Authorization signatures
Securing Privy API requests with authorization signatures
Overview
Owners provide an additional layer of security for actions taken by your app’s wallets. This primitive helps ensure that only actions explicitly authorized by your server are executed on user wallets.
When you specify an owner of a resource, all requests to update that resource must be signed with the associated key (user, authorization key, or key quorum). Requests to take actions with a wallet must also be signed by the wallet’s owner. This security measure verifies that each request comes from your authorized backend systems and helps prevent unauthorized operations.
Authorization signatures are an important security measure and we strongly recommend registering authorization keys for all production resources.
Learn more about owners and authorization signatures.
When are they necessary?
Authorization signatures are necessary in the following cases.
Updating wallets and policies
All critical resources, such as wallets and policies, have an owner_id
field, which indicates the authorization key or quorum whose signatures are required in order to modify the given resource.
This means, if the owner_id
is set, authorization signatures are required for all PATCH
and DELETE
requests to the resource. This includes:
PATCH /v1/wallets/[wallet_id]
DELETE /v1/wallets/[wallet_id]
PATCH /v1/policies/[policy_id]
DELETE /v1/policies/[policy_id]
Signatures from the wallet’s owner are required to take actions on a wallet by default. If an owner_id
is set, authorization signatures are required for:
POST /v1/wallets/<wallet_id>/rpc
Executing actions with wallets
Executing actions with wallets requires authorization signature(s) from the wallet’s owner, if the wallet has an owner. This includes:
POST /v1/wallets/[wallet_id]/rpc
Updating key quorums
Though key quorums do not have owners, updating or deleting a key quorum requires a satisfying set of signatures from the existing key quorum that meet the authorization threshold. This includes:
PATCH /v1/key_quorums/[key_quorum_id]
DELETE /v1/key_quorum/[key_quorum_id]
Signatures from the wallet’s owner are required to take actions on a wallet by default. If an owner_id
is set, authorization signatures are required for:
Usage
At a high-level, the flow of using authorization signatures is as follows:
Get your private keys
Get the private keys that you will use to sign your request. This might be retrieved from the private keys you saved locally (app owners and key quorum owners) or requested from the Privy API using a user JWT (user owners).
Construct your request
Construct the request that you intend to make to Privy. This might be updating or deleting wallets, updating or deleting policies, updating or deleting key quorums, or taking actions with wallets.
Sign the request
Include the signature as a request header
Finally, when making your request to Privy, include the authorization signature(s) as a string
in the privy-authorization-signature
header.
Getting authorization keys
To start, get the private keys for the authorization key(s) that owner your resource.
If the owner of your resource is an authorization key, get the private key(s) that you saved locally when creating your owner in the Privy API or Dashboard. Privy does not save these private key(s) and cannot help you recover them.
If the owner of your resource is a user, request a time-bound user key to take actions with or update the resource. Follow the guide below to learn how to request user keys given a user’s access token.
Signing requests
Next, sign the request with your authorization key(s). Make sure to correctly format your request before signing the request.
If the owner of your resource is a key quorum, make sure to sign the request with enough authorization keys to meet the authorization threshold.
Follow this guide for instructions on how to correctly sign your request:
Setting required headers
Once you have collected your authorization signature(s), set the following header on your request to the Privy API.
The authorization signature. If multiple signatures are required, include them as a comma-delimited string.
If you are using Privy’s SDKs, the appropriate authorization signature header is added automatically to your requests.