You can specify the key quorum ID as the owner_id when creating a wallet or policy, which will require the quorum to sign for updates to the resource or actions taken with the resource.

Taking actions with wallets

Signatures from the wallet’s owner are also required to take actions on a wallet. You can grant permissions to additional keys or quorums by specifying them as additional_signers on the wallet.

Collecting required signatures

To make requests with a wallet with quorum approvals, you’ll need to:

  1. Prepare the request payload that you want to make.
  2. Generate authorization signatures with the required number of authorization keys to satisfy the authorization threshold.
  3. Send the signatures along with the request payload to the Privy API via the privy-authorization-signature header, with the signatures separated by commas.

See Generating signatures for examples.

Each authorization signature must be created with the exact same request payload to be valid.

For distributed approvals, consider implementing a central coordinator service that collects signatures from each authorizer before submitting the request to Privy.

Submitting multi-signature requests

Once you’ve collected the required signatures, combine them in a comma-separated list and include them in the privy-authorization-signature header:

curl --request POST https://api.privy.io/v1/wallets/y5ofctvacjiv53u4hmnqi0e5/rpc \
-u "<your-privy-app-id>:<your-privy-app-secret>" \
-H "privy-app-id: <your-privy-app-id>" \
-H "privy-authorization-signature: <sig1>,<sig2>" \
-H 'Content-Type: application/json' \
-d '{
  "caip2": "eip155:1",
  "method": "eth_sendTransaction",
  "params": {
    "transaction": {
      "to": "0xE3070d3e4309afA3bC9a6b057685743CF42da77C",
      "value": "0x2386f26fc10000",
      "data": "0x"
    }
  }
}'

Privy validates that:

  1. The required number of signatures are provided.
  2. All signatures are valid for the request payload.
  3. All signatures come from authorization keys for the wallet.

If any validation fails, the request is rejected.

Securing your authorization flow

For production systems using quorum approvals, consider these best practices:

  1. Store authorization keys in secure environments.
  2. Maintain comprehensive logs of authorization requests and signatures.
  3. For wallets with quorum approvals, always make sure authorization keys are managed by different entities.

Combine key quorums with policies for even stronger security guarantees.