sign

fun sign(method: String, url: String, accessTokenHash: String? = null, nonce: String? = null): String

Signs a DPoP proof JWT for the given HTTP method + URL.

Return

The signed JWT string (header.payload.signature).

Parameters

method

HTTP method (GET, POST, etc.)

url

Full target URL (scheme + host + path, no query string)

accessTokenHash

Base64url(SHA-256(access_token)) for PDS resource requests. null for PAR and token endpoint requests (where no access token exists yet).

nonce

Server-issued DPoP nonce. null on the first request to a server (before the nonce-discovery cycle).
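The following caller-side sketch is an added example, not code from this library. It shows how the `url`, `accessTokenHash` and `nonce` arguments are typically derived, and how a fresh proof is signed after the server supplies a nonce. The names `accessTokenHash()`, `proofUrl()`, `Response` and `sendWithDpop()` are hypothetical, and the `sign` lambda stands in for the function documented above. The `DPoP-Nonce` header and the 400/401 statuses follow RFC 9449 and are assumed here rather than taken from this page.

```kotlin
import java.net.URI
import java.security.MessageDigest
import java.util.Base64

// Value for the accessTokenHash parameter: Base64url(SHA-256(access_token)), unpadded.
fun accessTokenHash(accessToken: String): String =
    Base64.getUrlEncoder().withoutPadding().encodeToString(
        MessageDigest.getInstance("SHA-256").digest(accessToken.toByteArray(Charsets.US_ASCII)))

// Value for the url parameter: scheme + host + path, with query string and fragment dropped.
fun proofUrl(requestUrl: String): String {
    val u = URI(requestUrl)
    return "${u.scheme}://${u.rawAuthority}${u.rawPath}"
}

// Hypothetical minimal view of an HTTP response: status plus the DPoP-Nonce header, if any.
data class Response(val status: Int, val dpopNonce: String?)

// Nonce-discovery cycle: send with the cached nonce (null on first contact). If the server
// rejects the request and supplies a new nonce, sign a fresh proof with it and retry once.
fun sendWithDpop(
    method: String, requestUrl: String, accessToken: String?,
    sign: (String, String, String?, String?) -> String,
    send: (proof: String) -> Response,
    cachedNonce: String? = null,
): Response {
    val ath = accessToken?.let(::accessTokenHash)   // null for PAR and token endpoint requests
    val htu = proofUrl(requestUrl)
    val first = send(sign(method, htu, ath, cachedNonce))
    val fresh = first.dpopNonce
    if (first.status in setOf(400, 401) && fresh != null && fresh != cachedNonce) {
        return send(sign(method, htu, ath, fresh))  // never resend the rejected proof
    }
    return first
}

fun main() {
    // Constructed stand-ins: a fake signer that echoes its arguments, and a fake server
    // that rejects any proof not carrying the nonce "n-1".
    val fakeSign = { m: String, u: String, ath: String?, n: String? -> "$m|$u|$ath|$n" }
    val fakeServer = { proof: String ->
        if (proof.endsWith("|n-1")) Response(200, "n-1") else Response(401, "n-1")
    }
    val r = sendWithDpop("GET", "https://pds.example/xrpc/demo?limit=5",
        "constructed-token", fakeSign, fakeServer)
    println("final status: ${r.status}")
}
```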