Signing and Verification

Signing and Verification actions can be performed with all the asymmetric key types available in the Vault.

Sign a Message

Sign a message (a claim, or hash or specific text) with a given Key.

curl -i \
    -H 'Authorization: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjp7fSwiZXhwIjpudWxsLCJpYXQiOjE1NTk4Nzg1NzQsImp0aSI6IjYzYTJkY2QzLWI5OTgtNDZjNC1hNzFkLTQ5MjU4YTBhYmEyMyIsInN1YiI6ImFwcGxpY2F0aW9uOmNiMjAzN2Y3LTc5ZmMtNDBmNC05NzIwLWFkYTYzNmRhNDE4MyJ9.0LsVj7oTF0KjwbcUhg9a-fQRWB7cGzKJxLIANeX2cWE' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/a7dd081d-8ad8-499e-a472-587f044c0039/keys/752176e2-f31f-4887-8267-12ba5769ddcb/sign \
    -d '{
      "message": "hello world"
    }'
HTTP/2 201

Response JSON:

{
  "signature": "02a285b1a277f7602dc115a3bf627a8b7603a4a1be9a72b3ab0284878afe443d0023c6b618333ead186cfbf16180f2058727c5ee0e437a0fcff1d3966351d741"
}

The signature returned in the response is hex-encoded.

Signing Parameters

Signing Options (RSA)

When signing with RSA, the RSA signing/verification algorithm must also be provided (otherwise it will return with a "nil signing options" 500 error).

An example of signing with an RSA key is shown below.

curl -i -XPOST  \
-H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.eyJhdWQiOiJodHRwczovL3Byb3ZpZGUuc2VydmljZXMvYXBpL3YxIiwiZXhwIjoxNTk5OTIyNDU1LCJpYXQiOjE1OTk4MzYwNTUsImlzcyI6Imh0dHBzOi8vaWRlbnQucHJvdmlkZS5zZXJ2aWNlcyIsImp0aSI6IjNhMWRiZWY4LWIyYjUtNDllOC1hMTc3LTVhYTE2MTdhZGRiMSIsIm5hdHMiOnsicGVybWlzc2lvbnMiOnsic3Vic2NyaWJlIjp7ImFsbG93IjpbInVzZXIuNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIiwibmV0d29yay4qLmNvbm5lY3Rvci4qIiwibmV0d29yay4qLnN0YXR1cyIsInBsYXRmb3JtLlx1MDAzZSJdfX19LCJwcnZkIjp7InBlcm1pc3Npb25zIjo3NTUzLCJ1c2VyX2lkIjoiNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0sInN1YiI6InVzZXI6NGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0.LY0VhXJMtbTHQ-RqwC9LqXTaOO83tH3fGQwvdSohtXrNNqhGyOXWecGvYMCP8SuJHEzEgj4NLBdspRD9kfWDdbuALLgEwwGN-iz4fwLfHo_AubmpnCt0gEea7CoGozgY-7pp7apTLAbGMQ_kjb0Az49CfV5eiRrM3ntkQkmEfyEurEOo-Q3u2kLJJKjTOfz5KDHYD5t78x-Srjxod9tqilm4sOM2nGTdcY4_Iuo5fFKPhahpxWgOOQnlfOymKm11UGDStv9_6vSgu-qiCEclK8RpY5f9EpbE6d4uFsJmmbtSOUlSVW5p--L86x3XNww9_B-S_tZ6e6kjsuD9JwJUxcQgegTcPqLpfuiiSFFgoNlk-JJsZXbF6-T5Y7hP6OspeG2NzUZ2xtliMyLm9fjwP4OEUkvKXQzC-Dh4M2fQSXyGv3lSmjRXUEltQzwvJ4i8nQ5qnDzYVyqXhEVg9lplcLOsJFiKcx1Ipm-akjWDn02cnOXjocP6ImbDiH4UF4IIHTqdpygoTqfRjL3j1JipCvmAumtbSwzXxbjWRgr_VXoCQ9FFaMPl7_WoVa5MQFwY3mH_IBxqNlXLihsJeZ97x6KGN_57yM8OTg30DBzKW38H3l--M88gIKJN-57sa59eej5ECf1n5Rek0TQupt9-OYFH0kmo1zBAydIjXVkdg' \  
-H 'Content-Type: application/json' \
https://vault.provide.services/api/v1/vaults/730afe0f-a62d-48e0-9d67-1e07c118fbf8/keys/633e229f-e382-4441-a500-b08f028184df/sign
  -d '{ 
    "message": "hello world", 
    "options": {
      "algorithm": "PS256"
    } 
  }'
HTTP/2 201

RSA Signing Options

Signing with BIP39 Key

Signing with a BIP39 key, which actually functions as a HD wallet, automatically generates a new secp256k1 key derived from the BIP39 master key to sign each request, unless the request contains HD wallet signing options specifying the derivation path to be used for signing.

