@Gargron Makes sense, Say a 3rd party client acting on behalf of an Actor wants to POST to someone's inbox & this message needs to be signed with the sending Actor's private key. The private key is never transmitted to the 3rd party client, right? It just sends a request to the backend Mastodon API server and the server, who has access to the private key, generates the Signaure header using the private key, which is verified by the target server using the sending Actor's publicKey?