TTL expires.

<Warning>
  Never transmit your Ed25519 private key. All signing must happen on the agent side; the ledger service only ever sees public keys and signatures.
</Warning>
