> ## Documentation Index
> Fetch the complete documentation index at: https://agenticadvertisingorg-snap-format-preview-links.mintlify.site/llms.txt
> Use this file to discover all available pages before exploring further.

# L1 — Identity & signing

> Identity-and-signing layer of the AdCP stack. RFC 9421 HTTP message signatures, public-key resolution, replay-window enforcement, key rotation.

L1 cryptographically verifies that the request came from who the headers claim it did, and that the body wasn't modified in transit. RFC 9421 HTTP message signatures with replay-window enforcement and key rotation. Symmetric on both sides — agents verify inbound and sign outbound webhooks; callers sign outbound and verify inbound webhooks.

## What an SDK at L1 must provide

If you're picking an SDK or porting one to a new language, this is the L1 build target:

* **RFC 9421 message-signature signing** for outbound requests.
* **RFC 9421 verification** for inbound requests, including replay-window enforcement on `created` / `expires` and `keyid`-based key lookup.
* **A pluggable signing-provider abstraction** — in-process keys for development, KMS / HSM providers for production.
* **Test fixtures or a verifier-test harness** so adopters can assert their signing wiring is correct without booting a full agent.

For the cumulative cross-layer story (what L0+L1 buys you), see the [SDK stack reference](/docs/building/cross-cutting/sdk-stack#l1--identity--signing).

## Pages in this layer

* **[Security implementation profile](/docs/building/by-layer/L1/security)** — RFC 9421 wire details, KMS integration, replay-window tuning.
* **[Webhook verifier tuning](/docs/building/by-layer/L1/webhook-verifier-tuning)** — clock-skew handling, key-rotation transitions, signature failure diagnostics.
