Export Key

curl --request POST \
  --url https://api.dfns.io/keys/{keyId}/export \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <api-key>' \
  --data '{
  "encryptionKey": "<string>",
  "supportedSchemes": [
    {
      "protocol": "CGGMP24",
      "curve": "ed25519"
    }
  ]
}'

{
  "publicKey": "<string>",
  "protocol": "CGGMP24",
  "curve": "ed25519",
  "minSigners": 123,
  "encryptedKeyShares": [
    {
      "signerId": "<string>",
      "encryptedKeyShare": "<string>"
    }
  ]
}

Export Key

Dfns secures private keys by generating them as MPC key shares in our decentralized key management network. Our goal is to eliminate all single points of failure (SPOFs) associated with blockchain private keys.

In certain circumstances, however, customers require Dfns to export a private key. In this case, Dfns exposes the following endpoint which can be used in conjunction with our export SDK.

Dfns can not guarantee the security of exported keys as we have no way to control blockchain transactions once the single point of failure has been reconstituted. For this reason, this feature is restricted to customers who have signed a contractual addendum limiting our liability for exported keys. Additionally, by default exported keys can no longer be used to sign within the Dfns platform. Please contact your sales representative for more information.

POST

keys

{keyId}

export

Export Key

curl --request POST \
  --url https://api.dfns.io/keys/{keyId}/export \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <api-key>' \
  --data '{
  "encryptionKey": "<string>",
  "supportedSchemes": [
    {
      "protocol": "CGGMP24",
      "curve": "ed25519"
    }
  ]
}'

{
  "publicKey": "<string>",
  "protocol": "CGGMP24",
  "curve": "ed25519",
  "minSigners": 123,
  "encryptedKeyShares": [
    {
      "signerId": "<string>",
      "encryptedKeyShare": "<string>"
    }
  ]
}

Authentication

✅ Organization User (CustomerEmployee)
✅ Delegated User (EndUser)
✅ Service Account

Required Permissions

Keys:Export: Always required.

Authorizations

Authorization

string

header

required

Bearer Token: Used to authenticate API requests. More details how to generate the token: Authentication flows

X-DFNS-USERACTION

string

header

required

User Action Signature: Used to sign the change-inducing API requests. More details how to generate the token: User Action Signing flows

Path Parameters

keyId

string

required

Minimum string length: 1

Body

application/json

encryptionKey

string

required

Minimum string length: 1

supportedSchemes

object[]

required

Show child attributes

supportedSchemes.protocol

required

Available options:

CGGMP24,

FROST,

FROST_BITCOIN,

GLOW20_DH,

KU23

supportedSchemes.curve

enum<string>

required

Available options:

ed25519,

secp256k1,

stark

Response

200 - application/json

Success

publicKey

string

required

protocol

required

Available options:

CGGMP24,

FROST,

FROST_BITCOIN,

GLOW20_DH,

KU23

curve

enum<string>

required

Available options:

ed25519,

secp256k1,

stark

minSigners

number

required

The TSS threshold of the wallet private signing key shares

encryptedKeyShares

object[]

required

Keyshares of the exported wallet. They are encrypted with the provided encryption key. The exported private key is re-constructed from these keyshares.

Show child attributes

encryptedKeyShares.signerId

string

required

Base64-encoded ID of the signer exported the encrypted keyshare

Base64-encoded keyshare

Derive Key

Import Key

⌘I

API Authorization

Identity & Access Management

Wallets & Transactions

Management

Webhooks

Export Key

Authentication

Required Permissions

Authorizations

Path Parameters

Body

Response

API Authorization

Identity & Access Management

Wallets & Transactions

Management

Webhooks

​Authentication

​Required Permissions

Authorizations

Path Parameters

Body

Response

Authentication

Required Permissions