Pseudonymous Agent

HWK (Header Web Key) Scheme

Pseudonymous authentication in AAuth uses the Header Web Key (HWK) scheme (scheme=hwk). The signing key is included in the request headers rather than resolved from a well-known URL. The resource verifies the signature using the key from the header but has no way to correlate requests to a persistent agent identity.

Scheme  Identity      Use case
hwk     Pseudonymous  Lightweight verification, rate limiting, abuse prevention
jwks    Identified    Verified agent identity via published keys
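
The HWK verification described above, as an added example that is not AAuth's or this demo's own code: a resource verifies an Ed25519 signature with the JWK carried in the request and uses the key's RFC 7638 thumbprint as the pseudonym for rate limiting. The header layout, the signature base, and all function names are simplified assumptions; only Node's built-in crypto module is used.

```javascript
// Added illustration; the header layout and signature base are simplified
// assumptions, not AAuth's wire format. Uses only Node's built-in crypto.
const crypto = require("node:crypto");

// RFC 7638 thumbprint of an OKP JWK (members crv, kty, x in that order).
// It is the only stable handle the resource gets under HWK.
function thumbprint(jwk) {
  const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x });
  return crypto.createHash("sha256").update(canonical).digest("base64url");
}

// Hypothetical signature base: the request fields the signature covers.
const signatureBase = (req) => Buffer.from(`${req.method} ${req.path}\n${req.body}`);

// Agent side: generate a key, sign, and carry the public JWK in the request.
function newAgentKey() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519");
  const { kty, crv, x } = publicKey.export({ format: "jwk" });
  return { privateKey, jwk: { kty, crv, x } };
}
function signRequest(req, agent) {
  const sig = crypto.sign(null, signatureBase(req), agent.privateKey);
  return { ...req, headers: { key: agent.jwk, signature: sig.toString("base64url") } };
}

// Resource side: verify with the key from the header. Success proves
// possession of that key only; the return value is a pseudonym, not an identity.
function verifyHwk(req) {
  const { key: jwk, signature } = req.headers || {};
  if (!jwk || jwk.kty !== "OKP" || jwk.crv !== "Ed25519") return null;
  try {
    const pub = crypto.createPublicKey({ key: jwk, format: "jwk" });
    const sig = Buffer.from(signature, "base64url");
    return crypto.verify(null, signatureBase(req), pub, sig) ? thumbprint(jwk) : null;
  } catch { return null; } // malformed key or signature
}

// Rate limit per key thumbprint. A fresh key is a fresh pseudonym, so this
// bounds each key, not each client.
function makeLimiter(max) {
  const seen = new Map();
  return (req) => {
    const id = verifyHwk(req);
    if (id === null) return "reject";
    seen.set(id, (seen.get(id) || 0) + 1);
    return seen.get(id) > max ? "throttle" : "allow";
  };
}
```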

Configuration

In this demo, agents and the backend can be configured for HWK (pseudonymous) or JWKS (identified) via AAUTH_SIGNATURE_SCHEME:

See Agent Identity with JWKS for the identified agent flow.

Run the components

Run each component in a separate terminal, from its own directory:

From the backend directory:


    > uv run . --signature-scheme hwk

From the agentgateway directory:


    > agentgateway -f agentgateway/config.yaml.hwk

From the supply-chain-agent directory:


    > cp env.hwk .env
    > uv run .

From the market-analysis-agent directory:


    > cp env.hwk .env
    > uv run .

Progressive Authentication

Resources use the Agent-Auth response header to request different authentication levels. Pseudonymous signatures satisfy the lowest level of proof—useful for: