
Overview

Some cryptographic and legal endpoints require two signatures:
  • Key signature: proves knowledge of the key password.
  • Request signature: proves knowledge of the account password.
This protects both the stored key material and the API request.

Key IDs

Key IDs are unique per account. Different accounts can reuse the same key ID without conflict.

Key signature

The key signature is typically an HMAC over the key ID using the key password as the key. It is never sent in plaintext.

Request signature

The request signature is an HMAC over the request payload using the account password as the key, often combined with a nonce.
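The following sketch computes both signatures and checks them server-side. It is an added example, not code from this API: HMAC-SHA256, hex encoding, the length-prefixed nonce layout, and the names `key_signature`, `request_signature` and `Verifier` are all assumptions, and the passwords and key IDs are constructed sample values.

```python
import hashlib
import hmac

def key_signature(key_password: bytes, key_id: str) -> str:
    """HMAC over the key ID, keyed with the key password (SHA-256 assumed)."""
    return hmac.new(key_password, key_id.encode(), hashlib.sha256).hexdigest()

def request_signature(account_password: bytes, nonce: str, payload: bytes) -> str:
    """HMAC over nonce + payload, keyed with the account password."""
    # Assumed layout: a 2-byte length prefix on the nonce keeps the
    # nonce/payload boundary unambiguous inside the MAC input.
    msg = len(nonce).to_bytes(2, "big") + nonce.encode() + payload
    return hmac.new(account_password, msg, hashlib.sha256).hexdigest()

class Verifier:
    """Checks both signatures for one account and rejects reused nonces."""

    def __init__(self, account_password: bytes, key_passwords: dict):
        self.account_password = account_password
        self.key_passwords = key_passwords  # key ID -> key password (this account only)
        self.seen_nonces = set()

    def verify(self, key_id, key_sig, nonce, payload, req_sig) -> bool:
        key_password = self.key_passwords.get(key_id)
        if key_password is None or nonce in self.seen_nonces:
            return False  # unknown key ID for this account, or replayed nonce
        # compare_digest runs in constant time, so a mismatch position
        # does not leak through response timing.
        ok_key = hmac.compare_digest(key_signature(key_password, key_id), key_sig)
        ok_req = hmac.compare_digest(
            request_signature(self.account_password, nonce, payload), req_sig)
        if ok_key and ok_req:
            self.seen_nonces.add(nonce)  # burn the nonce only on success
            return True
        return False

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    server = Verifier(b"sample-account-pw", {"key-1": b"sample-key-pw"})
    body = b'{"action":"sign"}'
    ks = key_signature(b"sample-key-pw", "key-1")
    rs = request_signature(b"sample-account-pw", "nonce-001", body)
    print(server.verify("key-1", ks, "nonce-001", body, rs))  # first use
    print(server.verify("key-1", ks, "nonce-001", body, rs))  # replay
```

Because the key signature depends only on the key ID and key password, it is the same on every request; in this sketch the nonce in the request signature is what makes a captured request unusable a second time.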