curl --request POST \
  --url https://api.privy.io/v1/user_authorization_key/authenticate \
  --header 'Authorization: Basic <encoded-value>' \
  --header 'Content-Type: application/json' \
  --header 'privy-app-id: <privy-app-id>' \
  --header 'privy-authorization-signature: <authorization-signature-for-request>' \
  --data '{}'

{
  "authorization_key": "MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgsqM8IKMlpFxVypBUa/Q2QvB1AmS/g5WHPp3SKq9A75uhRANCAATeX6BDghwclKAH8+/7IjvS1tCpvIfZ570IR44acX93pUGz5iEvpkg+HGaalHAXubuoUMq9CUWRm4wo+3090Nus",
  "user_id": "clgmdmpce0004ic08tl6qy4i9",
  "wallet_id": "clwjfdaxn0001ciy7xko7204e"
}

This feature is currently in development and will be available in an upcoming release.

This endpoint can optionally return the authorization key encrypted with Hybrid Public Key Encryption (HPKE) when encryption details are specified in the request body. The following HPKE configuration is supported:

  • KEM (Key Encapsulation Mechanism): DHKEM_P256_HKDF_SHA256
  • KDF (Key Derivation Function): HKDF_SHA256
  • AEAD (Authenticated Encryption with Associated Data): CHACHA20_POLY1305
  • Mode: BASE

If encryption details are included in the request, the response authorization_key will be ciphertext and must be decrypted.

Headers

privy-app-id
string
required

ID of your Privy app.

privy-authorization-signature
string

Request authorization signature. If multiple signatures are required, they should be comma separated.

Body

encryption_type
string
required

Currently only supports HPKE (Hybrid Public Key Encryption) or NONE. The request will still be protected by TLS.

recipient_public_key
string

Base64-encoded public key of the recipient who will decrypt the session key. The key pair must be generated securely and its private key kept confidential. If encryption_type is HPKE, this field is required.

Response

authorization_key
string
required

Authorization key corresponding to the user’s current authentication session. This is a one-time use session key. If encryption details are specified in the request, this will be ciphertext requiring decryption.

user_id
string
required

The user ID associated with the authenticated user. This is a unique identifier that corresponds one-to-one with each unique sub identifier in the user’s authentication token.

wallet_id
string
required

The wallet ID associated with the authenticated user.

encryption_type
string

Will be HPKE to indicate Hybrid Public Key Encryption was used, or NONE if the app opts out of advanced encryption. This will only be populated if encryption details are specified in the request.

encapsulated_key
string

Base64-encoded ephemeral public key used in the HPKE encryption process. Required for decryption. This will only be populated if encryption details are specified in the request.
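
Decrypting an HPKE-encrypted response with the configuration listed above (DHKEM_P256_HKDF_SHA256, HKDF_SHA256, CHACHA20_POLY1305, mode BASE) and the encapsulated_key field, as an added example that is not part of the Privy documentation or SDK. It follows RFC 9180 using only Node.js's built-in crypto module; the raw 32-byte private scalar, the empty info and aad, and the base64(ciphertext || tag) layout of authorization_key are assumptions the page does not state.

```javascript
// Added example (not Privy code): HPKE base-mode open per RFC 9180 for the suite listed on this page.
const crypto = require('node:crypto');

const EMPTY = Buffer.alloc(0);
const V1 = Buffer.from('HPKE-v1');
// suite_id values: kem_id 0x0010 (P-256), kdf_id 0x0001 (HKDF-SHA256), aead_id 0x0003 (ChaCha20-Poly1305)
const KEM_SUITE = Buffer.concat([Buffer.from('KEM'), Buffer.from([0x00, 0x10])]);
const HPKE_SUITE = Buffer.concat([Buffer.from('HPKE'), Buffer.from([0x00, 0x10, 0x00, 0x01, 0x00, 0x03])]);
const hmac = (key, data) => crypto.createHmac('sha256', key).update(data).digest();

// RFC 9180 LabeledExtract; an empty salt is the all-zero 32-byte HMAC key.
const labeledExtract = (suite, salt, label, ikm) =>
  hmac(salt.length ? salt : Buffer.alloc(32), Buffer.concat([V1, suite, Buffer.from(label), ikm]));

// RFC 9180 LabeledExpand, limited to one HKDF block (len <= 32), which covers every output needed here.
const labeledExpand = (suite, prk, label, info, len) =>
  hmac(prk, Buffer.concat([Buffer.from([0, len]), V1, suite, Buffer.from(label), info, Buffer.from([1])]))
    .subarray(0, len);

// DHKEM ExtractAndExpand, then the base-mode KeySchedule: AEAD key and nonce for sequence number 0.
function deriveKeyAndNonce(dh, enc, pkR, info = EMPTY) {
  const eaePrk = labeledExtract(KEM_SUITE, EMPTY, 'eae_prk', dh);
  const shared = labeledExpand(KEM_SUITE, eaePrk, 'shared_secret', Buffer.concat([enc, pkR]), 32);
  const ctx = Buffer.concat([Buffer.from([0x00]),                 // mode BASE
    labeledExtract(HPKE_SUITE, EMPTY, 'psk_id_hash', EMPTY),
    labeledExtract(HPKE_SUITE, EMPTY, 'info_hash', info)]);
  const secret = labeledExtract(HPKE_SUITE, shared, 'secret', EMPTY);
  return { key: labeledExpand(HPKE_SUITE, secret, 'key', ctx, 32),
           nonce: labeledExpand(HPKE_SUITE, secret, 'base_nonce', ctx, 12) };
}

// resp: parsed response body; skR: raw 32-byte P-256 private scalar (assumed key format).
// info and aad default to empty, which is an assumption; the page does not state them.
function decryptAuthorizationKey(resp, skR, info = EMPTY, aad = EMPTY) {
  // HPKE was requested, so refuse anything else rather than treating the field as plaintext.
  if (resp.encryption_type !== 'HPKE') throw new Error('expected an HPKE-encrypted response');
  const enc = Buffer.from(resp.encapsulated_key, 'base64');       // uncompressed P-256 point, 65 bytes
  const ct = Buffer.from(resp.authorization_key, 'base64');       // assumed: ciphertext || 16-byte tag
  if (enc.length !== 65 || ct.length < 16) throw new Error('malformed HPKE fields');
  const ecdh = crypto.createECDH('prime256v1');
  ecdh.setPrivateKey(skR);
  const { key, nonce } = deriveKeyAndNonce(ecdh.computeSecret(enc), enc, ecdh.getPublicKey(), info);
  const open = crypto.createDecipheriv('chacha20-poly1305', key, nonce, { authTagLength: 16 });
  if (aad.length) open.setAAD(aad);
  open.setAuthTag(ct.subarray(ct.length - 16));
  // final() throws if the Poly1305 tag does not verify
  return Buffer.concat([open.update(ct.subarray(0, ct.length - 16)), open.final()]);
}
```

decryptAuthorizationKey returns the plaintext as a Buffer and throws on a tampered ciphertext or on a response that is not marked HPKE.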