Skip to main content
The Key is a core API resource in Dfns. It represents a distributed private key managed by our MPC network. You don’t interact with the key material directly; instead, you use its unique keyId to perform cryptographic operations. The Key object has two primary functions for a developer:
  1. To create Wallet objects.
  2. To sign arbitrary data (raw signing).

1. Creating Multi-chain Wallets from a Key

A single Key object is blockchain-agnostic and can be used to derive multiple Wallet objects across different networks. This creates a one-to-many relationship that simplifies your infrastructure, as you only need to reference one keyId to manage assets on various chains. Think of it like this:
  • Key (with keyId)
    • -> Wallet (Ethereum, with address and walletId)
    • -> Wallet (Solana, with address and walletId)
    • -> Wallet (Bitcoin, with address and walletId)
When you call the Create Wallet endpoint, you can pass the signingKey in the request body to specify which underlying key should control the new wallet.

2. Performing Raw Signing

The most powerful feature of the Key object is the ability to perform raw signing. This is essential for any action beyond a simple asset transfer, such as interacting with a smart contract or signing an off-chain message. You do this by making a POST request to the /keys/{keyId}/signatures endpoint. Your application is then responsible for broadcasting the transaction with the returned signature to the network. This gives you full control over transaction assembly, gas, and nonce management, while Dfns handles the secure signing operation.
What about broadcasting?The Key object only signs. Broadcasting is a function of the Wallet object, as it is network-specific. See the Sign & Broadcast endpoint for broadcasting after the signature has been issued.
Head to the Sign and Broadcast pages to find more information about those endpoints.

Security: The Developer Takeaway

From a developer’s perspective, the security model is simple: the Key object is a inaccessible secret. You can use it to generate signatures, but you can never read the underlying private key material. Our MPC architecture enforces this guarantee. For a deeper technical dive, see our MPC Architecture page.

Key object

id
string
required

Unique identifier for the key.

Required string length: 1 - 64
Pattern: ^key-[a-z0-9]{5}-[a-z0-9]{5}-[a-z0-9]{14,16}$
Example:

"key-01snl-t56gb-j8tsok0vn802p80i"

scheme
enum<string>
required

The cryptographic scheme for the key.

Available options:
ECDSA,
EdDSA,
Schnorr
curve
enum<string>
required

The elliptic curve for the key.

Available options:
ed25519,
secp256k1,
stark
publicKey
string
required

Hex-encoded public key.

status
enum<string>
required

Current status of the key.

Available options:
Active,
Archived
custodial
boolean
required

Whether the key is custodial (owned by organization) or non-custodial (delegated to end user).

dateCreated
string<date-time>
required

ISO 8601 date (must be UTC). When the key was created.

Example:

"2023-04-14T20:41:28.715Z"

masterKey
boolean

Whether this key can be used as a master key for HD derivation.

derivedFrom
object

Derivation info if this key was derived from a master key.

name
string

Nickname for the key.

imported
boolean

Whether this key was imported.

exported
boolean

Whether this key has been exported.

dateExported
string<date-time>

ISO 8601 date (must be UTC). When the key was exported.

Example:

"2023-04-14T20:41:28.715Z"

dateDeleted
string<date-time>

ISO 8601 date (must be UTC). When the key was deleted.

Example:

"2023-04-14T20:41:28.715Z"

Last modified on February 6, 2026