Authentication
Bombora authenticates requests with the Flashbots-style X-Flashbots-Signature header, which identifies the Ethereum address that signed the request body.
Most methods accept the header but do not require it, and it does not affect priority. eth_sendEndOfBlockBundle is the exception: it requires a valid signature, and requests without one are rejected.
Header format
X-Flashbots-Signature: <address>:<signature>address: the public address of the signing key.signature: the EIP-191 (personal_sign) ECDSA secp256k1 signature over the hex-encoded keccak256 hash of the request body (UTF-8 bytes).
The signing key can be any Ethereum key; it is independent of the transactions in the bundle. The signature covers the exact body, so it must be recomputed whenever the body changes.
Compatibility
This is the same scheme originally defined by Flashbots, so existing signing code works against Bombora unchanged.