An example is shown below:

curl -i -XPOST  \
-H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.eyJhdWQiOiJodHRwczovL3Byb3ZpZGUuc2VydmljZXMvYXBpL3YxIiwiZXhwIjoxNTk5OTIyNDU1LCJpYXQiOjE1OTk4MzYwNTUsImlzcyI6Imh0dHBzOi8vaWRlbnQucHJvdmlkZS5zZXJ2aWNlcyIsImp0aSI6IjNhMWRiZWY4LWIyYjUtNDllOC1hMTc3LTVhYTE2MTdhZGRiMSIsIm5hdHMiOnsicGVybWlzc2lvbnMiOnsic3Vic2NyaWJlIjp7ImFsbG93IjpbInVzZXIuNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIiwibmV0d29yay4qLmNvbm5lY3Rvci4qIiwibmV0d29yay4qLnN0YXR1cyIsInBsYXRmb3JtLlx1MDAzZSJdfX19LCJwcnZkIjp7InBlcm1pc3Npb25zIjo3NTUzLCJ1c2VyX2lkIjoiNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0sInN1YiI6InVzZXI6NGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0.LY0VhXJMtbTHQ-RqwC9LqXTaOO83tH3fGQwvdSohtXrNNqhGyOXWecGvYMCP8SuJHEzEgj4NLBdspRD9kfWDdbuALLgEwwGN-iz4fwLfHo_AubmpnCt0gEea7CoGozgY-7pp7apTLAbGMQ_kjb0Az49CfV5eiRrM3ntkQkmEfyEurEOo-Q3u2kLJJKjTOfz5KDHYD5t78x-Srjxod9tqilm4sOM2nGTdcY4_Iuo5fFKPhahpxWgOOQnlfOymKm11UGDStv9_6vSgu-qiCEclK8RpY5f9EpbE6d4uFsJmmbtSOUlSVW5p--L86x3XNww9_B-S_tZ6e6kjsuD9JwJUxcQgegTcPqLpfuiiSFFgoNlk-JJsZXbF6-T5Y7hP6OspeG2NzUZ2xtliMyLm9fjwP4OEUkvKXQzC-Dh4M2fQSXyGv3lSmjRXUEltQzwvJ4i8nQ5qnDzYVyqXhEVg9lplcLOsJFiKcx1Ipm-akjWDn02cnOXjocP6ImbDiH4UF4IIHTqdpygoTqfRjL3j1JipCvmAumtbSwzXxbjWRgr_VXoCQ9FFaMPl7_WoVa5MQFwY3mH_IBxqNlXLihsJeZ97x6KGN_57yM8OTg30DBzKW38H3l--M88gIKJN-57sa59eej5ECf1n5Rek0TQupt9-OYFH0kmo1zBAydIjXVkdg' \  
-H 'Content-Type: application/json' \
https://vault.provide.services/api/v1/vaults/730afe0f-a62d-48e0-9d67-1e07c118fbf8/keys/633e229f-e382-4441-a500-b08f028184df/sign
  -d '{ 
    "message": "12345678901234567890123456789012"
  }'
HTTP/2 201

Note that with each subsequent signing operation, the HD derivation path is automatically incremented (i.e., the next signing operation would increment the hd_derivation_path to m/44/60'/0'/0/1). To override this behavior and to force signing to occur with a specific key, the request should have the additional hdwallet option as illustrated below:

