Derive Key
Derives a deterministic output from a Diffie-Hellman (DH) key using a domain separation tag and a seed value. The derivation process is deterministic. The same DH key and seed always produce the same derived output.
This endpoint supports threshold Diffie-Hellman keys created using the GLOW20 protocol. It uses hash-to-curve as defined in RFC 9380 and the ciphersuite secp256k1_XMD:SHA-256_SSWU_RO_.

The seed does not need to be secret. Without access to the DH key, it is not possible to perform the derivation even if the seed is known. Likewise, if an attacker knows both the seed and the derived output, it is still not possible to derive the output for a different seed unless they have access to the DH key.

This endpoint accepts only Diffie-Hellman keys. Signature schemes such as ECDSA or EdDSA are not supported. To use this endpoint, create a DH key using the Create Key endpoint with scheme=DH and curve=secp256k1.
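The hash_to_field stage of the secp256k1_XMD:SHA-256_SSWU_RO_ suite from RFC 9380, shown as an added Python example (not the service's own code) to illustrate why a fixed domain and seed always lead to the same input for the key-dependent step. It stops before the SSWU curve mapping and the DH key operation. Treating the request's `domain` as the RFC's DST and `seed` as the message, and the sample byte strings, are assumptions.

```python
import hashlib

# secp256k1 field prime. L = 48 bytes per element and two elements for
# the random-oracle (_RO_) variant, per RFC 9380 section 8.7.
P = 2**256 - 2**32 - 977
L, COUNT = 48, 2


def expand_message_xmd(msg: bytes, dst: bytes, len_in_bytes: int) -> bytes:
    """RFC 9380 section 5.3.1 with SHA-256 (32-byte digest, 64-byte block)."""
    ell = -(-len_in_bytes // 32)  # ceil(len_in_bytes / 32)
    if ell > 255 or len_in_bytes > 65535 or len(dst) > 255:
        raise ValueError("expand_message_xmd length limits exceeded")
    dst_prime = dst + bytes([len(dst)])
    msg_prime = (bytes(64) + msg + len_in_bytes.to_bytes(2, "big")
                 + b"\x00" + dst_prime)
    b0 = hashlib.sha256(msg_prime).digest()
    blocks = [hashlib.sha256(b0 + b"\x01" + dst_prime).digest()]
    for i in range(2, ell + 1):
        # Each later block chains b0 XOR the previous block.
        mixed = bytes(x ^ y for x, y in zip(b0, blocks[-1]))
        blocks.append(hashlib.sha256(mixed + bytes([i]) + dst_prime).digest())
    return b"".join(blocks)[:len_in_bytes]


def hash_to_field(seed: bytes, domain: bytes):
    """RFC 9380 section 5.2: two field elements derived from (domain, seed).

    Assumption: the API's `domain` plays the role of the DST and `seed`
    is the message; the page does not state the exact encoding.
    """
    uniform = expand_message_xmd(seed, domain, COUNT * L)
    return [int.from_bytes(uniform[i * L:(i + 1) * L], "big") % P
            for i in range(COUNT)]


if __name__ == "__main__":
    # Constructed sample values, not taken from the API documentation.
    for domain, seed in [(b"example-app-v1", b"user-42"),
                         (b"example-app-v1", b"user-43"),
                         (b"example-app-v2", b"user-42")]:
        u0, u1 = hash_to_field(seed, domain)
        print(domain.decode(), seed.decode(), hex(u0)[:18], hex(u1)[:18])
```

Everything in this stage is public and reproducible by anyone who knows the domain and seed, which is why the seed needs no secrecy: the unpredictability of the final output comes only from the DH key applied afterwards.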
- HTTP request
- POST /keys/{keyId}/derive
- Authorization requirements

| Header | Type | Required | Description |
| --- | --- | --- | --- |
| Authorization | string | Yes | Bearer token used to authenticate the request. See Authentication flows for instructions on generating this token. |
| X-DFNS-USERACTION | string | Yes | User action signature used to authorize change-inducing requests. See User Action Signing flows for instructions on generating this signature. |

- Path parameter

| Parameter | Type | Required | Description |
| --- | --- | --- | --- |
| keyId | string | Yes | ID of the key to delete. Minimum length: 1. |

- Request body

```bash
curl --request POST \
  --url https://api.digitalassets.ibm.com/keys/{keyId}/derive \
  --header 'Authorization: Bearer <token>' \
  --header 'Content-Type: application/json' \
  --header 'X-DFNS-USERACTION: <api-key>' \
  --data '
{
  "domain": "<string>",
  "seed": "<string>"
}
'
```

- Response
- 200: Success
Example response:
{ "output": "<string>" }