We need to standardize naming of userUUID/uuid/Uuid and publicKey/public_key as requests can be passed around from clients and servers (this is a little out of the scope of Sessionless, but I'm happy to talk about it more).
Need to make it clear that signature passing is implementation dependent. If you're only using HTTPS, and you don't expect any outside messages, then you can use headers, but if not you'll probably want to put the signature on the body of the request.
Maybe we can extend our servers to include WebSockets in the example and do headers on HTTP requests and body signatures on WebSocket ones.
Would be good to mention ordinals and timestamps to prevent replays.
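
A sketch of the body-signature and replay-prevention ideas above, added here as an example and not taken from Sessionless or its servers. Assumptions: Ed25519 through Node's built-in `crypto` stands in for whatever signature scheme the implementation uses, and the field names (`signed`, `signature`, `timestamp`, `ordinal`), the 30-second window and the sample values are hypothetical.

```javascript
const crypto = require("node:crypto");

const MAX_SKEW_MS = 30_000; // assumed freshness window, not from the page

// Client: sign the exact string that travels in the body, so uuid, timestamp
// and ordinal are all covered by the signature (usable on a WebSocket frame).
function signMessage(privateKey, uuid, ordinal, payload, now = Date.now()) {
  const signed = JSON.stringify({ uuid, timestamp: now, ordinal, payload });
  const signature = crypto.sign(null, Buffer.from(signed), privateKey).toString("base64");
  return { signed, signature };
}

// Server: remembers the highest ordinal accepted per uuid.
function makeVerifier(publicKeys) {
  const lastOrdinal = new Map();
  return function verify(message, now = Date.now()) {
    if (typeof message?.signed !== "string") return "malformed";
    let fields;
    try { fields = JSON.parse(message.signed); } catch { return "malformed"; }
    if (fields === null || typeof fields !== "object") return "malformed";
    const publicKey = publicKeys.get(fields.uuid);
    if (!publicKey) return "unknown-uuid";
    // Verify the received bytes, never a re-serialized copy of the parsed fields.
    const ok = crypto.verify(null, Buffer.from(message.signed), publicKey,
      Buffer.from(String(message.signature), "base64"));
    if (!ok) return "bad-signature";
    // Written as a negated <= so a missing timestamp (NaN) is rejected too.
    if (!(Math.abs(now - fields.timestamp) <= MAX_SKEW_MS)) return "stale";
    const last = lastOrdinal.get(fields.uuid) ?? -1;
    if (!Number.isInteger(fields.ordinal) || fields.ordinal <= last) return "replay";
    lastOrdinal.set(fields.uuid, fields.ordinal);
    return "ok";
  };
}

// Constructed sample run: one fresh message, then replayed, tampered and stale.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ed25519");
  const uuid = "constructed-uuid-1";
  const verify = makeVerifier(new Map([[uuid, publicKey]]));
  const t0 = 1_700_000_000_000;
  const first = signMessage(privateKey, uuid, 1, { action: "ping" }, t0);
  const tampered = { ...first, signed: first.signed.replace("ping", "pong") };
  const late = signMessage(privateKey, uuid, 2, { action: "ping" }, t0);
  return [verify(first, t0 + 5), verify(first, t0 + 10),
    verify(tampered, t0 + 15), verify(late, t0 + 60_000)];
}
```

The timestamp bounds how long a captured message stays usable, and the ordinal rejects a second delivery inside that window; the server only needs to keep one integer per uuid.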