Derive Key

Derives a deterministic output from a Diffie-Hellman (DH) key using a domain separation tag and a seed value. The same DH key and seed always produce the same derived output.

This endpoint supports threshold Diffie-Hellman keys created using the GLOW20 protocol. It uses hash-to-curve as defined in RFC 9380 and the ciphersuite secp256k1_XMD:SHA-256_SSWU_RO_.

The seed does not need to be secret. Without access to the DH key, it is not possible to perform the derivation even if the seed is known. Likewise, if an attacker knows both the seed and the derived output, it is still not possible to derive the output for a different seed unless they have access to the DH key.

This endpoint accepts only Diffie-Hellman keys. Signature schemes such as ECDSA or EdDSA are not supported. To use this endpoint, create a DH key using the Create Key endpoint with scheme=DH and curve=secp256k1.
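The hashing stage of RFC 9380 hash-to-curve for this ciphersuite, as an added example (not code from the API or its vendor), showing how a domain separation tag and a seed become the two field elements that SSWU then maps to a curve point. Treating `domain` as the DST and `seed` as the message, both UTF-8 encoded, is an assumption, and `field_elements` and the sample values are hypothetical; the curve mapping and the multiplication by the DH key, which only the key holder can perform, are not shown.

```python
import hashlib

# secp256k1 base-field prime; L = ceil((256 + 128) / 8) bytes per field element
P = 2**256 - 2**32 - 977
L = 48

def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int) -> bytes:
    """expand_message_xmd (RFC 9380, section 5.3.1) instantiated with SHA-256."""
    b_in_bytes, s_in_bytes = 32, 64          # SHA-256 output and block size
    ell = -(-len_in_bytes // b_in_bytes)     # ceiling division
    if ell > 255 or len_in_bytes > 65535 or not 0 < len(dst) <= 255:
        raise ValueError("output length or DST length out of range")
    dst_prime = dst + bytes([len(dst)])      # DST is length-suffixed
    b0 = hashlib.sha256(bytes(s_in_bytes) + msg + len_in_bytes.to_bytes(2, "big")
                        + b"\x00" + dst_prime).digest()
    bi = hashlib.sha256(b0 + b"\x01" + dst_prime).digest()
    out = bi
    for i in range(2, ell + 1):
        mixed = bytes(x ^ y for x, y in zip(b0, bi))
        bi = hashlib.sha256(mixed + bytes([i]) + dst_prime).digest()
        out += bi
    return out[:len_in_bytes]

def hash_to_field(msg: bytes, dst: bytes, count: int = 2) -> list:
    """hash_to_field (RFC 9380, section 5.2) for the prime field of secp256k1."""
    uniform = expand_message_xmd(msg, dst, count * L)
    return [int.from_bytes(uniform[i * L:(i + 1) * L], "big") % P
            for i in range(count)]

def field_elements(domain: str, seed: str) -> list:
    # Assumption: domain is used as the DST and seed as the message, UTF-8 encoded.
    return hash_to_field(seed.encode(), domain.encode())

if __name__ == "__main__":
    # Constructed sample values, not taken from the API documentation.
    for domain, seed in [("example-app-v1", "user-42"), ("example-app-v2", "user-42")]:
        u0, u1 = field_elements(domain, seed)
        print(domain, seed, hex(u0)[:18], hex(u1)[:18])
```

Because the DST is hashed into every block, the same seed under two different domains yields unrelated field elements, which is what keeps derivations for separate purposes independent.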

HTTP request
POST /keys/{keyId}/derive
Authorization requirements
| Header | Type | Required | Description |
| --- | --- | --- | --- |
| Authorization | string | Yes | Bearer token used to authenticate the request. See Authentication flows for instructions on generating this token. |
| X-DFNS-USERACTION | string | Yes | User action signature used to authorize change-inducing requests. See User Action Signing flows for instructions on generating this signature. |
Path parameter
| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| keyId | string | Yes | ID of the DH key to use for the derivation. Minimum length: 1. |
Request body
curl --request POST \
  --url https://api.digitalassets.ibm.com/keys/{keyId}/derive \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <user-action-signature>' \
  --data '
{
  "domain": "<string>",
  "seed": "<string>"
}
'
Response
200: Success

Example response:

{
  "output": "<string>"
}