Delegated Signing

Last updated 3 months ago

What is Delegated Signing?

Delegated Signing is an innovative approach to non-custodial wallet deployments leveraging Dfns' industry-leading authentication to create seamless user experiences enabled by familiar technologies like biometrics. The goal of Delegated Signing is to optimize both user experience and security to onboard the next billion users to web3.

As we have engaged with market segments such as DeFi, tokenization, and payments, we have seen significant demand for a solution which can delegate custodial responsibility to the end-user while preserving a seamless, Web2-like onboarding experience to ensure high conversion rates. In response, we have designed a configuration we call Delegated Signing, which gives end-users all the benefits of a self-custodial wallet like Metamask without forcing them to securely persist a 24-word seed phrase (or any other mnemonic secret).

This page describes the architecture behind our Delegated Signing solution, how custody is delegated via an API signing secret, and how wallets can be recovered in the case of lost devices.

Delegated Signing Architecture

The following diagram illustrates the Delegated Signing architecture:

The key shares (labeled 1 through 5 above on the right side) are encrypted and stored in our decentralized signer network. Our signers implement leading peer-reviewed cryptographic protocols for distributed key generation and threshold signatures. They are spread across Tier 3+ data centers and different geographical regions to ensure high levels of service availability, fault-tolerance, and business continuity.

Our decentralized custody network will be extended to include permissioned partners who are compensated for generating keys and signing transactions. No single entity will hold a threshold of key shares for any given wallet (i.e., the total number of key shares required to move assets on-chain). Hence, Dfns can guarantee high levels of governance neutrality, demonstrate that the private key does not exist in its full format, and ensure that no single party can move assets unilaterally.

This architecture ensures that transactions can only be executed via the API. Therefore, API security becomes paramount. The Dfns security team has built a multi-level authentication, authorization, and governance architecture to ensure full accountability of API usage. At the heart of this architecture are the signing secrets (illustrated with the key icons on the left side of the diagram above).

Delegated Signing User Experience

  1. The user registers with your product using the credentials of their choice, including social login.

  2. They create a wallet, establishing signing credentials via biometrics. This is executed via a simple Dfns API call.

  3. They purchase or transfer assets into the wallet. When they want to execute an outbound transaction, they verify via biometrics again, silently signing the transaction on their device.

The Delegated Signing architecture relieves the Dfns client from the regulatory burden of financial custodianship by ensuring that they do not have the ability to manipulate the assets of their users on chain. This is cryptographically proven, given that they never have access to the signing secret kept by their user, which is required to execute transactions against the API.

Delegated Signing Wallet Recovery

By leveraging an API signing secret as a proxy for the blockchain private key, the risks described above are substantially mitigated. Unlike a blockchain private key, the signing secret is not immutable. If it is stolen, it can be revoked. If it is lost, it can be re-established. See below a table comparing the properties between a blockchain-bound Private Key and an API Key.

Of course, there are trade-offs. This architecture creates new potential attack vectors for bad actors. For instance, a hacker may impersonate a legitimate user in order to gain access to their wallet via the recovery process. In order to mitigate this risk, Dfns provides guidance on recovery mechanisms which our clients can implement.

Additionally, similar to password manager solutions like 1Password, end-users can receive a recovery code which they are instructed to keep securely offline. Should the user lose their device, this code can be provided via the Dfns client’s application in order to re-establish access to their wallet.

Alternatively, some Dfns clients require their end-users to go through a KYC process. This process can be re-initiated for users who have lost access to their devices in order to validate their identities and re-establish credentials. In this case the KYC vendor serves as a gate to a recovery secret: once the checks are passed, the user can access the secret and use it to sign a recovery challenge.

Questions on Delegated Signing

Delegated Signing is an innovative approach to optimizing the security and user experience of noncustodial wallets. Dfns is committed to partnering with our customers to onboard the next billion users through familiar technologies like biometrics.

Have a follow-up question on Delegated Signing? Feel free to reach out to us in DfnsCare or at docs@dfns.co.

Instead, our design scheme suggests that control of the API is the new proof of custodianship. This control is dictated by the combination of an access token and a signing secret, as described above in Authentication. Using Dfns, platforms can decide whether they want to keep the API control on-premise (custodial mode) or delegate it to their end-users’ devices, exempting themselves from any custodial responsibility (end-user-custodial mode, or self-custodial mode).

Dfns’ Authentication requires that all requests to the API capable of changing state in the system or on chain (POST, PUT, and DELETE requests specifically) be signed by a secret known only to the custodian of the assets. The authentication service validates the signature and writes an immutable log of the transaction, cryptographically proving the source of the API call.
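The request-signing rule in the paragraph above, together with the revocable, re-establishable signing secret described under Wallet Recovery, sketched as an added example (this is not Dfns code and not the Dfns API). An Ed25519 key pair stands in for the WebAuthn credential key; `SigningGate`, `bind`, the message layout and the hash-chained log are assumptions made for illustration.

```javascript
// Added example, not Dfns code: class, field names and message layout are hypothetical.
const crypto = require('node:crypto');
const STATE_CHANGING = new Set(['POST', 'PUT', 'DELETE']);
const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
const bind = (nonce, userId, method, path, body) =>
  [nonce, userId, method, path, sha256(body)].join('\n');

class SigningGate {
  credentials = new Map(); // credId -> { userId, publicKey, active }
  challenges = new Set();  // outstanding single-use messages to sign
  auditLog = [];           // append-only, each entry chained to the previous hash
  register(credId, userId, publicKey) { this.credentials.set(credId, { userId, publicKey, active: true }); }
  revoke(credId) { const c = this.credentials.get(credId); if (c) c.active = false; }
  // Server issues a challenge bound to the exact request the user will approve.
  challenge(userId, method, path, body) {
    const nonce = crypto.randomBytes(16).toString('hex');
    const message = bind(nonce, userId, method, path, body);
    this.challenges.add(message);
    return { nonce, message };
  }
  // Server checks the signature before a state-changing call is executed.
  authorize({ userId, credId, method, path, body, nonce, signature = '' }) {
    if (!STATE_CHANGING.has(method)) return 'read-only';
    const message = bind(nonce, userId, method, path, body);
    const cred = this.credentials.get(credId);
    let result = 'ok';
    if (!this.challenges.delete(message)) result = 'bad-challenge'; // unknown, altered or replayed
    else if (!cred || cred.userId !== userId) result = 'unknown-credential';
    else if (!cred.active) result = 'revoked-credential';
    else if (!crypto.verify(null, Buffer.from(message), cred.publicKey, Buffer.from(signature, 'base64')))
      result = 'bad-signature';
    const prev = this.auditLog.length ? this.auditLog.at(-1).hash : '';
    const entry = { message, credId, signature, result, prev };
    this.auditLog.push({ ...entry, hash: sha256(JSON.stringify(entry)) });
    return result;
  }
  // Recompute the hash chain; an edited or removed entry breaks it.
  logIntact() {
    let prev = '';
    return this.auditLog.every(({ hash, ...entry }) => {
      const ok = entry.prev === prev && hash === sha256(JSON.stringify(entry));
      prev = hash;
      return ok;
    });
  }
}
// Device side: the private key stays with the user and is never sent to the platform.
const signOnDevice = (privateKey, message) =>
  crypto.sign(null, Buffer.from(message), privateKey).toString('base64');
```

Because the server only ever holds public keys, the platform operating the gate cannot produce a signature that `authorize` accepts, and a revoked credential stops working without any change to the wallet itself.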

In a Delegated Signing configuration, our client delegates custodianship to their end-user by building an onboarding flow in which the user generates and persists a signing secret on their device. In order to enable frictionless user experiences, we have integrated the WebAuthn 3.0 passwordless open protocol. WebAuthn is natively integrated into all major browsers and mobile operating systems, exposing seamless access to biometrics, PIN codes, and YubiKeys. This enables an onboarding flow such as the following:

Most self-custodial wallets like Metamask or Ledger require users to indefinitely safekeep a 24-word seed phrase to guarantee access to their assets. Even early adopters of cryptocurrencies who are familiar with the technical constraints of self-custodial wallets have proven time and again incapable of managing keys safely, as seen most recently in the unfortunate case of a bitcoin core developer losing his funds.

For example, Dfns clients can implement "biometric recovery" by encouraging users to create secondary credentials on alternate devices. In this way, if a user loses access to their primary device (for example, their phone), they can still access their wallet via a secondary device like their laptop.
