|
104 | 104 |
|
105 | 105 | ### Configure |
106 | 106 | #### Edit configuration files |
107 | | -:information_source: Note that you’ll have to edit the following files for your setup: |
| 107 | +:information_source: Note that you'll have to edit the following files for your setup: |
108 | 108 |
|
109 | | -- fastly.toml (service ID, author, description) |
110 | | -- trusted-server.toml (KV store ID names - optional) |
| 109 | +- fastly.toml (service ID, author, description, Config/Secret Store IDs for request signing) |
| 110 | +- trusted-server.toml (KV store ID names - optional, request signing configuration) |
111 | 111 |
|
112 | 112 | ### Build |
113 | 113 |
|
@@ -153,6 +153,47 @@ cargo test |
153 | 153 | - `cargo check`: Ensure compilation succeeds on Linux, MacOS, Windows and WebAssembly |
154 | 154 | - `cargo bench`: Run all benchmarks |
155 | 155 |
|
| 156 | +## Request Signing |
| 157 | + |
| 158 | +Trusted Server supports cryptographic signing of OpenRTB requests and other API calls using Ed25519 keys. |
| 159 | + |
| 160 | +### Configuration |
| 161 | + |
| 162 | +Request signing requires Fastly Config Store and Secret Store for key management: |
| 163 | + |
| 164 | +1. **Create Fastly Stores** (via Fastly Control Panel or CLI): |
| 165 | + - Config Store: `jwks_store` - stores public keys (JWKs) and key metadata |
| 166 | + - Secret Store: `signing_keys` - stores private signing keys |
| 167 | + |
| 168 | +2. **Configure in trusted-server.toml**: |
| 169 | +```toml |
| 170 | +[request_signing] |
| 171 | +enabled = true # Set to true to enable request signing |
| 172 | +config_store_id = "<your-fastly-config-store-id>" # Config Store ID from Fastly |
| 173 | +secret_store_id = "<your-fastly-secret-store-id>" # Secret Store ID from Fastly |
| 174 | +``` |
| 175 | + |
| 176 | +### Key Management Endpoints |
| 177 | + |
| 178 | +Once configured, the following endpoints are available: |
| 179 | + |
| 180 | +- **`GET /.well-known/ts.jwks.json`**: Returns active public keys in JWKS format for signature verification |
| 181 | +- **`POST /verify-signature`**: Verifies a signature against a payload and key ID (useful for testing) |
| 182 | + - Request body: `{"payload": "...", "signature": "...", "kid": "..."}` |
| 183 | + - Response: `{"verified": true/false, "kid": "...", "message": "..."}` |
| 184 | + |
| 185 | +#### Admin Endpoints (Key Rotation) |
| 186 | + |
| 187 | +- **`POST /admin/keys/rotate`**: Generates and activates a new signing key |
| 188 | + - Optional body: `{"kid": "custom-key-id"}` (auto-generates date-based ID if omitted) |
| 189 | + - Response includes new key ID, previous key ID, and active keys list |
| 190 | + |
| 191 | +- **`POST /admin/keys/deactivate`**: Deactivates or deletes a key |
| 192 | + - Request body: `{"kid": "key-to-deactivate", "delete": false}` |
| 193 | + - Set `delete: true` to permanently remove the key (also deactivates it) |
| 194 | + |
| 195 | +:warning: Key rotation keeps both the new and previous key active to allow for graceful transitions. Deactivate old keys manually when no longer needed. |
| 196 | + |
156 | 197 | ## First-Party Endpoints |
157 | 198 |
|
158 | 199 | - `/first-party/ad` (GET): returns HTML for a single slot (`slot`, `w`, `h` query params). The server inspects returned creative HTML and rewrites: |
|
0 commit comments