Import Key

Last updated 10 days ago

Import Key

POST /keys/import

This endpoint is not enabled by default. Contact Dfns to have it activated.
User action signature required. See for more information.
Request headers required. See for more information.
Authentication required. See for more information.

Dfns secures private keys by generating them as MPC key shares in our decentralized key management network. This happens by default when you create a or .

In some circumstances, however, you may need to import an existing private key into Dfns infrastructure, instead of creating a brand new wallet with Dfns and transfer funds to it. As an example, you might want to keep an existing wallet if its address is tied to a smart contract which you don't want to re-deploy.

In such a case, Dfns exposes this key import API endpoint, which can be used in conjunction with our . Note this is intended to be used only to migrate wallets when first onboarding onto the Dfns platform.

Dfns can not guarantee the security of imported wallets, as we have no way to control who had access to the private key prior to import. For this reason, this feature is restricted to Enterprise customers who have signed a contractual addendum limiting our liability for imported keys. Please contact your sales representative for more information.

Required Permissions

Name

Conditions

Signers:ListSigners

Always Required

Keys:Import

Always Required

Key Import Flow

The private key which you need to import will never be transmitted to Dfns API in one piece or in the clear (un-encrypted). The process is:

On your side (client-side), you call our GET /signers endpoint to get some information about your Signing Cluster. Your Signing Cluster is the network of nodes (also referred as "signers") the key shares will be imported to. This will provide you with useful information for import (signer IDs, import encryption keys, etc.). This step corresponds to in our SDK key import example.
With the help of our , the private key is MPC-sharded on the client side, and each key share is then get encrypted with the corresponding signer encryption key it will get imported to. This step corresponds to in our SDK key import example.
You then call the Key Import endpoint, providing the API with each encrypted key share. This step corresponds to in our SDK key import example.
Each of those encrypted key shares is transmitted to the corresponding secure node in the Signing Cluster. Each node will then be able to securely decrypt its key share, validate that it is correct, secure it and store it the same way as any key in Dfns infrastructure.

Request Body

Property

Description

Type - Optional

name

A name for the key.

String

protocol

CGGMP21, FROST, FROST_BITCOIN

String

curve

secp256k1, edd25519, stark

String

minSigners

Always 3. Mininum number of signers to complete a signature (TSS threshold).

Integer

encryptedKeyShares

An array of objects containing the encrypted keyshares. See format below.

Array<EncryptedKeyShare>

EncryptedKeyShare

Property

Description

Type - Optional

signerId

ID of the signer returned from List Signers.

String

encryptedKeyShare

The key share encrypted with the signer encryption key (public key, asymmetric encryption).

String

Example

{
  "name": "hardhat key",
  "protocol": "CGGMP21",
  "curve": "secp256k1",
  "minSigners": 3,
  "encryptedKeyShares": [
    {
      "signerId": "EX5PdJFcutVTJCgAcSGGGy264JwnrOLLyrZIqMHG67I=",
      "encryptedKeyShare": "ilp3...yP4W"
    },
    {
      "signerId": "KaGnB8iWVpRKBRh+/sAJ0gz1cAZtjhHPufGRgkOXENo=",
      "encryptedKeyShare": "LtqC...r0vR"
    },
    {
      "signerId": "ZokM6nUhGXHYhtQYE/NTeBEz5udvx13Ympcd1raQ4Fc=",
      "encryptedKeyShare": "BFDF...lHMC"
    },
    {
      "signerId": "lGcHWQmdLtJ+4S+RIBFq704/Nox2bugUctVeLL0wPW8=",
      "encryptedKeyShare": "JH7L...sR8U"
    },
    {
      "signerId": "9R4OQb12f8PrEQwFmwZ58ZsNHs6EcGQPWF3fSzhXbVk=",
      "encryptedKeyShare": "R9p9...N+nX"
    }
  ]
}

Response Body

200 Success

{
  "id": "key-6ece3-9l565-xxxxxxxxxxxxxxxx",
  "name": "hardhat key",
  "scheme": "ECDSA",
  "curve": "secp256k1",
  "publicKey": "02660461d66a637ea2d2ee3565669ad794f51ca3e0812ff03a0fe4820a19754839",
  "status": "Active",
  "custodial": true,
  "imported": true,
  "dateCreated": "2025-03-26T20:25:52.909Z"
}

Last updated 10 days ago

POST /keys/import

This endpoint is not enabled by default. Contact Dfns to have it activated.
User action signature required. See for more information.
Request headers required. See for more information.
Authentication required. See for more information.

