DEV Community: Maximiliano Santana The latest articles on DEV Community by Maximiliano Santana (@maxis). https://dev.to/maxis https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3783930%2F18b8ab98-ac89-4a5a-9fa8-f4375c7e829c.png DEV Community: Maximiliano Santana https://dev.to/maxis en The Undocumented Secret to Hedera Message Signature Verification Maximiliano Santana Sat, 21 Feb 2026 13:23:18 +0000 https://dev.to/maxis/-the-undocumented-secret-to-hedera-message-signature-verification-e5l https://dev.to/maxis/-the-undocumented-secret-to-hedera-message-signature-verification-e5l <p>I almost gave up on my project.</p> <p>I was building a P2P NFT swap on Hedera. Everything worked. But message signature verification kept failing.</p> <h2> The Problem </h2> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="c1">// Frontend</span> <span class="kd">const</span> <span class="nx">signature</span> <span class="o">=</span> <span class="k">await</span> <span class="nx">wallet</span><span class="p">.</span><span class="nf">signMessage</span><span class="p">(</span><span class="dl">"</span><span class="s2">Sign in to MichiMint</span><span class="dl">"</span><span class="p">);</span> <span class="c1">// Backend</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="nx">pubKey</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span> <span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="dl">"</span><span class="s2">Sign in to MichiMint</span><span class="dl">"</span><span class="p">),</span> <span class="nx">signature</span> <span class="p">);</span> <span class="c1">// false ❌</span> </code></pre> </div> <p>Same message. Fresh signature. Correct public key. <strong>Why?</strong></p> <h2> The Solution </h2> <p>Hedera wallets add a hidden prefix:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight typescript"><code><span class="kd">function</span> <span class="nf">prefixMessage</span><span class="p">(</span><span class="nx">message</span><span class="p">:</span> <span class="kr">string</span><span class="p">):</span> <span class="kr">string</span> <span class="p">{</span> <span class="k">return</span> <span class="dl">'</span><span class="se">\</span><span class="s1">x19Hedera Signed Message:</span><span class="se">\n</span><span class="dl">'</span> <span class="o">+</span> <span class="nx">message</span><span class="p">.</span><span class="nx">length</span> <span class="o">+</span> <span class="nx">message</span><span class="p">;</span> <span class="p">}</span> <span class="c1">// Backend verification</span> <span class="kd">const</span> <span class="nx">prefixedMessage</span> <span class="o">=</span> <span class="nf">prefixMessage</span><span class="p">(</span><span class="dl">"</span><span class="s2">Sign in to MichiMint</span><span class="dl">"</span><span class="p">);</span> <span class="kd">const</span> <span class="nx">isValid</span> <span class="o">=</span> <span class="nx">pubKey</span><span class="p">.</span><span class="nf">verify</span><span class="p">(</span><span class="nx">Buffer</span><span class="p">.</span><span class="k">from</span><span class="p">(</span><span class="nx">prefixedMessage</span><span class="p">),</span> <span class="nx">signature</span><span class="p">);</span> <span class="c1">// true ✅</span> </code></pre> </div> <p>Breaking it down:</p> <ul> <li> <code>\x19</code> - Magic byte (prevents TX collision)</li> <li> <code>Hedera Signed Message:\n</code> - Context identifier </li> <li> <code>22</code> - Message length</li> <li> <code>Sign in to MichiMint</code> - Your message</li> </ul> <h2> Why This Isn't Documented </h2> <p>Hedera adopted Ethereum's EIP-191 standard. They assumed devs would know.</p> <p>I couldn't find this in official docs, HashPack docs, or Stack Overflow. Only one Reddit comment.</p> <h2> Why It Matters </h2> <p>Without the prefix, signatures could be replayed in different contexts. The prefix makes them context-specific and secure.</p> <p><strong>This powers MichiMint</strong> - first trustless P2P NFT swap on Hedera using Scheduled Transactions.</p> <p><a href="https://michimint.xyz" rel="noopener noreferrer">michimint.xyz</a></p> <p>If this saved you debugging time, share it. The next dev shouldn't have to hunt through Reddit.</p> blockchain tutorial typescript web3