# Module BSV::Auth::AuthHeaders <a id="module-BSV-Auth-AuthHeaders"></a>

BRC-104 HTTP header name constants and filtering helpers.

Provides the canonical header names used in BSV auth HTTP transport, matching
the Go SDK's brc104/auth_http_headers.go exactly.

Header filtering:
*   Requests: content-type (normalised), authorization, x-bsv-* (excl.
    x-bsv-auth-*)
*   Responses: authorization, x-bsv-* (excl. x-bsv-auth-*) — content-type is
    NOT signed

Both {.filter_request_headers} and {.filter_response_headers} return sorted
key, value
:   pairs ready for payload serialisation.

## Constants
### `AUTH_PREFIX` <a id="constant-AUTH_PREFIX"></a> <a id="AUTH_PREFIX-constant"></a>
Common prefix for all BSV auth headers.

### `BSV_PREFIX` <a id="constant-BSV_PREFIX"></a> <a id="BSV_PREFIX-constant"></a>
Prefix for all BSV custom headers (non-auth).

### `IDENTITY_KEY` <a id="constant-IDENTITY_KEY"></a> <a id="IDENTITY_KEY-constant"></a>
Sender's identity public key (compressed hex).

### `MESSAGE_TYPE` <a id="constant-MESSAGE_TYPE"></a> <a id="MESSAGE_TYPE-constant"></a>
Message type string (e.g. 'general', 'initialRequest').

### `NONCE` <a id="constant-NONCE"></a> <a id="NONCE-constant"></a>
Sender's nonce.

### `PAYMENT` <a id="constant-PAYMENT"></a> <a id="PAYMENT-constant"></a>
Raw payment transaction (hex or base64).

### `PAYMENT_DERIVATION_PREFIX` <a id="constant-PAYMENT_DERIVATION_PREFIX"></a> <a id="PAYMENT_DERIVATION_PREFIX-constant"></a>
BIP-32 derivation prefix for payment key.

### `PAYMENT_PREFIX` <a id="constant-PAYMENT_PREFIX"></a> <a id="PAYMENT_PREFIX-constant"></a>
Prefix for BSV payment headers (excluded from signed payload).

### `PAYMENT_SATOSHIS_REQUIRED` <a id="constant-PAYMENT_SATOSHIS_REQUIRED"></a> <a id="PAYMENT_SATOSHIS_REQUIRED-constant"></a>
Number of satoshis required for payment.

### `PAYMENT_VERSION` <a id="constant-PAYMENT_VERSION"></a> <a id="PAYMENT_VERSION-constant"></a>
Payment protocol version.

### `REQUESTED_CERTIFICATES` <a id="constant-REQUESTED_CERTIFICATES"></a> <a id="REQUESTED_CERTIFICATES-constant"></a>
Requested certificate set (JSON-encoded).

### `REQUEST_ID` <a id="constant-REQUEST_ID"></a> <a id="REQUEST_ID-constant"></a>
Request ID for correlation (base64-encoded 32 bytes).

### `SIGNATURE` <a id="constant-SIGNATURE"></a> <a id="SIGNATURE-constant"></a>
ECDSA/Schnorr signature (hex-encoded).

### `VERSION` <a id="constant-VERSION"></a> <a id="VERSION-constant"></a>
Protocol version header.

### `YOUR_NONCE` <a id="constant-YOUR_NONCE"></a> <a id="YOUR_NONCE-constant"></a>
Recipient's nonce (echoed back for mutual verification).

## Public Class Methods
### `extract_auth_headers(headers)` <a id="method-c-extract_auth_headers"></a> <a id="extract_auth_headers-class_method"></a>
Extracts <code>x-bsv-auth-*</code> headers from a hash and returns a
structured hash with symbolised keys derived from the header name suffix.

For example, <code>x-bsv-auth-identity-key</code> becomes
<code>:identity_key</code>.
- **@param** `headers` [Hash] incoming headers hash (keys may be mixed case)
- **@return** [Hash] symbolised auth header values; only present keys are included

### `filter_request_headers(headers)` <a id="method-c-filter_request_headers"></a> <a id="filter_request_headers-class_method"></a>
Filters request headers to the set that is signed in the payload.

Includes (matching TS/Go SDK behaviour):
*   <code>content-type</code> — normalised by stripping "; charset=..." params
*   `authorization`
*   <code>x-bsv-*</code> headers, excluding any that start with
    <code>x-bsv-auth</code>

Raises `ArgumentError` if any header does not fall into the above categories
(matching TS SDK strictness — an unsupported header that the caller expects to
be signed is a security concern).
- **@param** `headers` [Hash] header key/value pairs (keys need not be lowercased)
- **@raise** [ArgumentError] if an unsupported header is present
- **@return** [Array<Array(String, String)>] sorted [key, value] pairs, keys lowercased

### `filter_response_headers(headers)` <a id="method-c-filter_response_headers"></a> <a id="filter_response_headers-class_method"></a>
Filters response headers to the set that is signed in the payload.

Includes (matching TS/Go SDK behaviour):
*   `authorization`
*   <code>x-bsv-*</code> headers, excluding any that start with
    <code>x-bsv-auth</code>

Note: <code>content-type</code> is intentionally excluded from response
signing (matches both Go and TS SDK behaviour).
- **@param** `headers` [Hash] header key/value pairs
- **@return** [Array<Array(String, String)>] sorted [key, value] pairs, keys lowercased
