diff --git a/lib/http.js b/lib/http.js
index 998e099..60475a5 100644
--- a/lib/http.js
+++ b/lib/http.js
@@ -116,12 +116,18 @@ export async function addRoutes({app} = {}) {
 const {ecdsa, mldsa} = bedrock.config.hmbd.secrets;
 const verificationMethod = isMLDSA ? mldsa.id : ecdsa.id;
 const cryptosuite = CRYPTOSUITE_FACTORIES.get(cryptosuiteName)();
+
+ const nonce = Array.from(crypto.getRandomValues(new Uint8Array(32)))
+ .map(b => b.toString(32).padStart(2, '0'))
+ .join('');
+
 const proof = {
 type: 'DataIntegrityProof',
 cryptosuite: cryptosuite.name,
 proofPurpose: 'assertionMethod',
 verificationMethod,
- created: new Date().toISOString().replace(/\.\d+Z$/, 'Z')
+ created: new Date().toISOString().replace(/\.\d+Z$/, 'Z'),
+ nonce
 };

 // canonicalize and SHA-256 hash the proof options (no proofValue);
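Review bot: The nonce encoder in the added `const nonce` lines calls `b.toString(32)` with `padStart(2, '0')`, which looks like a typo for radix 16. Each byte still maps to a unique two-character pair, so the 256 bits from `crypto.getRandomValues` are kept, but the string is neither hex nor standard base32 and the first character of every pair only ranges over 0–7. I would change the line to `.map(b => b.toString(16).padStart(2, '0'))`. I would also add a comment above it such as `// per-proof random nonce, carried in the proof options that are hashed below`, and say there what the nonce is for. A nonce chosen by the signer gives replay protection only if the verifier tracks or supplies it, and nothing in the hunk shows that. The body of `addRoutes` starts and ends outside the hunk, so how `proof` is hashed and signed is inferred from the trailing comment only.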