Request-signing configuration for an agent. When present on an AgentConfig,
outbound MCP/A2A calls are gated by the seller's advertised
request_signing capability block (fetched once via get_adcp_capabilities
and cached): operations listed in required_for / supported_for (or
always_sign) are signed with this key per RFC 9421.
Content-digest coverage is resolved per request from the seller's
advertised covers_content_digest policy: required covers, forbidden
omits, either (or absent) covers by default — body-binding is the safer
choice and a seller advertising either has explicitly allowed both forms.
Two shapes, discriminated on kind:
'inline' (default) — private JWK held in process memory.
'provider' — delegates sign() to a SigningProvider so private
key material can live in a managed key store (GCP KMS, AWS KMS, etc.).
Request-signing configuration for an agent. When present on an AgentConfig, outbound MCP/A2A calls are gated by the seller's advertised
request_signingcapability block (fetched once viaget_adcp_capabilitiesand cached): operations listed inrequired_for/supported_for(oralways_sign) are signed with this key per RFC 9421.Content-digest coverage is resolved per request from the seller's advertised
covers_content_digestpolicy:requiredcovers,forbiddenomits,either(or absent) covers by default — body-binding is the safer choice and a seller advertisingeitherhas explicitly allowed both forms.Two shapes, discriminated on
kind:'inline'(default) — private JWK held in process memory.'provider'— delegatessign()to a SigningProvider so private key material can live in a managed key store (GCP KMS, AWS KMS, etc.).