Derive Key

curl --request POST \
  --url https://api.dfns.io/keys/{keyId}/derive \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <api-key>' \
  --data '
{
  "domain": "<string>",
  "seed": "<string>"
}
'

{
  "output": "<string>"
}

Derive Key

Dfns decentralized key management network supports threshold Diffie-Hellman protocol based on GLOW20 paper. You can use the DH protocol to derive output from a domain separation tag and a seed value. The derivation process is deterministic, i.e. the same Diffie-Hellman key and seed will lead to the same derived output. To ensure reproducibility, we use hash to curve RFC9380 and standard ciphersuite secp256k1_XMD:SHA-256_SSWU_RO_.

The seed doesn’t need to be secret. Without access to the DH key, it is not possible to do the derivation, even if the seed is known. Moreover, if both seed and derived output are known, it’s also not possible to do the derivation for another seed without having access to the DH key.

This endpoint only supports Diffie-Hellman keys. Regular threshold signature keys, like ECDSA or EdDSA, will not work. You can create a Diffie-Hellman key with the Create Key endpoint using scheme=DH and curve=secp256k1.

POST

keys

{keyId}

derive

Derive Key

curl --request POST \
  --url https://api.dfns.io/keys/{keyId}/derive \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <api-key>' \
  --data '
{
  "domain": "<string>",
  "seed": "<string>"
}
'

{
  "output": "<string>"
}

Authentication

✅ Organization User (CustomerEmployee)
✅ Delegated User (EndUser)
✅ Service Account

Required Permissions

Keys:Derive: Always required.

Authorizations

Authorization

string

header

required

Bearer Token: Used to authenticate API requests. More details how to generate the token: Authentication flows

X-DFNS-USERACTION

string

header

required

User Action Signature: Used to sign the change-inducing API requests. More details how to generate the token: User Action Signing flows

Path Parameters

keyId

string

required

Minimum string length: 1

Body

application/json

domain

string

required

Pattern: ^(0x)?([0-9a-fA-F][0-9a-fA-F])*$

seed

string

required

Pattern: ^(0x)?([0-9a-fA-F][0-9a-fA-F])*$

Response

200 - application/json

Success

output

string

required

Last modified on March 19, 2026

Delete Key

Export Key

⌘I

API Authorization

Identity & Access Management

Wallets & Transactions

Management

Webhooks

Derive Key

Authentication

Required Permissions

Authorizations

Path Parameters

Body

Response

API Authorization

Identity & Access Management

Wallets & Transactions

Management

Webhooks

​Authentication

​Required Permissions

Authorizations

Path Parameters

Body

Response

Authentication

Required Permissions