curl -i -XPOST \
    -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.eyJhdWQiOiJodHRwczovL3Byb3ZpZGUuc2VydmljZXMvYXBpL3YxIiwiZXhwIjoxNTk5OTI1NDI4LCJpYXQiOjE1OTk4MzkwMjgsImlzcyI6Imh0dHBzOi8vaWRlbnQucHJvdmlkZS5zZXJ2aWNlcyIsImp0aSI6IjJmZjE2YzczLTczOWItNDFmZi04MTM1LTM1NTQxOWY2M2RiMCIsIm5hdHMiOnsicGVybWlzc2lvbnMiOnsic3Vic2NyaWJlIjp7ImFsbG93IjpbInVzZXIuNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIiwibmV0d29yay4qLmNvbm5lY3Rvci4qIiwibmV0d29yay4qLnN0YXR1cyIsInBsYXRmb3JtLlx1MDAzZSJdfX19LCJwcnZkIjp7InBlcm1pc3Npb25zIjo3NTUzLCJ1c2VyX2lkIjoiNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0sInN1YiI6InVzZXI6NGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0.YlS8eQA1b9GjWhHjef08m0UQFg6nyQgvw34fPCEglfp48wWlLAwnLOmVZT0O3nHAf5f9XJljjLchGkS_vBqzs6xy39Paq81ywxJLU5PdNJFY13bhVjwTJCGWzL2pE8T5by2zaDHEjrsYfCr32ZY0o94pTzQEJ7f0TvjnyuE3l3B584u50d5gss_MOpf44-kOcX6T0KQwJmKA1rCWNrMQ4Hh3i1B-LoysGcOJhDJpuHCD6loijNIxvkjndQ2PeQXHqZ4ZKr0p4pIsexYflLdT1Szl59lpFipgCTomPVYAmBZX0MfZPlt30Pp62ANDs4qttH7-OrnK4m2_p6yeYGiRsf7TUj9NAYdHVetEYeu8oSgpQfmr0Z3jTxXFEY9t1cBPMB5zyBwzCMsTVjlG3xhGxr9SQ26uheMy7M-u9_8Kq-riZv2W79ALm22MSyYi7y0UeC3wG-hO8jrxns3kzV4heI3upwhXS2ccEZrpWbJe4S17egjpEDYAI3JIuWkggEzr_snB8xCV1-ZB2_r6aqdfmsj3QIZQK4U2c6Wa27NBA4hzE45qp_RMyiY7PZOzv0315TYa6qrio2qyUWRr29nHPOEAufg9L-aMYVKBOieL8VIWKw3RBVSDABN1sFWbFfiX0Pd5jny7zMxjHtoae5B-jgAzijIcH7xnvzkCBIySlhI' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/e0761eac-a6ba-45bd-9a16-9eea155e7816/keys/73d0144d-801d-49a0-86bb-5ee1fdcc9706/sign \
    -d '{
      "message": "12345678901234567890123456789012",
      "options": {
        "hdwallet": {
          "coin": 60,
          "index": 0
        }
      }
    }'
HTTP/2 201

BIP39 Signing Options

Note that specifying hdwallet options does not override the automatically-sequenced, iterative HD derivation path which is the default behavior of secp256k1 keys in the context of a BIP39 HD wallet. When hdwallet options are provided as part of a signing API request, they specify which key (i.e., at a given HD derivation path) should be used for the signing operation.

Signing with a BIP39 key results in an extended API response which includes the hd_derivation_path and the public network address representation of the derived key which signed the transaction:

{
  "signature": "ed1eeedb6d5db4da744acddd0b9639566229a10f8cb0841210749b033261acb770e40267a4d8b28eda62d19c893950453b9acbbc816fbf267869d18e938da9d600",
  "address": "0x707193161a7F1e6a8DD33b56E89A6deBCb235e86",
  "hd_derivation_path": "m/44'/60'/0'/0/0"
}

Signing Ethereum Transactions

Note: When using a secp256k1 key (or a secp256k1 key derived by a BIP39 HD wallet), only 32-byte messages will be signed when the coin type is 60' (i.e., ETH); the expected length of a keccak hash is 32-bytes. Transaction signing for other coin types is not yet supported.

