keyid resolves to a key
The signature's keyid must match a key in the directory by its computed RFC 7638 thumbprint.
What this check verifies
The keyid parameter names which key signed the request. In Web Bot Auth it is a base64url-encoded RFC 7638 SHA-256 JWK thumbprint: a fingerprint computed from the key’s own members, not a free-form label.
;keyid="poqkLGiymh_W0uP6PZFw-dvez3QJT5SolqXBCW38r0";...
This check fetches the directory, computes the RFC 7638 thumbprint of each key it holds, and looks for one that equals the signature’s keyid. A match means the verifier has the public key it needs and can move on to checking the signature. If no key matches, the check fails and the signature cannot be verified, because there is no key to verify it against.
The match is against the computed thumbprint, not the JWK kid member. kid is a free-form label per RFC 7517 and can be anything the operator chooses; it is not required to equal the thumbprint. Cloudflare sets kid to the thumbprint by convention, but a directory with custom kid labels is still legal, because resolution is by computed thumbprint.
Why it matters
keyid is the link between the request and the directory. The verifier uses it to pick the one public key, out of however many the directory publishes, that should verify this signature. If keyid does not match any key’s thumbprint, the verifier has nothing to check against and cannot confirm who sent the request.
A failure here usually means one of a few things: the directory does not include the key that signed the request, the key was rotated out before the request was checked, or the keyid was computed differently from the directory key (for example over a key with extra members, which changes the thumbprint).
How to fix it
- Publish the signing key in the directory. The key whose thumbprint equals keyid must be present in the keys array.
- Compute keyid as the RFC 7638 thumbprint of the exact public key you publish. The thumbprint is taken over the required members only (crv, kty, x for an Ed25519 key), in lexicographic order, with no whitespace.
- Keep rotation in step. When you rotate keys, publish the new public key before you start signing with it, and keep the old one available until in-flight signatures expire.
If keyid and the directory key were generated by the same library from the same key, they will match. A mismatch points at two different keys, or a thumbprint computed over a different member set.
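The resolution step described above, as an added example that is not the checker's own code: it computes the RFC 7638 thumbprint over the required members only (crv, kty, x for an Ed25519 key, lexicographic order, no whitespace), resolves a keyid against a directory by that computed value rather than by the kid label, and shows why hashing the whole JWK (extra members such as kid or use included) produces a keyid that never matches. The directory and the x values are constructed placeholders, not real keys.

```python
"""Resolve a Web Bot Auth keyid against a key directory by RFC 7638 thumbprint.

Added example (not the checker's own code). The directory and key material
below are constructed for illustration; no real keys are used.
"""
import base64
import hashlib
import json

# RFC 7638 section 3.2: the members that go into the thumbprint, per key type.
# Everything else (kid, use, alg, ...) is excluded.
REQUIRED_MEMBERS = {
    "OKP": ("crv", "kty", "x"),      # Ed25519 / Ed448 keys
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
}


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as used for keyid and JWK members."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def thumbprint_input(jwk: dict) -> str:
    """Canonical JSON over the required members only: lexicographic order, no whitespace."""
    members = REQUIRED_MEMBERS[jwk["kty"]]
    subset = {m: jwk[m] for m in members}
    return json.dumps(subset, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 SHA-256 thumbprint, base64url-encoded (43 characters)."""
    digest = hashlib.sha256(thumbprint_input(jwk).encode("utf-8")).digest()
    return b64url_nopad(digest)


def thumbprint_over_all_members(jwk: dict) -> str:
    """A common mistake: hashing the whole JWK (kid, use, ... included).
    Extra members change the hash, so the result never matches the directory."""
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":"))
    return b64url_nopad(hashlib.sha256(canonical.encode("utf-8")).digest())


def resolve_keyid(keyid: str, directory: dict):
    """Return the directory JWK whose computed thumbprint equals keyid, else None.
    The JWK's own kid label is deliberately ignored: resolution is by thumbprint."""
    for jwk in directory.get("keys", []):
        if jwk_thumbprint(jwk) == keyid:
            return jwk
    return None


# Constructed directory: x values are placeholder bytes, not real public keys.
KEY_A = {"kty": "OKP", "crv": "Ed25519", "x": b64url_nopad(bytes(range(32))),
         "kid": "rotation-2025-q1", "use": "sig"}    # custom kid label (legal per RFC 7517)
KEY_B = {"kty": "OKP", "crv": "Ed25519", "x": b64url_nopad(bytes(range(32, 64)))}
KEY_B["kid"] = jwk_thumbprint(KEY_B)                  # kid == thumbprint, by convention
DIRECTORY = {"keys": [KEY_A, KEY_B]}


if __name__ == "__main__":
    for key in DIRECTORY["keys"]:
        hit = resolve_keyid(jwk_thumbprint(key), DIRECTORY)
        print(key["kid"], "->", "resolved" if hit else "unresolved")
    # A custom kid label is not a keyid, and a hash over all members is not a thumbprint.
    print("custom kid used as keyid:", resolve_keyid(KEY_A["kid"], DIRECTORY))
    print("hash over all members:", resolve_keyid(thumbprint_over_all_members(KEY_A), DIRECTORY))
```

Running the block resolves both constructed keys (the one with a custom kid and the one whose kid equals its thumbprint), and reports None for the two failure modes the page lists: a keyid that is really a kid label, and a keyid computed over a JWK with extra members.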
References
- RFC 7638 defines the JWK thumbprint used as keyid.
- RFC 7517 defines the JWK kid member as a free-form label, separate from the thumbprint.
- The web-bot-auth directory draft specifies matching the signature’s keyid against directory keys by thumbprint.
- How grading works explains why an unresolved keyid stops verification.
How the checker scores this
- Tier: Signature
- Role: Authoritative. Failing this can lower the grade ceiling or change the verdict.
- Verdict effect: Failing makes the verdict NOT FOUND.
- Point deduction: A failure deducts 30 points; a warning deducts 8.