Authentication is not specified by the ActivityPub standard. In practice, the fediverse mostly uses HTTP Message Signatures to authenticate server-to-server requests, using a relatively consistent profile. This document describes that profile and usage, recommends best practices, and evaluates their success so far.