Verify a Signature

Verify that a message was signed with a given Key.

curl -i \
    -H 'Authorization: bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjp7fSwiZXhwIjpudWxsLCJpYXQiOjE1NTk4Nzg1NzQsImp0aSI6IjYzYTJkY2QzLWI5OTgtNDZjNC1hNzFkLTQ5MjU4YTBhYmEyMyIsInN1YiI6ImFwcGxpY2F0aW9uOmNiMjAzN2Y3LTc5ZmMtNDBmNC05NzIwLWFkYTYzNmRhNDE4MyJ9.0LsVj7oTF0KjwbcUhg9a-fQRWB7cGzKJxLIANeX2cWE' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/a7dd081d-8ad8-499e-a472-587f044c0039/keys/752176e2-f31f-4887-8267-12ba5769ddcb/verify \
    -d '{
      "message": "hello world",
      "signature": "02a285b1a277f7602dc115a3bf627a8b7603a4a1be9a72b3ab0284878afe443d0023c6b618333ead186cfbf16180f2058727c5ee0e437a0fcff1d3966351d741", 
      "options": {
        "algorithm": "PS256"
      } 
    }'
HTTP/2 200

Response JSON:

{
  "verified": true
}

Request Parameters

Verification Options (RSA)

When verifying an RSA signature, the same RSA signing/verification algorithm used to sign the message must also be provided (otherwise it will return a "verified": "false" response, regardless of the validity of the signature).

An example of verifying with an RSA key, specifying the RSA signing algorithm used to sign the message, is shown below.

curl -i \
    -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.eyJhdWQiOiJodHRwczovL3Byb3ZpZGUuc2VydmljZXMvYXBpL3YxIiwiZXhwIjoxNTk5OTIyNDU1LCJpYXQiOjE1OTk4MzYwNTUsImlzcyI6Imh0dHBzOi8vaWRlbnQucHJvdmlkZS5zZXJ2aWNlcyIsImp0aSI6IjNhMWRiZWY4LWIyYjUtNDllOC1hMTc3LTVhYTE2MTdhZGRiMSIsIm5hdHMiOnsicGVybWlzc2lvbnMiOnsic3Vic2NyaWJlIjp7ImFsbG93IjpbInVzZXIuNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIiwibmV0d29yay4qLmNvbm5lY3Rvci4qIiwibmV0d29yay4qLnN0YXR1cyIsInBsYXRmb3JtLlx1MDAzZSJdfX19LCJwcnZkIjp7InBlcm1pc3Npb25zIjo3NTUzLCJ1c2VyX2lkIjoiNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0sInN1YiI6InVzZXI6NGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0.LY0VhXJ_MtbTHQ-RqwC9LqXTaOO83tH3fGQwvdSohtXrNNqhGyOXWecGvYMCP8SuJHEzEgj4NLBdspRD9kfWDdbuALLgEwwGN-iz4fwLfHo_AubmpnCt0gEea7CoGozgY-7pp7apTLAbGMQ_kjb0Az49CfV5eiRrM3ntkQkmEfyEurEOo-Q3u2kLJJKjTOfz5KDHYD5t78x-Srjxod9tqilm4sOM2nGTdcY4_Iuo5fFKPhahpxWgOOQnlfOymKm11UGDStv9_6vSgu-qiCEclK8RpY5f9EpbE6d4uFsJmmbtSOUlSVW5p-_-L86x3XNww9_B-S_tZ6e6kjsuD9JwJUxcQgegTcPqLpfuiiSFFgoNlk-JJsZXbF6-T5Y7hP6OspeG2NzUZ2xtliMyLm9fjwP4OEUkvKXQzC-Dh4M2fQSXyGv3lSmjRXUEltQzwvJ4i8nQ5qnDzYVyqXhEVg9lplcLOsJFiKcx1Ipm-akjWDn02cnOXjocP6ImbDiH4UF4IIHTqdpygoTqfRjL3j1JipCvmAumtbSwzXxbjWRgr_VXoCQ9FFaMPl7_WoVa5MQFwY3mH_IBxqNlXLihsJeZ97x6KGN_57yM8OTg30DBzKW38H3l--M88gIKJN-57sa59eej5ECf1n5Rek0TQupt9-OYFH0kmo1zBAydIjXVkdg' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/730afe0f-a62d-48e0-9d67-1e07c118fbf8/keys/633e229f-e382-4441-a500-b08f028184df/verify \
    -d '{
      "message": "hello world",
      "signature": "5843e068858b6b90b3e64a8b162cf757f80881101cdf021a56bbe059b12ae9ae5fe87d6919725a10dfb0056d5689394269a16518d9987302e2353cde308d1e7c2a8eedad94ed2a88184b283df90dc7a89d42136b60082d8e6452afae443bf026a930c7eccef945934e4e870212d1c2ec16986c9b4ba249698bde419a4bbdc16b1fd16a820fd0094580a3a13d29e62a70cb020a15e9e57fef6b3576b00a563197985ca0d520a595d4183956faf2ef94983db46a16ddf206fa4726a71ffc4fed4d475916bd172b4a64dbf9b7b70165200588dac341f4ed500bb049b50c1847b156f07f59c7a7f849fb8d96e5b37074e643d734c865c69e1affd3c7ba71d81d6ac7", 
      "options": {
        "algorithm": "PS256"
      } 
    }'
HTTP/2 200

