Steps
At a high-level, directly implementing request signing requires the following steps:Build signature payload
Generate a JSON payload containing the following fields. All fields are required unless otherwise specified.
| Field | Type | Description | |||
|---|---|---|---|---|---|
version | 1 | Authorization signature version. Currently, 1 is the only version. | |||
method | 'POST' | 'PUT' | 'PATCH' | 'DELETE' | HTTP method for the request. Signatures are not required on 'GET' requests. | |||
url | string | The full URL for the request. Should not include a trailing slash. | |||
body | JSON | JSON body for the request. | |||
headers | JSON | JSON object containing any Privy-specific headers, e.g. those that are prefixed with 'privy-'. This should not include any other headers, such as authentication headers, content-type, or trace headers. | |||
headers['privy-app-id'] | string | Privy app ID header (required). | |||
headers['privy-idempotency-key'] | string | Privy idempotency key header (optional). If the request does not contain an idempotency key, leave this field out of the payload. |
Canonicalize signature payload
Next, canonicalize the payload per RFC 8785 and serialize it to a string. This GitHub repository links to various libraries for JSON canonicalization in different languages.
Sign signature payload
Sign the serialized JSON with ECDSA P-256 using the private key of your user key or authorization key and serialize it to a base64-encoded string.