Skip to main content
POST
/
auth
/
delegated-keys
Create a delegated signing key
curl --request POST \
  --url https://api.lightspark.com/grid/2025-10-13/auth/delegated-keys \
  --header 'Authorization: Basic <encoded-value>' \
  --header 'Content-Type: application/json' \
  --data '
{
  "cardId": "Card:019542f5-b3e7-1d02-0000-000000000010",
  "internalAccountId": "InternalAccount:019542f5-b3e7-1d02-0000-000000000002",
  "nickname": "Card payments key"
}
'
{
  "id": "DelegatedKey:019542f5-b3e7-1d02-0000-000000000021",
  "cardId": "Card:019542f5-b3e7-1d02-0000-000000000010",
  "fundingSourceId": "CardFundingSource:019542f5-b3e7-1d02-0000-000000000011",
  "accountId": "InternalAccount:019542f5-b3e7-1d02-0000-000000000002",
  "publicKey": "02a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90",
  "nickname": "Card payments key",
  "status": "ACTIVE",
  "createdAt": "2026-04-08T15:30:01Z",
  "updatedAt": "2026-04-08T15:30:42Z"
}

Authorizations

Authorization
string
header
required

API token authentication using format <api token id>:<api client secret>

Headers

Grid-Wallet-Signature
string

Full API-key stamp built over the prior payloadToSign with the session API keypair of a verified credential on the same internal account. Required on the signed retries; ignored on the initial call.

Request-Id
string

The requestId returned in the prior 202 response, echoed back exactly on the signed retry so the server can correlate it with the issued challenge. Required on the signed retries; must be paired with Grid-Wallet-Signature.

Body

application/json
cardId
string
required

The id of the card whose Embedded Wallet funding account will use this delegated signing key.

Example:

"Card:019542f5-b3e7-1d02-0000-000000000010"

internalAccountId
string
required

The id of the Embedded Wallet internal account funding the card. Grid uses the (cardId, internalAccountId) pair to find the active card funding-source binding.

Example:

"InternalAccount:019542f5-b3e7-1d02-0000-000000000002"

nickname
string
required

Human-readable label for the delegated key.

Required string length: 1 - 256
Example:

"Card payments key"

Response

Delegated key created and policy granted. The key is ACTIVE and Grid may use it to stamp card-payment quote executions for this card funding source's Embedded Wallet funding account.

A delegated signing key for a card funding source backed by an Embedded Wallet internal account. Returned from POST /auth/delegated-keys (on activation), GET /auth/delegated-keys (list), and GET /auth/delegated-keys/{id}. The keypair is generated and custodied by Grid; the private key is never returned. While ACTIVE, Grid may use the key to authorize Spark token-transaction signing for the card funding source's Embedded Wallet funding account in place of a session keypair. publicKey is informational metadata identifying the credential.

id
string
required

Grid-issued DelegatedKey:<uuid> identifier.

Example:

"DelegatedKey:019542f5-b3e7-1d02-0000-000000000021"

cardId
string
required

The card this key is delegated for.

Example:

"Card:019542f5-b3e7-1d02-0000-000000000010"

fundingSourceId
string
required

The card funding source this key is delegated for.

Example:

"CardFundingSource:019542f5-b3e7-1d02-0000-000000000011"

accountId
string
required

The Embedded Wallet internal account this key is delegated for, derived from the card funding source.

Example:

"InternalAccount:019542f5-b3e7-1d02-0000-000000000002"

publicKey
string
required

Compressed P-256 public key (hex) of the delegated API keypair.

Example:

"02a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90"

nickname
string
required

Human-readable label for the delegated key.

Example:

"Settlement service key"

status
enum<string>
required

Status of a delegated signing key.

  • PENDING: The delegated user exists but the policy-creation leg never completed. The key cannot sign.
  • ACTIVE: The policy is granted and the key may stamp quote executions.
  • REVOKED: The delegated user has been deleted and the key can no longer sign.
Available options:
PENDING,
ACTIVE,
REVOKED
Example:

"ACTIVE"

createdAt
string<date-time>
required

When the delegated key was created.

Example:

"2026-04-08T15:30:01Z"

updatedAt
string<date-time>
required

When the delegated key was last updated.

Example:

"2026-04-08T15:30:42Z"