Verification Options (BIP39)

To verify a signature created by a key derived from a BIP39 HD wallet, you must provide the HD derivation path index value or the full hd_derivation_path corresponding to such derived key.

The following example shows how to validate a signature created by the key derived at index 0 of a BIP39 HD wallet:

curl -i -XPOST \
    -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.eyJhdWQiOiJodHRwczovL3Byb3ZpZGUuc2VydmljZXMvYXBpL3YxIiwiZXhwIjoxNTk5OTI1NDI4LCJpYXQiOjE1OTk4MzkwMjgsImlzcyI6Imh0dHBzOi8vaWRlbnQucHJvdmlkZS5zZXJ2aWNlcyIsImp0aSI6IjJmZjE2YzczLTczOWItNDFmZi04MTM1LTM1NTQxOWY2M2RiMCIsIm5hdHMiOnsicGVybWlzc2lvbnMiOnsic3Vic2NyaWJlIjp7ImFsbG93IjpbInVzZXIuNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIiwibmV0d29yay4qLmNvbm5lY3Rvci4qIiwibmV0d29yay4qLnN0YXR1cyIsInBsYXRmb3JtLlx1MDAzZSJdfX19LCJwcnZkIjp7InBlcm1pc3Npb25zIjo3NTUzLCJ1c2VyX2lkIjoiNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0sInN1YiI6InVzZXI6NGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0.YlS8eQA1b9GjWhHjef08m0UQFg6nyQgvw34fPCEglfp48wWlLAwnLOmVZT0O3nHAf5f9XJljjLchGkS_vBqzs6xy39Paq81ywxJLU5PdNJFY13bhVjwTJCGWzL2pE8T5by2zaDHEjrsYfCr32ZY0o94pTzQEJ7f0TvjnyuE3l3B584u50d5gss_MOpf44-kOcX6T0KQwJmKA1rCWNrMQ4Hh3i1B-LoysGcOJhDJpuHCD6loijNIxvkjndQ2PeQXHqZ4ZKr0p4pIsexYflLdT1Szl59lpFipgCTomPVYAmBZX0MfZPlt30Pp62ANDs4qttH7-OrnK4m2_p6yeYGiRsf7TUj9NAYdHVetEYeu8oSgpQfmr0Z3jTxXFEY9t1cBPMB5zyBwzCMsTVjlG3xhGxr9SQ26uheMy7M-u9_8Kq-riZv2W79ALm22MSyYi7y0UeC3wG-hO8jrxns3kzV4heI3upwhXS2ccEZrpWbJe4S17egjpEDYAI3JIuWkggEzr_snB8xCV1-ZB2_r6aqdfmsj3QIZQK4U2c6Wa27NBA4hzE45qp_RMyiY7PZOzv0315TYa6qrio2qyUWRr29nHPOEAufg9L-aMYVKBOieL8VIWKw3RBVSDABN1sFWbFfiX0Pd5jny7zMxjHtoae5B-jgAzijIcH7xnvzkCBIySlhI' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/e0761eac-a6ba-45bd-9a16-9eea155e7816/keys/73d0144d-801d-49a0-86bb-5ee1fdcc9706/verify \
    -d '{
      "message": "12345678901234567890123456789012",
      "signature": "ed1eeedb6d5db4da744acddd0b9639566229a10f8cb0841210749b033261acb770e40267a4d8b28eda62d19c893950453b9acbbc816fbf267869d18e938da9d600",
      "options": {
        "hdwallet": {
          "coin": 60,
          "index": 0
        }
      }
    }'
HTTP/2 200

The same signature verification as illustrated above can also be accomplished using the hd_derivation_path of the derived key:

