# Signing a JWS message
source: https://developer.mastercard.com/account-to-account-commerce-for-dsp/documentation/tutorials-and-guides/jws-guide/signing-jws-message/index.md

## Sign a message using JWS {#sign-a-message-using-jws}

This section describes the steps to sign a message using JWS.
Note: The code samples on this page are pseudo-code and are not tied to any specific language or technology.

#### 1. Identify the private key and associated signing certificate required for signing. {#1-identify-the-private-key-and-associated-signing-certificate-required-for-signing}

The signer uses a private key whose corresponding public key is available to the verifier.

#### 2. Form the JOSE header. The JOSE header for the signature must contain the following fields. {#2-form-the-jose-header-the-jose-header-for-the-signature-must-contain-the-following-fields}

| Component | Description |
|-----------|-------------|
| `alg`     | Cryptographic algorithm used for signing the JWS. |
| `kid`     | Key ID value that can be used as a hint to look up the key in the key store. |
| `iat`     | Identifies the time at which the message was signed. It can be used to determine the age of the signature. Its value must be a number containing a NumericDate value (epoch timestamp generated based on UTC timestamp). The signer must always populate it. The verifier might choose to validate it to prevent replay attacks. |
| `crit`    | An array indicating the additional headers used as an extension to the specification. It must contain `iat`. |

The following is an example JOSE header:

```json
{
 "alg":"PS256",
 "kid":"dPDsC+MS/R/4WMLG/VAfx+DUFTY=",
 "iat":"1610049192",
 "crit":["iat"]
}
```

#### 3. Generate JWS {#3-generate-jws}

```Plain
jws-signing-input = ASCII(BASE64URL(UTF8(<jose-header>)) || '.' || BASE64URL(<jws-payload>))
jws-signature = sign(signer-private-key, <jws-signing-input>)
jws-compact-serialization-detached = BASE64URL(UTF8(<jose-header>)) || '.' || '.' || BASE64URL(<jws-signature>)
```

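An HTTP header called `X-JWS-Signature` is generated, with its value set to **jws-compact-serialization-detached**. The payload segment between the two dots is left empty, which is what makes the serialization detached.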

#### 4. Add the JWS in HTTP header {#4-add-the-jws-in-http-header}

The signer includes the HTTP header value generated in the previous step.

```Plain
X-JWS-Signature=eyJhbGciOiJSUzI1NiIsImtpZCI6ImRQRHNDK01TL1IvNFdNTEcvVkFmeCtEVUZUWT
0iLCJpYXQiOiIxNjEwMDQ5MTkyIiwiY3JpdCI6WyJpYXQiXX0..fDGLrG9K2ui-lN65ohb-cpffjJCRTwIHsr2TJ5RUbey4Ns95ZeTgLCsBnQ84nb4yJXm7_U8Ic2aES6gxQQoJvg6vvgs9tWZW9R5mvlUBYMfOHbjTin29
84T5HpZzrDrOIqEbeI18CNLjqSHaUCt0c_S6KBx0CxQ6sHXkX1X2BrCsVbgwzPoY42bGFEiKLmP8VGjd1TPzCdv7gAz
amXy46aE7QF7u5Nzphr1cyVJPtVAJ4DMK-ttQwG-6PT3rqwJwf-NU_XOETnMnjQi_9HCisLC55miiKeQW1MLuIYzQv36PFQgzpnr9iqDS0k9oX1KZ8XHEi60smvOR7CnDzQ
```
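The four steps above as an added Node.js example (not Mastercard's code, which the page gives only as pseudo-code), together with the matching verifier-side check. The key pair, the `demo-key-1` key ID, the payload and the 300-second `iat` window are constructed assumptions; `PS256` is taken from the page's example JOSE header.

```javascript
// Added example, not Mastercard code. Key pair, kid and payload are constructed.
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
// PS256 = RSASSA-PSS with SHA-256 and a 32-byte salt.
const PSS = { padding: crypto.constants.RSA_PKCS1_PSS_PADDING, saltLength: 32 };

// Steps 2-3: form the JOSE header, sign, and emit the detached serialization.
function signDetached(privateKey, kid, payload, now = Math.floor(Date.now() / 1000)) {
  // iat is written as a string to match the page's example header.
  const header = { alg: 'PS256', kid, iat: String(now), crit: ['iat'] };
  const h = b64url(JSON.stringify(header));
  const signingInput = Buffer.from(`${h}.${b64url(payload)}`, 'ascii');
  const sig = crypto.sign('sha256', signingInput, { key: privateKey, ...PSS });
  return `${h}..${b64url(sig)}`; // empty payload segment
}

// Verifier: rebuild the signing input from the received body, then check
// alg, crit, the age of iat (assumed 300 s window) and the signature.
function verifyDetached(publicKey, value, body, maxAge = 300, now = Math.floor(Date.now() / 1000)) {
  const parts = value.split('.');
  if (parts.length !== 3 || parts[1] !== '') return false;
  let header;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  } catch { return false; }
  if (!header || header.alg !== 'PS256') return false; // pin the algorithm
  if (!Array.isArray(header.crit) || !header.crit.includes('iat')) return false;
  const iat = Number(header.iat);
  if (!Number.isInteger(iat) || Math.abs(now - iat) > maxAge) return false;
  const signingInput = Buffer.from(`${parts[0]}.${b64url(body)}`, 'ascii');
  const sig = Buffer.from(parts[2], 'base64url');
  return crypto.verify('sha256', signingInput, { key: publicKey, ...PSS }, sig);
}

// Step 4: the value that goes into the X-JWS-Signature header (demo run).
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const body = '{"amount":"10.00","currency":"EUR"}'; // constructed payload
const jws = signDetached(privateKey, 'demo-key-1', body);
console.log('X-JWS-Signature:', jws);
console.log('verified:', verifyDetached(publicKey, jws, body));
```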

