Day 6

Part 1

Ever wondered how you can prove to another service that you're who you say you are? That you are the logged-in atmosphere account? Remember way back on day 1 when we had you grab the multikey from your DID document under verificationMethod? That is the public key matching the private key on your PDS, the one used to sign the commits to your repo. The PDS can also use that key to create a JWT whose signature proves it's you; you request one from the com.atproto.server.getServiceAuth endpoint.

When calling this endpoint there are 2 required parameters:

  • aud: The did:web of the service you expect to consume this token. For example, when migrating and creating a new account on a PDS with your DID, it would be that PDS's DID, like did:web:blacksky.app.
  • lxm: The XRPC endpoint you are calling, like com.atproto.server.createAccount in the case of a migration.

Decoded, the JWT that comes back looks like this.

Header:

{
  "typ": "JWT",
  "alg": "ES256K"
}

Payload:

{
  "iat": 1774113399,
  "iss": "did:plc:rnpkyqnmsw4ipey6eotbdnnf",
  "aud": "did:web:blacksky.app",
  "exp": 1774113459,
  "lxm": "com.atproto.server.createAccount",
  "jti": "793cd20048417bcd8d229f343a95363f"
}

On the backend you usually decode the JWT, read the iss claim, resolve that DID's document, and take the key from its verificationMethod to verify the signature, while also checking that aud is your own DID, that lxm is the method actually being called, and that exp has not passed.
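A backend-side check of the token above, written in Python as an added example (not code from the challenge or from any atproto library): it decodes the header and payload, takes the multikey from the verificationMethod of the already-resolved DID document for iss, and verifies the ES256K (secp256k1) signature over header.payload, refusing the token first when alg, iss, aud, lxm or exp are wrong. DID resolution itself is not shown and the DID document passed in is assumed to be the resolved one; the curve arithmetic is a minimal pure-Python implementation for illustration, not a production library.

```python
import base64, hashlib, json
from functools import reduce

# secp256k1 parameters: the curve behind the ES256K alg in the JWT header above
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def ec_add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None:
        return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    l = (3 * p[0] ** 2 * pow(2 * p[1], -1, P) if p == q else (q[1] - p[1]) * pow(q[0] - p[0], -1, P)) % P
    x = (l * l - p[0] - q[0]) % P
    return x, (l * (p[0] - x) - p[1]) % P

def ec_mul(k, p):  # double-and-add scalar multiplication
    r = None
    while k:
        r, p, k = (ec_add(r, p) if k & 1 else r), ec_add(p, p), k >> 1
    return r

def point_from_multikey(mk):
    # 'z' marks base58btc; the bytes are multicodec 0xe7 0x01 (secp256k1-pub) + a 33-byte compressed point
    n = reduce(lambda acc, ch: acc * 58 + B58.index(ch), mk[1:], 0)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if mk[0] != "z" or len(raw) != 35 or raw[:2] != b"\xe7\x01" or raw[2] not in (2, 3):
        raise ValueError("not a secp256k1 multikey")
    x = int.from_bytes(raw[3:], "big")
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)  # modular square root, valid because P % 4 == 3
    return x, y if y & 1 == raw[2] & 1 else P - y

def b64url_decode(s):  # JWT segments are base64url without padding
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_service_auth(jwt, did_doc, expected_aud, expected_lxm, now):  # did_doc: resolved document of iss
    h, c, s = jwt.split(".")
    header, claims, sig = json.loads(b64url_decode(h)), json.loads(b64url_decode(c)), b64url_decode(s)
    r, sv = int.from_bytes(sig[:32], "big"), int.from_bytes(sig[32:], "big")
    if (header.get("alg") != "ES256K" or claims.get("iss") != did_doc.get("id")  # cheap checks first
            or claims.get("aud") != expected_aud or claims.get("lxm") != expected_lxm
            or claims.get("exp", 0) <= now or len(sig) != 64 or not (0 < r < N and 0 < sv < N)):
        return False
    pub = point_from_multikey(did_doc["verificationMethod"][0]["publicKeyMultibase"])
    z, w = int.from_bytes(hashlib.sha256(f"{h}.{c}".encode()).digest(), "big"), pow(sv, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))  # u1*G + u2*Q must land on x == r
    return pt is not None and pt[0] % N == r
```

The signature is the raw r||s form JWS uses for ES256K, so no DER handling is needed; a malformed segment raises rather than returning False, which a real service should catch and treat as a rejected token.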

In the AT Protocol, services authenticate requests between each other using serviceAuth — a signed JWT token. When your PDS proxies a request to another service on your behalf, it creates a JWT signed with your account's signing key.

For this challenge, request a serviceAuth token for your account for the lxm endpoint with the `aud` of.