    -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.eyJhdWQiOiJodHRwczovL3Byb3ZpZGUuc2VydmljZXMvYXBpL3YxIiwiZXhwIjoxNTk5OTI1NDI4LCJpYXQiOjE1OTk4MzkwMjgsImlzcyI6Imh0dHBzOi8vaWRlbnQucHJvdmlkZS5zZXJ2aWNlcyIsImp0aSI6IjJmZjE2YzczLTczOWItNDFmZi04MTM1LTM1NTQxOWY2M2RiMCIsIm5hdHMiOnsicGVybWlzc2lvbnMiOnsic3Vic2NyaWJlIjp7ImFsbG93IjpbInVzZXIuNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIiwibmV0d29yay4qLmNvbm5lY3Rvci4qIiwibmV0d29yay4qLnN0YXR1cyIsInBsYXRmb3JtLlx1MDAzZSJdfX19LCJwcnZkIjp7InBlcm1pc3Npb25zIjo3NTUzLCJ1c2VyX2lkIjoiNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0sInN1YiI6InVzZXI6NGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0.YlS8eQA1b9GjWhHjef08m0UQFg6nyQgvw34fPCEglfp48wWlLAwnLOmVZT0O3nHAf5f9XJljjLchGkS_vBqzs6xy39Paq81ywxJLU5PdNJFY13bhVjwTJCGWzL2pE8T5by2zaDHEjrsYfCr32ZY0o94pTzQEJ7f0TvjnyuE3l3B584u50d5gss_MOpf44-kOcX6T0KQwJmKA1rCWNrMQ4Hh3i1B-LoysGcOJhDJpuHCD6loijNIxvkjndQ2PeQXHqZ4ZKr0p4pIsexYflLdT1Szl59lpFipgCTomPVYAmBZX0MfZPlt30Pp62ANDs4qttH7-OrnK4m2_p6yeYGiRsf7TUj9NAYdHVetEYeu8oSgpQfmr0Z3jTxXFEY9t1cBPMB5zyBwzCMsTVjlG3xhGxr9SQ26uheMy7M-u9_8Kq-riZv2W79ALm22MSyYi7y0UeC3wG-hO8jrxns3kzV4heI3upwhXS2ccEZrpWbJe4S17egjpEDYAI3JIuWkggEzr_snB8xCV1-ZB2_r6aqdfmsj3QIZQK4U2c6Wa27NBA4hzE45qp_RMyiY7PZOzv0315TYa6qrio2qyUWRr29nHPOEAufg9L-aMYVKBOieL8VIWKw3RBVSDABN1sFWbFfiX0Pd5jny7zMxjHtoae5B-jgAzijIcH7xnvzkCBIySlhI' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/vaults/e0761eac-a6ba-45bd-9a16-9eea155e7816/keys/73d0144d-801d-49a0-86bb-5ee1fdcc9706/verify \
    -d '{
      "message": "12345678901234567890123456789012",
      "signature": "ed1eeedb6d5db4da744acddd0b9639566229a10f8cb0841210749b033261acb770e40267a4d8b28eda62d19c893950453b9acbbc816fbf267869d18e938da9d600",
      "options": {
        "hdwallet": {
          "hd_derivation_path": "m/44'/60'/0'/0/0"
        }
      }
    }'
HTTP/2 200

Detached Verification

In certain cases, you may need to verify the signature of a message which was signed by a third party. A Vault instance can perform such verification given the message, signature and public key. This is referred to as "detached verification" since the private key which signed the message does not exist in the Vault. Ephemeral keys are created in-memory to perform this verification by invoking the following API:

