Signing and Verifying

Signing and Verification actions can be performed with all the asymmetric key types available in the Vault.

Sign a Message

Sign a message (a claim, a hash, or specific text) with a given Key.

POST https://vault.provide.services/api/v1/vaults/:id/keys/:key_id/sign

Path Parameters

| Name | Type | Description |
| --- | --- | --- |
| id* | uuid | id of the Vault hosting the Key to be used for signing |
| key_id* | uuid | id of the Key to be used for signing |

Headers

| Name | Type | Description |
| --- | --- | --- |
| authorization* | string | bearer |

Request Body

| Name | Type | Description |
| --- | --- | --- |
| message* | string | string to sign, typically the hash; note that only 32-byte messages will be signed by secp256k1 or BIP39 keys |

curl -i \
    -H 'Authorization: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjp7fSwiZXhwIjpudWxsLCJpYXQiOjE1NTk4Nzg1NzQsImp0aSI6IjYzYTJkY2QzLWI5OTgtNDZjNC1hNzFkLTQ5MjU4YTBhYmEyMyIsInN1YiI6ImFwcGxpY2F0aW9uOmNiMjAzN2Y3LTc5ZmMtNDBmNC05NzIwLWFkYTYzNmRhNDE4MyJ9.0LsVj7oTF0KjwbcUhg9a-fQRWB7cGzKJxLIANeX2cWE' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/a7dd081d-8ad8-499e-a472-587f044c0039/keys/752176e2-f31f-4887-8267-12ba5769ddcb/sign \
    -d '{
      "message": "hello world"
    }'
HTTP/2 201

Response JSON:

{
  "signature": "02a285b1a277f7602dc115a3bf627a8b7603a4a1be9a72b3ab0284878afe443d0023c6b618333ead186cfbf16180f2058727c5ee0e437a0fcff1d3966351d741"
}

The signature returned in the response is hex-encoded.

Signing Parameters

| Parameter | Supported Values |
| --- | --- |
| message | string to sign, typically the hash; note that only 32-byte messages will be signed by secp256k1 or BIP39 keys |

Signing Options (RSA)

When signing with RSA, the RSA signing/verification algorithm must also be provided; otherwise the request fails with a "nil signing options" 500 error.

An example of signing with an RSA key is shown below.

curl -i -XPOST \
    -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.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.LY0VhXJMtbTHQ-RqwC9LqXTaOO83tH3fGQwvdSohtXrNNqhGyOXWecGvYMCP8SuJHEzEgj4NLBdspRD9kfWDdbuALLgEwwGN-iz4fwLfHo_AubmpnCt0gEea7CoGozgY-7pp7apTLAbGMQ_kjb0Az49CfV5eiRrM3ntkQkmEfyEurEOo-Q3u2kLJJKjTOfz5KDHYD5t78x-Srjxod9tqilm4sOM2nGTdcY4_Iuo5fFKPhahpxWgOOQnlfOymKm11UGDStv9_6vSgu-qiCEclK8RpY5f9EpbE6d4uFsJmmbtSOUlSVW5p--L86x3XNww9_B-S_tZ6e6kjsuD9JwJUxcQgegTcPqLpfuiiSFFgoNlk-JJsZXbF6-T5Y7hP6OspeG2NzUZ2xtliMyLm9fjwP4OEUkvKXQzC-Dh4M2fQSXyGv3lSmjRXUEltQzwvJ4i8nQ5qnDzYVyqXhEVg9lplcLOsJFiKcx1Ipm-akjWDn02cnOXjocP6ImbDiH4UF4IIHTqdpygoTqfRjL3j1JipCvmAumtbSwzXxbjWRgr_VXoCQ9FFaMPl7_WoVa5MQFwY3mH_IBxqNlXLihsJeZ97x6KGN_57yM8OTg30DBzKW38H3l--M88gIKJN-57sa59eej5ECf1n5Rek0TQupt9-OYFH0kmo1zBAydIjXVkdg' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/730afe0f-a62d-48e0-9d67-1e07c118fbf8/keys/633e229f-e382-4441-a500-b08f028184df/sign \
    -d '{
      "message": "hello world",
      "options": {
        "algorithm": "PS256"
      }
    }'
HTTP/2 201

RSA Signing Options

| Parameter | Supported Values |
| --- | --- |
| algorithm | RS256 RS384 RS512 (for RSA PKCS#1 v1.5); PS256 PS384 PS512 (for RSASSA-PSS) |

Signing with BIP39 Key

A BIP39 key functions as an HD wallet. Signing with a BIP39 key automatically generates a new secp256k1 key, derived from the BIP39 master key, to sign each request, unless the request contains HD wallet signing options specifying the derivation path to be used for signing.

An example is shown below:

curl -i -XPOST \
    -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.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.LY0VhXJMtbTHQ-RqwC9LqXTaOO83tH3fGQwvdSohtXrNNqhGyOXWecGvYMCP8SuJHEzEgj4NLBdspRD9kfWDdbuALLgEwwGN-iz4fwLfHo_AubmpnCt0gEea7CoGozgY-7pp7apTLAbGMQ_kjb0Az49CfV5eiRrM3ntkQkmEfyEurEOo-Q3u2kLJJKjTOfz5KDHYD5t78x-Srjxod9tqilm4sOM2nGTdcY4_Iuo5fFKPhahpxWgOOQnlfOymKm11UGDStv9_6vSgu-qiCEclK8RpY5f9EpbE6d4uFsJmmbtSOUlSVW5p--L86x3XNww9_B-S_tZ6e6kjsuD9JwJUxcQgegTcPqLpfuiiSFFgoNlk-JJsZXbF6-T5Y7hP6OspeG2NzUZ2xtliMyLm9fjwP4OEUkvKXQzC-Dh4M2fQSXyGv3lSmjRXUEltQzwvJ4i8nQ5qnDzYVyqXhEVg9lplcLOsJFiKcx1Ipm-akjWDn02cnOXjocP6ImbDiH4UF4IIHTqdpygoTqfRjL3j1JipCvmAumtbSwzXxbjWRgr_VXoCQ9FFaMPl7_WoVa5MQFwY3mH_IBxqNlXLihsJeZ97x6KGN_57yM8OTg30DBzKW38H3l--M88gIKJN-57sa59eej5ECf1n5Rek0TQupt9-OYFH0kmo1zBAydIjXVkdg' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/730afe0f-a62d-48e0-9d67-1e07c118fbf8/keys/633e229f-e382-4441-a500-b08f028184df/sign \
    -d '{
      "message": "12345678901234567890123456789012"
    }'
HTTP/2 201

Note that with each subsequent signing operation, the HD derivation path is automatically incremented (i.e., the next signing operation would increment the hd_derivation_path to m/44'/60'/0'/0/1). To override this behavior and force signing to occur with a specific key, the request should include the additional hdwallet option, as illustrated below:

curl -i -XPOST \
    -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.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.YlS8eQA1b9GjWhHjef08m0UQFg6nyQgvw34fPCEglfp48wWlLAwnLOmVZT0O3nHAf5f9XJljjLchGkS_vBqzs6xy39Paq81ywxJLU5PdNJFY13bhVjwTJCGWzL2pE8T5by2zaDHEjrsYfCr32ZY0o94pTzQEJ7f0TvjnyuE3l3B584u50d5gss_MOpf44-kOcX6T0KQwJmKA1rCWNrMQ4Hh3i1B-LoysGcOJhDJpuHCD6loijNIxvkjndQ2PeQXHqZ4ZKr0p4pIsexYflLdT1Szl59lpFipgCTomPVYAmBZX0MfZPlt30Pp62ANDs4qttH7-OrnK4m2_p6yeYGiRsf7TUj9NAYdHVetEYeu8oSgpQfmr0Z3jTxXFEY9t1cBPMB5zyBwzCMsTVjlG3xhGxr9SQ26uheMy7M-u9_8Kq-riZv2W79ALm22MSyYi7y0UeC3wG-hO8jrxns3kzV4heI3upwhXS2ccEZrpWbJe4S17egjpEDYAI3JIuWkggEzr_snB8xCV1-ZB2_r6aqdfmsj3QIZQK4U2c6Wa27NBA4hzE45qp_RMyiY7PZOzv0315TYa6qrio2qyUWRr29nHPOEAufg9L-aMYVKBOieL8VIWKw3RBVSDABN1sFWbFfiX0Pd5jny7zMxjHtoae5B-jgAzijIcH7xnvzkCBIySlhI' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/e0761eac-a6ba-45bd-9a16-9eea155e7816/keys/73d0144d-801d-49a0-86bb-5ee1fdcc9706/sign \
    -d '{
      "message": "12345678901234567890123456789012",
      "options": {
        "hdwallet": {
          "coin": 60,
          "index": 0
        }
      }
    }'
HTTP/2 201

BIP39 Signing Options

| Parameter | Description | Default |
| --- | --- | --- |
| purpose | the purpose of the HD wallet | 44' |
| coin | coin type integer as registered here | 60' |
| coin_abbr | human-readable coin abbreviation (deprecated; use coin or hd_derivation_path) | ETH |
| account | account path within the HD wallet | 0 |
| change | the change path within the hardened account | 0 |
| index | 0 - 4294967295 permitted | 0 |
| hd_derivation_path | the full HD derivation path; overrides other options when provided | - |

Note that specifying hdwallet options does not override the automatically-sequenced, iterative HD derivation path which is the default behavior of secp256k1 keys in the context of a BIP39 HD wallet. When hdwallet options are provided as part of a signing API request, they specify which key (i.e., at a given HD derivation path) should be used for the signing operation.

Signing with a BIP39 key results in an extended API response which includes the hd_derivation_path and the public network address representation of the derived key which signed the transaction:

{
  "signature": "ed1eeedb6d5db4da744acddd0b9639566229a10f8cb0841210749b033261acb770e40267a4d8b28eda62d19c893950453b9acbbc816fbf267869d18e938da9d600",
  "address": "0x707193161a7F1e6a8DD33b56E89A6deBCb235e86",
  "hd_derivation_path": "m/44'/60'/0'/0/0"
}

Signing Ethereum Transactions

Note: When using a secp256k1 key (or a secp256k1 key derived by a BIP39 HD wallet), only 32-byte messages will be signed when the coin type is 60' (i.e., ETH); the expected length of a keccak hash is 32 bytes. Transaction signing for other coin types is not yet supported.

Verify a Signature

Verify that a message was signed with a given Key.

Verify a Message Signature

GET https://vault.provide.services/api/v1/vaults/:id/keys/:key_id/verify

Path Parameters

| Name | Type | Description |
| --- | --- | --- |
| id* | uuid | id of the Vault hosting the Key to be used for verification |
| key_id* | uuid | id of the Key to be used for verification |

Headers

| Name | Type | Description |
| --- | --- | --- |
| authorization* | string | bearer |

Request Body

| Name | Type | Description |
| --- | --- | --- |
| message* | string | the original message which was signed; typically a hash |
| signature | string | the signature to verify |

curl -i \
    -H 'Authorization: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjp7fSwiZXhwIjpudWxsLCJpYXQiOjE1NTk4Nzg1NzQsImp0aSI6IjYzYTJkY2QzLWI5OTgtNDZjNC1hNzFkLTQ5MjU4YTBhYmEyMyIsInN1YiI6ImFwcGxpY2F0aW9uOmNiMjAzN2Y3LTc5ZmMtNDBmNC05NzIwLWFkYTYzNmRhNDE4MyJ9.0LsVj7oTF0KjwbcUhg9a-fQRWB7cGzKJxLIANeX2cWE' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/a7dd081d-8ad8-499e-a472-587f044c0039/keys/752176e2-f31f-4887-8267-12ba5769ddcb/verify \
    -d '{
      "message": "hello world",
      "signature": "02a285b1a277f7602dc115a3bf627a8b7603a4a1be9a72b3ab0284878afe443d0023c6b618333ead186cfbf16180f2058727c5ee0e437a0fcff1d3966351d741", 
      "options": {
        "algorithm": "PS256"
      } 
    }'
HTTP/2 200

Response JSON:

{
  "verified": true
}

Request Parameters

| Parameter | Description |
| --- | --- |
| message | the original message which was signed; typically a hash |
| signature | the signature to verify |

Verification Options (RSA)

When verifying an RSA signature, the same RSA signing/verification algorithm that was used to sign the message must also be provided; otherwise the response is "verified": "false", regardless of the validity of the signature.

An example of verifying with an RSA key, specifying the RSA signing algorithm used to sign the message, is shown below.

curl -i \
    -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.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.LY0VhXJ_MtbTHQ-RqwC9LqXTaOO83tH3fGQwvdSohtXrNNqhGyOXWecGvYMCP8SuJHEzEgj4NLBdspRD9kfWDdbuALLgEwwGN-iz4fwLfHo_AubmpnCt0gEea7CoGozgY-7pp7apTLAbGMQ_kjb0Az49CfV5eiRrM3ntkQkmEfyEurEOo-Q3u2kLJJKjTOfz5KDHYD5t78x-Srjxod9tqilm4sOM2nGTdcY4_Iuo5fFKPhahpxWgOOQnlfOymKm11UGDStv9_6vSgu-qiCEclK8RpY5f9EpbE6d4uFsJmmbtSOUlSVW5p-_-L86x3XNww9_B-S_tZ6e6kjsuD9JwJUxcQgegTcPqLpfuiiSFFgoNlk-JJsZXbF6-T5Y7hP6OspeG2NzUZ2xtliMyLm9fjwP4OEUkvKXQzC-Dh4M2fQSXyGv3lSmjRXUEltQzwvJ4i8nQ5qnDzYVyqXhEVg9lplcLOsJFiKcx1Ipm-akjWDn02cnOXjocP6ImbDiH4UF4IIHTqdpygoTqfRjL3j1JipCvmAumtbSwzXxbjWRgr_VXoCQ9FFaMPl7_WoVa5MQFwY3mH_IBxqNlXLihsJeZ97x6KGN_57yM8OTg30DBzKW38H3l--M88gIKJN-57sa59eej5ECf1n5Rek0TQupt9-OYFH0kmo1zBAydIjXVkdg' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/730afe0f-a62d-48e0-9d67-1e07c118fbf8/keys/633e229f-e382-4441-a500-b08f028184df/verify \
    -d '{
      "message": "hello world",
      "signature": "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", 
      "options": {
        "algorithm": "PS256"
      } 
    }'
HTTP/2 200
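
Why a missing or mismatched algorithm option cannot verify, shown locally in Go as an added example (not Vault's own code): a PS256 signature over a constructed message verifies only under PS256. It assumes the message is hashed with the SHA variant named by the algorithm, as in JWA; the key is a throwaway generated in-process and the function names are hypothetical.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	_ "crypto/sha256" // registers SHA-256
	_ "crypto/sha512" // registers SHA-384 and SHA-512
	"encoding/hex"
	"fmt"
)

// digest maps an "algorithm" option to (digest, hash, isPSS, ok); ok is false if missing or unknown.
// Assumption: the message is hashed with the SHA variant named in the option.
func digest(alg, msg string) ([]byte, crypto.Hash, bool, bool) {
	hashes := map[string]crypto.Hash{"256": crypto.SHA256, "384": crypto.SHA384, "512": crypto.SHA512}
	if len(alg) != 5 || (alg[:2] != "RS" && alg[:2] != "PS") || hashes[alg[2:]] == 0 {
		return nil, 0, false, false
	}
	h := hashes[alg[2:]]
	d := h.New()
	d.Write([]byte(msg))
	return d.Sum(nil), h, alg[:2] == "PS", true
}

// verify is true only if the hex signature matches msg under exactly this algorithm.
func verify(pub *rsa.PublicKey, msg, sigHex, alg string) bool {
	sum, h, pss, ok := digest(alg, msg)
	sig, err := hex.DecodeString(sigHex)
	if !ok || err != nil {
		return false
	}
	if pss {
		return rsa.VerifyPSS(pub, h, sum, sig, nil) == nil
	}
	return rsa.VerifyPKCS1v15(pub, h, sum, sig) == nil
}

// outcomes signs a constructed message with PS256 under a throwaway key, then verifies it per option value.
func outcomes() map[string]bool {
	key, _ := rsa.GenerateKey(rand.Reader, 2048)
	sum, h, _, _ := digest("PS256", "hello world")
	raw, _ := rsa.SignPSS(rand.Reader, key, h, sum, nil)
	res := map[string]bool{}
	for _, alg := range []string{"PS256", "RS256", "PS512", ""} {
		res[alg] = verify(&key.PublicKey, "hello world", hex.EncodeToString(raw), alg)
	}
	return res
}

func main() { fmt.Println(outcomes()) }
```

Storing the algorithm alongside each signature at signing time avoids treating a valid signature as forged because the verifier guessed the wrong padding or hash.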

Verification Options (BIP39)

To verify a signature created by a key derived from a BIP39 HD wallet, you must provide the HD derivation path index value or the full hd_derivation_path corresponding to such derived key.

The following example shows how to validate a signature created by the key derived at index 0 of a BIP39 HD wallet:

curl -i -XPOST \
    -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.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.YlS8eQA1b9GjWhHjef08m0UQFg6nyQgvw34fPCEglfp48wWlLAwnLOmVZT0O3nHAf5f9XJljjLchGkS_vBqzs6xy39Paq81ywxJLU5PdNJFY13bhVjwTJCGWzL2pE8T5by2zaDHEjrsYfCr32ZY0o94pTzQEJ7f0TvjnyuE3l3B584u50d5gss_MOpf44-kOcX6T0KQwJmKA1rCWNrMQ4Hh3i1B-LoysGcOJhDJpuHCD6loijNIxvkjndQ2PeQXHqZ4ZKr0p4pIsexYflLdT1Szl59lpFipgCTomPVYAmBZX0MfZPlt30Pp62ANDs4qttH7-OrnK4m2_p6yeYGiRsf7TUj9NAYdHVetEYeu8oSgpQfmr0Z3jTxXFEY9t1cBPMB5zyBwzCMsTVjlG3xhGxr9SQ26uheMy7M-u9_8Kq-riZv2W79ALm22MSyYi7y0UeC3wG-hO8jrxns3kzV4heI3upwhXS2ccEZrpWbJe4S17egjpEDYAI3JIuWkggEzr_snB8xCV1-ZB2_r6aqdfmsj3QIZQK4U2c6Wa27NBA4hzE45qp_RMyiY7PZOzv0315TYa6qrio2qyUWRr29nHPOEAufg9L-aMYVKBOieL8VIWKw3RBVSDABN1sFWbFfiX0Pd5jny7zMxjHtoae5B-jgAzijIcH7xnvzkCBIySlhI' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/e0761eac-a6ba-45bd-9a16-9eea155e7816/keys/73d0144d-801d-49a0-86bb-5ee1fdcc9706/verify \
    -d '{
      "message": "12345678901234567890123456789012",
      "signature": "ed1eeedb6d5db4da744acddd0b9639566229a10f8cb0841210749b033261acb770e40267a4d8b28eda62d19c893950453b9acbbc816fbf267869d18e938da9d600",
      "options": {
        "hdwallet": {
          "coin": 60,
          "index": 0
        }
      }
    }'
HTTP/2 200

The same signature verification as illustrated above can also be accomplished using the hd_derivation_path of the derived key:

curl -i -XPOST \
    -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.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.YlS8eQA1b9GjWhHjef08m0UQFg6nyQgvw34fPCEglfp48wWlLAwnLOmVZT0O3nHAf5f9XJljjLchGkS_vBqzs6xy39Paq81ywxJLU5PdNJFY13bhVjwTJCGWzL2pE8T5by2zaDHEjrsYfCr32ZY0o94pTzQEJ7f0TvjnyuE3l3B584u50d5gss_MOpf44-kOcX6T0KQwJmKA1rCWNrMQ4Hh3i1B-LoysGcOJhDJpuHCD6loijNIxvkjndQ2PeQXHqZ4ZKr0p4pIsexYflLdT1Szl59lpFipgCTomPVYAmBZX0MfZPlt30Pp62ANDs4qttH7-OrnK4m2_p6yeYGiRsf7TUj9NAYdHVetEYeu8oSgpQfmr0Z3jTxXFEY9t1cBPMB5zyBwzCMsTVjlG3xhGxr9SQ26uheMy7M-u9_8Kq-riZv2W79ALm22MSyYi7y0UeC3wG-hO8jrxns3kzV4heI3upwhXS2ccEZrpWbJe4S17egjpEDYAI3JIuWkggEzr_snB8xCV1-ZB2_r6aqdfmsj3QIZQK4U2c6Wa27NBA4hzE45qp_RMyiY7PZOzv0315TYa6qrio2qyUWRr29nHPOEAufg9L-aMYVKBOieL8VIWKw3RBVSDABN1sFWbFfiX0Pd5jny7zMxjHtoae5B-jgAzijIcH7xnvzkCBIySlhI' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/e0761eac-a6ba-45bd-9a16-9eea155e7816/keys/73d0144d-801d-49a0-86bb-5ee1fdcc9706/verify \
    -d '{
      "message": "12345678901234567890123456789012",
      "signature": "ed1eeedb6d5db4da744acddd0b9639566229a10f8cb0841210749b033261acb770e40267a4d8b28eda62d19c893950453b9acbbc816fbf267869d18e938da9d600",
      "options": {
        "hdwallet": {
          "hd_derivation_path": "m/44'/60'/0'/0/0"
        }
      }
    }'
HTTP/2 200
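
An added client-side sketch in Go (not part of the Vault API or its SDK) that resolves hdwallet options to a derivation path using the table's defaults, and builds the verify request from a sign response so that verification pins the path that actually signed rather than a guessed index. Which levels are hardened follows the page's example path m/44'/60'/0'/0/0; the function names and sample values are constructed.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"regexp"
)

var pathRe = regexp.MustCompile(`^m(/\d+'?)+$`)

// resolvePath applies the table defaults to hdwallet options; a full hd_derivation_path overrides them.
func resolvePath(opts map[string]uint64, full string) (string, error) {
	if full != "" {
		if !pathRe.MatchString(full) {
			return "", errors.New("malformed hd_derivation_path")
		}
		return full, nil
	}
	v := map[string]uint64{"purpose": 44, "coin": 60, "account": 0, "change": 0, "index": 0}
	for k, n := range opts {
		// The table gives 0 - 4294967295 for index; applied to every field here (assumption).
		if _, known := v[k]; !known || n > 4294967295 {
			return "", fmt.Errorf("bad hdwallet option %s=%d", k, n)
		}
		v[k] = n
	}
	return fmt.Sprintf("m/%d'/%d'/%d'/%d/%d", v["purpose"], v["coin"], v["account"], v["change"], v["index"]), nil
}

// verifyBody builds the verify request for a BIP39 signature from the sign response it came from.
func verifyBody(message string, signResp []byte) (string, error) {
	var r struct {
		Signature string `json:"signature"`
		Path      string `json:"hd_derivation_path"`
	}
	if err := json.Unmarshal(signResp, &r); err != nil {
		return "", err
	}
	if r.Path == "" || !pathRe.MatchString(r.Path) {
		return "", errors.New("sign response lacks a usable hd_derivation_path")
	}
	body, err := json.Marshal(map[string]interface{}{"message": message, "signature": r.Signature,
		"options": map[string]interface{}{"hdwallet": map[string]string{"hd_derivation_path": r.Path}}})
	return string(body), err
}

func main() { fmt.Println(resolvePath(map[string]uint64{"index": 1}, "")) }
```

Because the path auto-increments on every default signing call, the hd_derivation_path returned with each signature is the only reliable record of which derived key produced it.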

Detached Verification

In certain cases, you may need to verify the signature of a message which was signed by a third party. A Vault instance can perform such verification given the message, signature and public key. This is referred to as "detached verification" since the private key which signed the message does not exist in the Vault. Ephemeral keys are created in-memory to perform this verification by invoking the following API:

curl -i \
    -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.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.LY0VhXJ_MtbTHQ-RqwC9LqXTaOO83tH3fGQwvdSohtXrNNqhGyOXWecGvYMCP8SuJHEzEgj4NLBdspRD9kfWDdbuALLgEwwGN-iz4fwLfHo_AubmpnCt0gEea7CoGozgY-7pp7apTLAbGMQ_kjb0Az49CfV5eiRrM3ntkQkmEfyEurEOo-Q3u2kLJJKjTOfz5KDHYD5t78x-Srjxod9tqilm4sOM2nGTdcY4_Iuo5fFKPhahpxWgOOQnlfOymKm11UGDStv9_6vSgu-qiCEclK8RpY5f9EpbE6d4uFsJmmbtSOUlSVW5p-_-L86x3XNww9_B-S_tZ6e6kjsuD9JwJUxcQgegTcPqLpfuiiSFFgoNlk-JJsZXbF6-T5Y7hP6OspeG2NzUZ2xtliMyLm9fjwP4OEUkvKXQzC-Dh4M2fQSXyGv3lSmjRXUEltQzwvJ4i8nQ5qnDzYVyqXhEVg9lplcLOsJFiKcx1Ipm-akjWDn02cnOXjocP6ImbDiH4UF4IIHTqdpygoTqfRjL3j1JipCvmAumtbSwzXxbjWRgr_VXoCQ9FFaMPl7_WoVa5MQFwY3mH_IBxqNlXLihsJeZ97x6KGN_57yM8OTg30DBzKW38H3l--M88gIKJN-57sa59eej5ECf1n5Rek0TQupt9-OYFH0kmo1zBAydIjXVkdg' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/verify \
    -d '{
      "message": "hello world",
      "signature": "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",
      "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuJwSYrTfqWzADY54qHne\n/WgAUo/1Tq5TkmNczWMx+6FiDRI2EpNdKi1711XvpvTe35JEXa5oYKmRQnMxhB29\nWvH5V8QnKXwIpSvtNqrueRHmRTLVrqcAiqxaNMJ/OQLLFqvqY8+pvUVDIf2Q+DWY\nIJHT105I7kyWCSjwi0NxG0Uf1KVswCY6ERRD7fPUkYUVHdc6eUG9/Va2aIXNmlu/\nr2yNTZxNAUT/zE+q/dnaVKAKMB2Orpj27XCP9i1rQsSaSdBqPxe9GTErZBLLMV5W\ndyELcT4NfhPXzJvN+czObtX0V8Kksszhb0etLMLKzUzAnQEFtY/SVQlKgExqWBKu\nGQIDAQAB\n-----END PUBLIC KEY-----\n",
      "options": {
        "algorithm": "PS256"
      } 
    }'
HTTP/2 200

Detached verification requires a public_key to be supplied in the request.
