diff --git a/activitypub.py b/activitypub.py
index 53584d0..5c4f7e4 100644
--- a/activitypub.py
+++ b/activitypub.py
@@ -431,8 +431,10 @@ def signed_request(fn, url, data=None, log_data=True, headers=None, **kwargs):
 # (request-target) is a special HTTP Signatures header that some fediverse
 # implementations require, eg Peertube.
 # https://datatracker.ietf.org/doc/html/draft-cavage-http-signatures-12#section-2.3
- # https://github.com/snarfed/bridgy-fed/issues/40
- auth = HTTPSignatureAuth(secret=user.private_pem(), key_id=user.ap_actor(),
+ # https://www.w3.org/wiki/SocialCG/ActivityPub/Authentication_Authorization#Signing_requests_using_HTTP_Signatures
+ # https://docs.joinmastodon.org/spec/security/#http
+ key_id = f'{user.ap_actor()}#key'
+ auth = HTTPSignatureAuth(secret=user.private_pem(), key_id=key_id,
 algorithm='rsa-sha256', sign_header='signature',
 headers=HTTP_SIG_HEADERS)
@@ -484,7 +486,7 @@ def postprocess_as2(activity, orig_obj=None, wrap=True):
 actor_url = host_url(activity.get('preferredUsername'))
 activity.update({
 'publicKey': {
- 'id': actor_url,
+ 'id': f'{actor_url}#key',
 'owner': actor_url,
 'publicKeyPem': g.user.public_pem().decode(),
 },
diff --git a/tests/test_activitypub.py b/tests/test_activitypub.py
index b53b690..704b02f 100644
--- a/tests/test_activitypub.py
+++ b/tests/test_activitypub.py
@@ -58,7 +58,7 @@ ACTOR_BASE = {
 'sharedInbox': 'http://localhost/ap/sharedInbox',
 },
 'publicKey': {
- 'id': 'http://localhost/user.com',
+ 'id': 'http://localhost/user.com#key',
 'owner': 'http://localhost/user.com',
 'publicKeyPem': 'populated in setUp()',
 },
@@ -337,7 +337,7 @@ class ActivityPubTest(TestCase):
 'followers': 'http://bf/fake/user.com/ap/followers',
 'endpoints': {'sharedInbox': 'http://localhost/ap/sharedInbox'},
 'publicKey': {
- 'id': 'http://localhost/user.com',
+ 'id': 'http://localhost/user.com#key',
 'owner': 'http://localhost/user.com',
 'publicKeyPem': self.user.public_pem().decode(),
 },
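Review bot: The `#key` fragment that ties an outgoing signature's keyId to the publicKey id served in the actor document is now a bare literal in two unrelated places — `key_id = f'{user.ap_actor()}#key'` in signed_request and `'id': f'{actor_url}#key'` in postprocess_as2 — with nothing enforcing that they stay equal; a remote verifier dereferences keyId and matches it against the actor's `publicKey.id`, so a later edit to either site silently breaks verification of every signed request. Hoist the suffix into one helper used at both sites, e.g. `def key_id(actor_url): return f'{actor_url}#key'`, and extend the comment to say why the fragment exists: `# keyId must equal the publicKey.id we serve in the actor document (<actor>#key)`. The two sites also derive the actor URL differently (`user.ap_actor()` vs `host_url(activity.get('preferredUsername'))`); if those can ever disagree, the keyId will not resolve to the served key, which a test asserting the signed keyId equals the actor document's `publicKey.id` would catch. Both signed_request and postprocess_as2 begin before and continue past their hunks.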
diff --git a/tests/test_follow.py b/tests/test_follow.py
index f108230..7e0fb7a 100644
--- a/tests/test_follow.py
+++ b/tests/test_follow.py
@@ -266,8 +266,9 @@ class FollowTest(TestCase):
 # check that we signed with the follower's key
 sig_template = inbox_kwargs['auth'].header_signer.signature_template
- self.assertTrue(sig_template.startswith('keyId="http://localhost/alice.com"'),
- sig_template)
+ self.assertTrue(
+ sig_template.startswith('keyId="http://localhost/alice.com#key"'),
+ sig_template)
 follow_id = f'http://localhost/web/alice.com/following#2022-01-02T03:04:05-{input}'
@@ -481,8 +482,9 @@ class UnfollowTest(TestCase):
 # check that we signed with the follower's key
 sig_template = inbox_kwargs['auth'].header_signer.signature_template
- self.assertTrue(sig_template.startswith('keyId="http://localhost/alice.com"'),
- sig_template)
+ self.assertTrue(
+ sig_template.startswith('keyId="http://localhost/alice.com#key"'),
+ sig_template)
 follower = Follower.query().get()
 self.assertEqual('inactive', follower.status)
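Review bot: The three-line keyId assertion is duplicated verbatim in the FollowTest and UnfollowTest hunks, and because it only checks a prefix with `startswith`, a failure dumps the whole signature template instead of the expected and actual keyId. A helper on the shared test base, e.g. `def assert_signed_by(self, inbox_kwargs, actor): ...`, that extracts the `keyId="..."` parameter from `signature_template` and uses `assertEqual` against `f'{actor}#key'` keeps the `#key` convention in one place and yields a readable diff. The enclosing test methods start before their hunks, so the surrounding setup is not visible here.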