curl -i \
    -H 'Authorization: bearer eyJhbGciOiJSUzI1NiIsImtpZCI6IjEwOjJlOmQ5OmUxOmI4OmEyOjM0OjM3Ojk5OjNhOjI0OmZjOmFhOmQxOmM4OjU5IiwidHlwIjoiSldUIn0.eyJhdWQiOiJodHRwczovL3Byb3ZpZGUuc2VydmljZXMvYXBpL3YxIiwiZXhwIjoxNTk5OTIyNDU1LCJpYXQiOjE1OTk4MzYwNTUsImlzcyI6Imh0dHBzOi8vaWRlbnQucHJvdmlkZS5zZXJ2aWNlcyIsImp0aSI6IjNhMWRiZWY4LWIyYjUtNDllOC1hMTc3LTVhYTE2MTdhZGRiMSIsIm5hdHMiOnsicGVybWlzc2lvbnMiOnsic3Vic2NyaWJlIjp7ImFsbG93IjpbInVzZXIuNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIiwibmV0d29yay4qLmNvbm5lY3Rvci4qIiwibmV0d29yay4qLnN0YXR1cyIsInBsYXRmb3JtLlx1MDAzZSJdfX19LCJwcnZkIjp7InBlcm1pc3Npb25zIjo3NTUzLCJ1c2VyX2lkIjoiNGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0sInN1YiI6InVzZXI6NGM1ZDI5NjktYTQwYy00ZjZkLWFhMDItMjEzNTVmM2M5MDkxIn0.LY0VhXJ_MtbTHQ-RqwC9LqXTaOO83tH3fGQwvdSohtXrNNqhGyOXWecGvYMCP8SuJHEzEgj4NLBdspRD9kfWDdbuALLgEwwGN-iz4fwLfHo_AubmpnCt0gEea7CoGozgY-7pp7apTLAbGMQ_kjb0Az49CfV5eiRrM3ntkQkmEfyEurEOo-Q3u2kLJJKjTOfz5KDHYD5t78x-Srjxod9tqilm4sOM2nGTdcY4_Iuo5fFKPhahpxWgOOQnlfOymKm11UGDStv9_6vSgu-qiCEclK8RpY5f9EpbE6d4uFsJmmbtSOUlSVW5p-_-L86x3XNww9_B-S_tZ6e6kjsuD9JwJUxcQgegTcPqLpfuiiSFFgoNlk-JJsZXbF6-T5Y7hP6OspeG2NzUZ2xtliMyLm9fjwP4OEUkvKXQzC-Dh4M2fQSXyGv3lSmjRXUEltQzwvJ4i8nQ5qnDzYVyqXhEVg9lplcLOsJFiKcx1Ipm-akjWDn02cnOXjocP6ImbDiH4UF4IIHTqdpygoTqfRjL3j1JipCvmAumtbSwzXxbjWRgr_VXoCQ9FFaMPl7_WoVa5MQFwY3mH_IBxqNlXLihsJeZ97x6KGN_57yM8OTg30DBzKW38H3l--M88gIKJN-57sa59eej5ECf1n5Rek0TQupt9-OYFH0kmo1zBAydIjXVkdg' \
    -H 'Content-Type: application/json' \
    https://vault.provide.services/api/v1/verify \
    -d '{
      "message": "hello world",
      "signature": "5843e068858b6b90b3e64a8b162cf757f80881101cdf021a56bbe059b12ae9ae5fe87d6919725a10dfb0056d5689394269a16518d9987302e2353cde308d1e7c2a8eedad94ed2a88184b283df90dc7a89d42136b60082d8e6452afae443bf026a930c7eccef945934e4e870212d1c2ec16986c9b4ba249698bde419a4bbdc16b1fd16a820fd0094580a3a13d29e62a70cb020a15e9e57fef6b3576b00a563197985ca0d520a595d4183956faf2ef94983db46a16ddf206fa4726a71ffc4fed4d475916bd172b4a64dbf9b7b70165200588dac341f4ed500bb049b50c1847b156f07f59c7a7f849fb8d96e5b37074e643d734c865c69e1affd3c7ba71d81d6ac7",
      "public_key": "-----BEGIN PUBLIC KEY-----\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAuJwSYrTfqWzADY54qHne\n/WgAUo/1Tq5TkmNczWMx+6FiDRI2EpNdKi1711XvpvTe35JEXa5oYKmRQnMxhB29\nWvH5V8QnKXwIpSvtNqrueRHmRTLVrqcAiqxaNMJ/OQLLFqvqY8+pvUVDIf2Q+DWY\nIJHT105I7kyWCSjwi0NxG0Uf1KVswCY6ERRD7fPUkYUVHdc6eUG9/Va2aIXNmlu/\nr2yNTZxNAUT/zE+q/dnaVKAKMB2Orpj27XCP9i1rQsSaSdBqPxe9GTErZBLLMV5W\ndyELcT4NfhPXzJvN+czObtX0V8Kksszhb0etLMLKzUzAnQEFtY/SVQlKgExqWBKu\nGQIDAQAB\n-----END PUBLIC KEY-----\n",
      "options": {
        "algorithm": "PS256"
      } 
    }'
HTTP/2 200

Detached verification requires a public_key to be supplied in the request.

Last updated