> ## Documentation Index
> Fetch the complete documentation index at: https://docs.dfns.co/llms.txt
> Use this file to discover all available pages before exploring further.
# Derive Key
> Dfns decentralized key management network supports threshold Diffie-Hellman protocol based on [GLOW20 paper](https://eprint.iacr.org/2020/096). You can use the DH protocol to derive output from a domain separation tag and a seed value. The derivation process is deterministic, i.e. the same Diffie-Hellman key and seed will lead to the same derived output. To ensure reproducibility, we use hash to curve [RFC9380](https://www.rfc-editor.org/rfc/rfc9380.html) and standard ciphersuite `secp256k1_XMD:SHA-256_SSWU_RO_`.
The seed doesn’t need to be secret. Without access to the DH key, it is not possible to do the derivation, even if the seed is known. Moreover, if both seed and derived output are known, it’s also not possible to do the derivation for another seed without having access to the DH key.
This endpoint only supports Diffie-Hellman keys. Regular threshold signature keys, like `ECDSA` or `EdDSA`, will not work. You can create a Diffie-Hellman key with the [Create Key](https://docs.dfns.co/api-reference/keys/create-key) endpoint using `scheme=DH` and `curve=secp256k1`.
## OpenAPI
````yaml /openapi.yaml post /keys/{keyId}/derive
openapi: 3.1.0
info:
version: 1.807.0
title: Dfns
servers:
- url: https://api.dfns.io
description: Default - Europe
- url: https://api.uae.dfns.io
description: UAE
- url: https://api.dfns.ninja
description: Staging
security: []
paths:
/keys/{keyId}/derive:
post:
tags:
- Keys
summary: Derive Key
description: >-
Dfns decentralized key management network supports threshold
Diffie-Hellman protocol based on [GLOW20
paper](https://eprint.iacr.org/2020/096). You can use the DH protocol to
derive output from a domain separation tag and a seed value. The
derivation process is deterministic, i.e. the same Diffie-Hellman key
and seed will lead to the same derived output. To ensure
reproducibility, we use hash to curve
[RFC9380](https://www.rfc-editor.org/rfc/rfc9380.html) and standard
ciphersuite `secp256k1_XMD:SHA-256_SSWU_RO_`.
The seed doesn’t need to be secret. Without access to the DH key, it is
not possible to do the derivation, even if the seed is known. Moreover,
if both seed and derived output are known, it’s also not possible to do
the derivation for another seed without having access to the DH key.
This endpoint only supports Diffie-Hellman keys. Regular threshold
signature keys, like `ECDSA` or `EdDSA`, will not work. You can create a
Diffie-Hellman key with the [Create
Key](https://docs.dfns.co/api-reference/keys/create-key) endpoint using
`scheme=DH` and `curve=secp256k1`.
parameters:
- schema:
type: string
minLength: 1
required: true
name: keyId
in: path
requestBody:
content:
application/json:
schema:
type: object
properties:
domain:
type: string
pattern: ^(0x)?([0-9a-fA-F][0-9a-fA-F])*$
seed:
type: string
pattern: ^(0x)?([0-9a-fA-F][0-9a-fA-F])*$
required:
- domain
- seed
additionalProperties: false
responses:
'200':
description: Success
content:
application/json:
schema:
type: object
properties:
output:
type: string
required:
- output
security:
- authenticationToken: []
userActionSignature: []
components:
securitySchemes:
authenticationToken:
type: http
scheme: bearer
bearerFormat: JWT
description: >-
**Bearer Token:** Used to authenticate API requests.
More details how to generate the token: [Authentication
flows](https://docs.dfns.co/api-reference/auth/login-flows)
userActionSignature:
type: apiKey
in: header
name: X-DFNS-USERACTION
description: >-
**User Action Signature:** Used to sign the change-inducing API
requests.
More details how to generate the token: [User Action Signing
flows](https://docs.dfns.co/api-reference/auth/signing-flows)
````