Response Signing
Ed25519 + HMAC verification — required for C++ and recommended for all clients.
Why signing matters
Without signature verification, attackers can spoof API responses with fake "success" JSON. Signing ensures responses came from your server.
Response Headers
| Header | Description |
|---|---|
| X-Signature-Timestamp | Unix time included in signed message |
| X-Signature-Ed25519 | Hex Ed25519 signature of timestamp + body |
| signature | HMAC-SHA256 of body using app secret |
Public Key
Auto-generated on first API call. Copy from:
- https://libreauth.nutexe.dev/health → sign_public - SDK Portal
- Init response → pubkey field
58cd1baa23130577649b4f2ddb69f10e224fa761ed7cf7ac2e79c8f4c8a95b79
C++ Setup
In auth.cpp, update get_public_key_hex() to return your key above, then rebuild the executable.
INFO
Full guide: C++ Client Setup
PHP Setup
```php
// Public key copied from the Public Key section above.
$LibreAuthPublicKey = '58cd1baa23130577649b4f2ddb69f10e224fa761ed7cf7ac2e79c8f4c8a95b79';
$app = new LibreAuth('AppName', 'OWNERID10', '1.0', 'https://libreauth.nutexe.dev/api/1.3/');
$app->init();
```
Encrypted responses
When enckey is sent on init, the signed message is the encrypted wire body, not plain JSON. Verify the signature on the wire bytes, then decrypt.
WARN
Missing PHP sodium extension → no signature headers → C++ fails immediately.
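
The checks described on this page, as an added PHP example (not LibreAuth SDK code): the Ed25519 signature over timestamp + body is verified against the pinned public key, then the HMAC, always on the wire bytes before any decryption. The exact concatenation (timestamp string directly followed by the body), hex encoding of the signature header, lowercased header keys, the 60-second freshness window, and the names verify_response and MAX_SKEW are assumptions; the key pair, secret and body are constructed for the demo.

```php
<?php
// Added example, not LibreAuth SDK code. Assumptions: the signed message is the
// timestamp string followed directly by the raw body, both signature headers are
// hex, header names arrive lowercased, and a 60-second freshness window applies.
const MAX_SKEW = 60;

function verify_response(array $headers, string $wireBody, string $pubKeyHex,
                         string $appSecret, int $now): bool
{
    $ts  = $headers['x-signature-timestamp'] ?? '';
    $sig = $headers['x-signature-ed25519'] ?? '';
    $mac = $headers['signature'] ?? '';

    // Missing headers are a failure, never "unsigned but fine".
    if ($ts === '' || $sig === '' || $mac === '') return false;
    // Reject malformed input before it reaches sodium (which throws on bad sizes).
    if (!ctype_digit($ts) || !ctype_xdigit($sig) || strlen($sig) !== 128) return false;
    if (!ctype_xdigit($pubKeyHex) || strlen($pubKeyHex) !== 64) return false;
    // A timestamp outside the window is treated as a replayed response.
    if (abs($now - (int)$ts) > MAX_SKEW) return false;

    // Ed25519 over timestamp + body, checked against the pinned public key.
    if (!sodium_crypto_sign_verify_detached(hex2bin($sig), $ts . $wireBody, hex2bin($pubKeyHex))) {
        return false;
    }
    // HMAC-SHA256 of the body with the app secret, compared in constant time.
    return hash_equals(hash_hmac('sha256', $wireBody, $appSecret), strtolower($mac));
}

// Constructed sample: a throwaway key pair stands in for the server's signing key.
$kp     = sodium_crypto_sign_keypair();
$pubHex = bin2hex(sodium_crypto_sign_publickey($kp));
$secret = 'constructed-app-secret';
$body   = '{"success":true,"message":"Initialized"}';
$now    = 1700000000;
$ts     = (string)$now;
$good   = [
    'x-signature-timestamp' => $ts,
    'x-signature-ed25519'   => bin2hex(sodium_crypto_sign_detached($ts . $body, sodium_crypto_sign_secretkey($kp))),
    'signature'             => hash_hmac('sha256', $body, $secret),
];

var_dump(verify_response($good, $body, $pubHex, $secret, $now));                          // genuine response
var_dump(verify_response($good, '{"success":true,"spoofed":1}', $pubHex, $secret, $now)); // altered body
var_dump(verify_response($good, $body, $pubHex, $secret, $now + 3600));                   // replayed an hour later
var_dump(verify_response([], $body, $pubHex, $secret, $now));                             // signature headers stripped
```

Only the first call passes; a client should treat every other outcome as a hard failure rather than falling back to the unsigned body.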