POST /v1/issuers/{id}/keys
Register Key
curl --request POST \
  --url https://api.truthlocks.com/v1/issuers/{id}/keys \
  --header 'Content-Type: application/json' \
  --header 'X-API-Key: <api-key>' \
  --data '
{
  "kid": "es256-key-1",
  "algorithm": "ES256",
  "public_key": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE..."
}
'
{
  "kid": "<string>",
  "issuer_id": "3c90c3cc-0d44-4b50-8888-8dd25736052a",
  "public_key": "<string>",
  "not_before": "2023-11-07T05:31:56Z",
  "expires_at": "2023-11-07T05:31:56Z"
}
Registers a new cryptographic signing key for an issuer. Keys start in ACTIVE status and can be used immediately for signing attestations.

Supported Algorithms

| Algorithm | Type | Use Case |
|---|---|---|
| Ed25519 | EdDSA | Default. Fastest signatures, smallest keys. Recommended for most use cases. |
| ES256 | ECDSA P-256 | Widely supported. Compatible with WebCrypto, mobile SDKs. |
| ES384 | ECDSA P-384 | Government/CNSA Suite. Required for some procurement contracts. |
| ES512 | ECDSA P-521 | Maximum ECDSA security. Larger signatures. |
| RS256 | RSA PKCS#1v1.5 | Legacy compatibility. Interop with older PKI systems. |
| RS384 | RSA SHA-384 | Higher security RSA with SHA-384. |
| RS512 | RSA SHA-512 | Higher security RSA with SHA-512. |
| PS256 | RSA-PSS | Modern RSA. NIST recommended replacement for PKCS#1v1.5. |
| PS384 | RSA-PSS SHA-384 | Higher security RSA-PSS. |
| PS512 | RSA-PSS SHA-512 | Maximum RSA security. |

Ed25519 is the default and recommended for new projects. Use ES384 for government/regulated industries. Use PS256 over RS256 for new RSA deployments. RS256 is available for backward compatibility only.

Parameters

issuer_id (string, required): The UUID of the issuer to register the key for
kid (string, required): Unique key identifier (e.g., “ed-key-1”)
algorithm (string, required): Signing algorithm. One of: Ed25519, ES256, ES384, ES512, RS256, RS384, RS512, PS256, PS384, PS512.
public_key (string, required): Base64-encoded public key
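
Added example, not part of the Truthlocks documentation: a pre-flight check that the declared algorithm matches the key type carried in public_key, so a mismatched pair (for instance a P-256 key declared as ES384) is caught before the request is sent. It assumes public_key is base64 of a DER SubjectPublicKeyInfo, which is what the MFkw... prefix in the sample request decodes to; the function names and the sample keys are constructed for illustration.

```python
import base64

# OID content bytes as they appear inside a DER SubjectPublicKeyInfo.
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")
KEY_TYPES = {
    bytes.fromhex("2b6570"): {"Ed25519"},
    bytes.fromhex("2a864886f70d010101"):  # rsaEncryption
        {"RS256", "RS384", "RS512", "PS256", "PS384", "PS512"},
}
CURVES = {
    bytes.fromhex("2a8648ce3d030107"): {"ES256"},  # P-256
    bytes.fromhex("2b81040022"): {"ES384"},        # P-384
    bytes.fromhex("2b81040023"): {"ES512"},        # P-521
}

def read_tlv(buf, pos, want_tag):
    """Read one DER element at pos; return (value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length, used by RSA-sized keys
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if tag != want_tag or pos + length > len(buf):
        raise ValueError("malformed SubjectPublicKeyInfo")
    return buf[pos:pos + length], pos + length

def allowed_algorithms(public_key_b64):
    """Return the `algorithm` values this key can be registered under."""
    der = base64.b64decode(public_key_b64, validate=True)
    spki, end = read_tlv(der, 0, 0x30)
    if end != len(der):
        raise ValueError("trailing bytes after key")
    alg_id, pos = read_tlv(spki, 0, 0x30)
    read_tlv(spki, pos, 0x03)  # the key itself must be a BIT STRING
    oid, pos = read_tlv(alg_id, 0, 0x06)
    if oid == ID_EC_PUBLIC_KEY:
        curve, _ = read_tlv(alg_id, pos, 0x06)
        return CURVES.get(curve, set())
    return KEY_TYPES.get(oid, set())

def key_matches(algorithm, public_key_b64):
    """True only if the key parses and its type fits the declared algorithm."""
    try:
        return algorithm in allowed_algorithms(public_key_b64)
    except (ValueError, IndexError):
        return False

# Constructed samples: valid SPKI headers over zero-filled placeholder key bytes.
SAMPLE_P256 = base64.b64encode(bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d03010703420004") + bytes(64)).decode()
SAMPLE_ED25519 = base64.b64encode(
    bytes.fromhex("302a300506032b6570032100") + bytes(32)).decode()
```

The check only inspects the key's type and curve; it does not verify that the point or modulus is a valid key.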

Responses

Authorizations

X-API-Key (string, header, required): API key for machine-to-machine authentication

Path Parameters

id (string<uuid>, required)

Body

application/json
kid (string, required)
algorithm (enum<string>, required): Signing algorithm for key generation. Available options: Ed25519, ES256, ES384, ES512, RS256, RS384, RS512, PS256, PS384, PS512
public_key (string, required): Base64-encoded public key
expires_at (string<date-time>)

Response

Key registered

kid (string): Key identifier
issuer_id (string<uuid>)
algorithm (enum<string>): Signing algorithm for key generation. Available options: Ed25519, ES256, ES384, ES512, RS256, RS384, RS512, PS256, PS384, PS512
public_key (string): Base64-encoded public key
status (enum<string>): Available options: ACTIVE, DISABLED, EXPIRED
not_before (string<date-time>)
expires_at (string<date-time>)