OAuth HTTP Message Signatures is an RFC 9421 standard that defines a method for creating, encoding, and verifying signatures within HTTP requests. The specification can be applied to various applications both within and outside of OAuth implementations. In OAuth contexts, HTTP Message Signatures functions as a proof of possession mechanism that adds protection to Bearer tokens. This approach provides an alternative to other proof of possession methods such as Mutual TLS (RFC 8705) and DPoP (RFC 9449). The standard is referenced by the Financial-grade API (FAPI) as one approved method for signing HTTP messages. The specification evolved from an earlier individual draft titled "Signing HTTP Messages" by Cavage, which was never adopted by a working group and expired in 2018. Development briefly moved through the Digital Verification Community Group and Credentials Community Group at W3C before being redirected to the IETF HTTPBIS working group, where it continued development until publication as an RFC. The standard provides a standardized approach to message signing that can be implemented across different HTTP-based authentication and authorization scenarios.