Dfns API Documentation
  • 👋Welcome
  • Getting Started
    • Onboarding to Dfns
    • Dfns Environments
    • Core API Objects
    • Supported Assets
    • Postman
    • Dfns SDKs
    • Dashboard Videos
  • API Docs
    • Introduction
    • Authentication
      • Delegated Authentication
        • Delegated Registration
        • Delegated Registration Restart
        • Delegated Login
      • User Action Signing
        • Create User Action Signature Challenge
        • Create User Action Signature
      • Registration
        • Create User Registration Challenge
        • Complete User Registration
        • Complete End User Registration with Wallets
        • Resend Registration Code
        • Social Registration
      • Login
        • Create User Login Challenge
        • Complete User Login
        • Social Login
        • Logout
        • Send Login Code
      • Users
        • List Users
        • Create User
        • Get User
        • Activate User
        • Deactivate User
        • Archive User
      • Service Accounts
        • List Service Accounts
        • Create Service Account
        • Get Service Account
        • Update Service Account
        • Activate Service Account
        • Deactivate Service Account
        • Archive Service Account
      • Applications
        • List Applications
        • Create Application
        • Create Server-Signed Application
        • Get Application
        • Update Application
        • Activate Application
        • Deactivate Application
        • Archive Application
      • Personal Access Tokens
        • List Personal Access Tokens
        • Create Personal Access Token
        • Get Personal Access Token
        • Update Personal Access Token
        • Activate Personal Access Token
        • Deactivate Personal Access Token
        • Archive Personal Access Token
      • Credentials
        • Credentials Overview
        • API Reference
          • Create Credential Code
          • Create Credential Challenge
          • Create Credential Challenge With Code
          • Create Credential
          • Create Credential With Code
          • Deactivate Credential
          • Activate Credential
          • List Credentials
      • Recovery
        • Send Recovery Code Email
        • Create Recovery Challenge
        • Create Delegated Recovery Challenge
        • Recover User
    • Wallets
      • Create Wallet
      • Update Wallet
      • Delegate Wallet
      • Get Wallet by ID
      • List Wallets
      • Get Wallet Assets
      • Get Wallet NFTs
      • Get Wallet History
      • Tag Wallet
      • Untag Wallet
      • Transfer Asset from Wallet
      • Get Wallet Transfer Request by ID
      • List Wallet Transfer Requests
      • Sign and Broadcast Transaction from Wallet
        • Algorand: Broadcast Transaction
        • Bitcoin/Litecoin: Broadcast Transaction
        • Cardano: Broadcast Transaction
        • EVM: Broadcast Transaction
        • Polkadot: Broadcast Transaction
        • Solana: Broadcast Transaction
        • Stellar: Broadcast Transaction
        • Tezos: Broadcast Transaction
        • TRON: Broadcast Transaction
        • XRP Ledger (aka Ripple): Broadcast Transaction
      • Get Wallet Transaction Request by ID
      • List Wallet Transaction Requests
      • Generate Signature from Wallet
        • Algorand: Generate Signature
        • Aptos: Generate Signature
        • Bitcoin/Litecoin: Generate Signature
        • Cardano: Generate Signature
        • Cosmos Appchain: Generate Signature
        • EVM: Generate Signature
        • Polkadot: Generate Signature
        • Solana: Generate Signature
        • Stellar: Generate Signature
        • Tezos: Generate Signature
        • TRON: Generate Signature
        • TON: Generate Signature
        • XRP Ledger (aka Ripple): Generate Signature
        • Pseudo Networks (All other chains): Generate Signature
      • Get Wallet Signature Request by ID
      • List Wallet Signature Requests
      • Advanced Wallet APIs
        • Import Wallet
        • Export Wallet
    • Networks
      • Estimate fees
      • Read Contract
    • Policy Engine
      • Policies Overview
      • API Reference
        • Create Policy
        • Get Policy
        • List Policies
        • Update Policy
        • Archive Policy
        • Get Approval
        • List Approvals
        • Create Approval Decision
    • Permissions
      • Permissions Overview
      • API Reference
        • Get Permission
        • List Permissions
        • Create Permission
        • Update Permission
        • Archive Permission
        • Assign Permission
        • Revoke Permission
        • List Permission Assignments
    • Webhooks
      • Create Webhook
      • Get Webhook
      • List Webhooks
      • Update Webhook
      • Delete Webhook
      • Ping Webhook
      • Get Webhook Event
      • List Webhook Events
    • Dfns Change Log
    • API Errors
  • Integrations
    • Exchanges
      • Exchange Configuration
        • Kraken Setup
        • Binance Setup
        • Coinbase Prime Setup
      • API Reference
        • Create Exchange
        • List Exchanges
        • Get Exchange
        • Delete Exchange
        • List Exchange Accounts
        • List Exchange Account Assets
        • Create Exchange Deposit
        • Create Exchange Withdrawal
    • AML / KYT
      • Chainalysis
    • Staking
      • API Reference
        • Create Stake
        • List Stakes
    • Fiat On/Off-Ramps
    • Account Abstraction on EVMs
  • Advanced Topics
    • Authentication
      • API Authentication
      • Request Headers
      • Credentials
        • Generate a Key Pair
        • User Credentials
        • Access Token Credentials
        • Storing WebAuthn Credentials in Password Managers
      • Request Signing
      • API objects
    • Delegated Signing
    • API Idempotency
    • FAQ
  • Guides
    • Passkey Settings - Migration guide
Powered by GitBook
On this page

Last updated 10 months ago

All mutating requests need to be signed with a user/token credential.

Private Key Credentials

When signing with a private key you need to:

  1. Get a signing challenge from the Dfns API

  2. Sign the challenge

  3. Exchange the signed challenge for a user action signature with the Dfns API

  4. Complete the original request

The Signing Challenge

A signing challenge is returned from a call to:

  • /auth/action/init

You will recieve an object with the following properties (additional properties exist for signing with WebAuthn):

field
description

How to Sign the Challenge with the Private Key

The user signs the challenge to verify they want to perform the requested action.

After creating this object, the user will convert the object to a JSON string and sign the string.

When returning the signature to the server, the user will base64url encode the signature and the client data along with the ID of the credential that was used.

Signing Example

const signChallenge = (challenge: UserActionSignatureChallenge) => {
  /*
  challenge.allowCredentials.key is an array of registered credentials. If you have
  more than one key you may need to use challenge.allowCredentials.key[N].id to locate
  the key you are using. For example, you could have made your ID the base64url encoded name of the key on disk or in AWS KMS.

  In this example, we are just assuming there is only one key registered.
  
  Warning: You should always sanitize values coming from a remote location before using
  them in a secondary API. Passing a malicious ID to a filesystem command, for example,
  could allow a remote attacker to execute malicious commands on your system.
  */ 

  const clientData: Buffer = Buffer.from(
    JSON.stringify({
      type: 'key.get',
      challenge: challenge.challenge,
      origin: origin,
      crossOrigin: false,
    } as ClientData)
  )

  const signature = crypto.sign(
    undefined,
    clientData,
    apiKeyPrivateKey
  )

  return {
    clientData: clientData.toString('base64url'),
    credId: challenge.allowCredentials.key[0].id,
    signature: signature.toString('base64url'),
  }
}

The user needs to format the challenge into a.

  1. Advanced Topics
  2. Authentication

Request Signing

challenge

A string that will be signed with your private key

challengeIdentifier

A JWT that identifies the signing session

allowCredentials.key

The list of private key credentials that are enabled for the user

  • Private Key Credentials
  • The Signing Challenge
  • How to Sign the Challenge with the Private Key
Client Data object