bad_sig_len
Diagnostic `nanook::auth::bad_sig_len`
Summary
ed25519 signature payload must be 64 bytes (got {0})
Help
the signature header is corrupt or truncated
Details
When this fires
The x-nanook-signature header base64-decoded fine, but the raw signature was not 64 bytes. Ed25519 signatures are always 64 bytes, so a different length means the header was truncated in transit or the client encoded the wrong bytes. The error reports what the verifier actually saw.
What to check
- Look for a proxy, load balancer, or HTTP client trimming long headers.
- For custom clients, sign the canonical bytes laid out in `crates/nanook-auth/src/signing.rs` and base64-encode the full 64-byte output unmodified. If `nanook ctl` works, the agent is healthy and the bug is in the other client.
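A triage helper for the checks above, added here as an example and not taken from nanook: it decodes a captured x-nanook-signature value and classifies the decoded length. The standard base64 alphabet, the verdict names, and the sample bytes are assumptions made for this example.

```python
import base64
import binascii

ED25519_SIG_LEN = 64  # Ed25519 signatures are always 64 bytes
HEX_DIGITS = b"0123456789abcdefABCDEF"


def diagnose_signature_header(value: str) -> tuple[str, int]:
    """Classify a captured header value as (verdict, decoded_length).

    Verdict names are hypothetical labels for this example, not nanook output.
    """
    try:
        # Assumption: standard base64 alphabet with padding.
        raw = base64.b64decode(value.strip(), validate=True)
    except (binascii.Error, ValueError):
        # Would fail before the length check this diagnostic describes.
        return ("not-base64", 0)

    n = len(raw)
    if n == ED25519_SIG_LEN:
        return ("ok", n)
    if n < ED25519_SIG_LEN:
        # Typical of a header cut short by a proxy or HTTP client.
        return ("truncated", n)
    if n == 2 * ED25519_SIG_LEN and all(b in HEX_DIGITS for b in raw):
        # Client base64-encoded the hex string instead of the raw bytes.
        return ("hex-encoded", n)
    # Extra bytes, e.g. something appended to the signature before encoding.
    return ("oversized", n)


if __name__ == "__main__":
    sig = bytes(range(64))  # constructed stand-in, not a real signature
    good = base64.b64encode(sig).decode()
    samples = {
        "full header": good,
        "cut to 44 chars": good[:44],
        "hex then base64": base64.b64encode(sig.hex().encode()).decode(),
    }
    for label, value in samples.items():
        print(label, diagnose_signature_header(value))
```

A header cut at a length that is not a multiple of four characters fails base64 decoding outright, so this diagnostic only appears when the cut lands on a four-character boundary or the client encoded the wrong bytes.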