@Gargron Hey Eugen, I am trying to understand HTTP Signatures better for my own AP server implementation.
I have two questions:
1.) How is the private key used to verify incoming request signatures stored on the Actor's server receiving the signed request? Is it just a file at a well-known location on the server, or is there some additional layer?
2.) I assume the private key is never shared with 3rd-party clients acting for an actor, and only the backend does the verification?
Thanks a lot!
@MatejLach The private key is used for signing; the public key is used for verifying signatures.
https://blog.joinmastodon.org/2018/07/how-to-make-friends-and-verify-requests/
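As an added illustration of the split Eugen describes (the sending server signs with its private key, the receiving server verifies with the public key it fetches from the sender's actor document), here is a minimal sign-and-verify round trip in the style of the HTTP Signatures scheme the linked post covers. This is example code, not Mastodon's own; the actor URL, host and inbox path are placeholder values, and the Signature header parser is deliberately simplified.

```ruby
require 'openssl'
require 'base64'
require 'digest'
# Constructed sample value: a placeholder actor URL; "#main-key" is the fragment
# Mastodon actors use for their public key.
KEY_ID = 'https://example.com/users/alice#main-key'
def body_digest(body)
  "SHA-256=#{Base64.strict_encode64(Digest::SHA256.digest(body))}"
end

# The signing string joins the listed headers in order; "(request-target)" is the
# pseudo-header "<lowercase method> <path>".
def signing_string(method, path, headers, names)
  names.map do |name|
    next "(request-target): #{method.downcase} #{path}" if name == '(request-target)'
    "#{name}: #{headers.fetch(name)}"
  end.join("\n")
end

# Sender side: only the sending server holds the private key.
def sign_request(private_key, method, path, headers)
  names = ['(request-target)', 'host', 'date', 'digest']
  raw = private_key.sign(OpenSSL::Digest.new('SHA256'), signing_string(method, path, headers, names))
  "keyId=\"#{KEY_ID}\",algorithm=\"rsa-sha256\",headers=\"#{names.join(' ')}\"," \
    "signature=\"#{Base64.strict_encode64(raw)}\""
end

# Receiver side: the public key is the one published at keyId (fetching it is out of
# scope, so it is passed in). Returns true only when the body matches the Digest
# header and the signature matches the rebuilt signing string.
def verify_request(public_key, method, path, headers, body, signature_header)
  params = signature_header.scan(/(\w+)="([^"]*)"/).to_h
  return false unless params['algorithm'] == 'rsa-sha256'
  names = params['headers'].to_s.split(' ')
  return false unless names.include?('(request-target)') && names.include?('digest')
  return false unless headers['digest'] == body_digest(body)
  sig = Base64.strict_decode64(params['signature'].to_s)
  public_key.verify(OpenSSL::Digest.new('SHA256'), sig, signing_string(method, path, headers, names))
rescue ArgumentError, KeyError
  false
end

# Round trip on constructed input: a valid request, then one whose body was altered.
def demo
  key = OpenSSL::PKey::RSA.new(2048)
  body = '{"type":"Follow"}'
  headers = { 'host' => 'remote.example', 'date' => 'Tue, 21 May 2024 10:00:00 GMT', 'digest' => body_digest(body) }
  sig = sign_request(key, 'POST', '/inbox', headers)
  [verify_request(key.public_key, 'POST', '/inbox', headers, body, sig),
   verify_request(key.public_key, 'POST', '/inbox', headers, body + ' ', sig)]
end
```

A real receiver would also check that the Date header is fresh and that the fetched key really belongs to the actor named in the activity.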