Dfns secures private keys by generating them as MPC key shares in our decentralized key management network. This happens by default when you create a or .

Required Permissions

Name

Conditions

Signers:ListSigners

Always Required

Keys:Import

Always Required

Key Import Flow

The private key which you need to import will never be transmitted to Dfns API in one piece or in the clear (un-encrypted). The process is:

On your side (client-side), you call our GET /signers endpoint to get some information about your Signing Cluster. Your Signing Cluster is the network of nodes (also referred as "signers") the key shares will be imported to. This will provide you with useful information for import (signer IDs, import encryption keys, etc.). This step corresponds to in our SDK key import example.
With the help of our , the private key is MPC-sharded on the client side, and each key share is then get encrypted with the corresponding signer encryption key it will get imported to. This step corresponds to in our SDK key import example.
You then call the Key Import endpoint, providing the API with each encrypted key share. This step corresponds to in our SDK key import example.
Each of those encrypted key shares is transmitted to the corresponding secure node in the Signing Cluster. Each node will then be able to securely decrypt its key share, validate that it is correct, secure it and store it the same way as any key in Dfns infrastructure.

Request Body

Property

Description

Type - Optional

name

A name for the key.

String

protocol

CGGMP21, FROST, FROST_BITCOIN

String

curve

secp256k1, edd25519, stark

String

minSigners

Always 3. Mininum number of signers to complete a signature (TSS threshold).

Integer

encryptedKeyShares

An array of objects containing the encrypted keyshares. See format below.

Array<EncryptedKeyShare>

EncryptedKeyShare

Property

Description

Type - Optional

signerId

ID of the signer returned from List Signers.

String

encryptedKeyShare

The key share encrypted with the signer encryption key (public key, asymmetric encryption).

String

Example

{
  "name": "hardhat key",
  "protocol": "CGGMP21",
  "curve": "secp256k1",
  "minSigners": 3,
  "encryptedKeyShares": [
    {
      "signerId": "EX5PdJFcutVTJCgAcSGGGy264JwnrOLLyrZIqMHG67I=",
      "encryptedKeyShare": "ilp3...yP4W"
    },
    {
      "signerId": "KaGnB8iWVpRKBRh+/sAJ0gz1cAZtjhHPufGRgkOXENo=",
      "encryptedKeyShare": "LtqC...r0vR"
    },
    {
      "signerId": "ZokM6nUhGXHYhtQYE/NTeBEz5udvx13Ympcd1raQ4Fc=",
      "encryptedKeyShare": "BFDF...lHMC"
    },
    {
      "signerId": "lGcHWQmdLtJ+4S+RIBFq704/Nox2bugUctVeLL0wPW8=",
      "encryptedKeyShare": "JH7L...sR8U"
    },
    {
      "signerId": "9R4OQb12f8PrEQwFmwZ58ZsNHs6EcGQPWF3fSzhXbVk=",
      "encryptedKeyShare": "R9p9...N+nX"
    }
  ]
}

Response Body

See .

200 Success

{
  "id": "key-6ece3-9l565-xxxxxxxxxxxxxxxx",
  "name": "hardhat key",
  "scheme": "ECDSA",
  "curve": "secp256k1",
  "publicKey": "02660461d66a637ea2d2ee3565669ad794f51ca3e0812ff03a0fe4820a19754839",
  "status": "Active",
  "custodial": true,
  "imported": true,
  "dateCreated": "2025-03-26T20:25:52.909Z"
}