Custody Service API

MPC-based key management and signing service with 2-of-3 threshold signatures, TEE attestation, and multi-approval governance for secure transaction signing.

Endpoints

Method	Endpoint	Description
`POST`	`/keys`	Generate new cryptographic key
`GET`	`/keys`	List all keys for tenant
`GET`	`/keys/:key_id`	Get key by ID
`DELETE`	`/keys/:key_id`	Revoke key
`POST`	`/sign`	Sign message (SHA256)
`POST`	`/sign-typed-data`	Sign EIP-712 typed data
`POST`	`/sign-transaction`	Sign blockchain transaction
`POST`	`/approvals`	Create approval request
`GET`	`/approvals`	List pending approvals
`GET`	`/approvals/:request_id`	Get approval status
`POST`	`/approvals/:request_id/approve`	Add approval to request
`POST`	`/approvals/:request_id/reject`	Reject request
`GET`	`/attestation`	Get TEE attestation status

Generate Key

POST /keys
X-Tenant-Id: your-tenant-id
Content-Type: application/json

{
  "name": "Treasury Signing Key",
  "algorithm": "ecdsa-secp256k1",
  "keyType": "mpc"
}

Request Parameters

Field	Type	Required	Description
`name`	string	Yes	Key display name
`algorithm`	string	No	`ecdsa-secp256k1` or `ed25519`
`keyType`	string	No	`mpc` or `hsm`

Response

{
  "data": {
    "id": "key_abc123",
    "name": "Treasury Signing Key",
    "publicKey": "0x04a1b2c3d4e5f6...",
    "algorithm": "ecdsa-secp256k1",
    "keyType": "mpc",
    "createdAt": "2024-01-15T10:30:00Z"
  }
}

Sign Message

POST /sign
X-Tenant-Id: your-tenant-id
Content-Type: application/json

{
  "keyId": "key_abc123",
  "message": "0x48656c6c6f20576f726c64",
  "encoding": "hex"
}

Response

{
  "data": {
    "signature": "0x...",
    "publicKey": "0x04a1b2c3d4e5f6...",
    "algorithm": "ecdsa-secp256k1",
    "messageHash": "0x..."
  }
}

Sign EIP-712 Typed Data

POST /sign-typed-data
X-Tenant-Id: your-tenant-id
Content-Type: application/json

{
  "keyId": "key_abc123",
  "domain": {
    "name": "Tenzro",
    "version": "1",
    "chainId": 8453
  },
  "types": {
    "Transfer": [
      { "name": "to", "type": "address" },
      { "name": "amount", "type": "uint256" }
    ]
  },
  "primaryType": "Transfer",
  "message": {
    "to": "0x742d35Cc6634C0532925a3b844Bc9e7595f3...",
    "amount": "1000000000"
  }
}

Sign Transaction

POST /sign-transaction
X-Tenant-Id: your-tenant-id
Content-Type: application/json

{
  "keyId": "key_abc123",
  "transaction": {
    "to": "0x742d35Cc6634C0532925a3b844Bc9e7595f3...",
    "value": "0",
    "data": "0xa9059cbb...",
    "chainId": 8453,
    "nonce": 42,
    "gasLimit": "100000",
    "maxFeePerGas": "50000000000",
    "maxPriorityFeePerGas": "2000000000"
  }
}

Response

{
  "data": {
    "signedTransaction": "0x02f8...",
    "transactionHash": "0x...",
    "v": 0,
    "r": "0x...",
    "s": "0x..."
  }
}

Create Approval Request

For high-value operations, create an approval request requiring multiple signers:

POST /approvals
X-Tenant-Id: your-tenant-id
Content-Type: application/json

{
  "keyId": "key_abc123",
  "operationType": "sign_transaction",
  "payload": {
    "transaction": { ... }
  },
  "requiredApprovals": 2,
  "expiresAt": "2024-01-15T12:00:00Z"
}

Response

{
  "data": {
    "id": "approval_xyz789",
    "status": "pending",
    "keyId": "key_abc123",
    "operationType": "sign_transaction",
    "requiredApprovals": 2,
    "currentApprovals": 0,
    "approvers": [],
    "expiresAt": "2024-01-15T12:00:00Z",
    "createdAt": "2024-01-15T10:30:00Z"
  }
}

Add Approval

POST /approvals/approval_xyz789/approve
X-Tenant-Id: your-tenant-id
X-User-Id: user_123
Content-Type: application/json

{
  "signature": "0x..."
}

Get TEE Attestation

GET /attestation
X-Tenant-Id: your-tenant-id

Response

{
  "data": {
    "enclave": "intel-tdx",
    "status": "verified",
    "measurements": {
      "mrtd": "a1b2c3d4...",
      "rtmr0": "e5f6g7h8...",
      "rtmr1": "i9j0k1l2..."
    },
    "attestedAt": "2024-01-15T10:00:00Z",
    "validUntil": "2024-01-15T22:00:00Z"
  }
}

MPC Key Architecture

Keys use a 2-of-3 threshold MPC scheme with shares distributed across:

Share	Location	Purpose
TEE Share	Custody Service	Hardware-isolated server share
Client Share	Passkey/Device PRF	User-controlled biometric share
HSM Share	Cloud HSM	Recovery backup share

Approval Status

Status	Description
`pending`	Awaiting required approvals
`approved`	Threshold met, operation executing
`executed`	Operation completed successfully
`rejected`	Request was rejected
`expired`	Request expired before approval

Supported Algorithms

Algorithm	Curve	Use Case
`ecdsa-secp256k1`	secp256k1	Ethereum, Bitcoin, EVM chains
`ed25519`	Curve25519	Solana, Canton

Error Codes

Code	Description
`KEY_NOT_FOUND`	Key does not exist
`APPROVAL_REQUIRED`	Operation requires multi-approval
`APPROVAL_EXPIRED`	Approval request has expired
`ALREADY_APPROVED`	User has already approved
`TEE_UNAVAILABLE`	TEE enclave not available