Create a delegated signing key
Delegate Spark token-transaction signing authority for a card funding source backed by an Embedded Wallet internal account to a Grid-custodied P-256 API key. Grid uses the requested card and internal account to identify the wallet funding source, generates the keypair server-side, creates an isolated signer identity holding the public key, then policies granting that identity signing and self-revocation authority. The private key is custodied by Grid and never returned. Both activities must be authorized by the wallet owner, so creation is a three-leg signed-retry flow:
-
Call
POST /auth/delegated-keyswith no signature headers. Grid generates the delegated keypair and the response is202with apayloadToSign,requestId, andexpiresAt. -
Use the session API keypair of a verified credential on the requested Embedded Wallet internal account to build an API-key stamp over
payloadToSign, then retry the same request with that full stamp as theGrid-Wallet-Signatureheader and therequestIdechoed back as theRequest-Idheader. The response is a second202with a newpayloadToSign,requestId, andexpiresAt. -
Stamp the new
payloadToSignwith the same session keypair and retry once more with the newRequest-Id. The signed retry returns201with the createdDelegatedKeyinACTIVEstatus.
The same request body must be sent on all three legs. A flow abandoned after the second leg leaves the key in PENDING status: the signer identity exists but holds no policies, so it cannot sign or revoke itself. Abandoned PENDING keys do not block creating another delegated key. After activation, Grid uses the custodied key to authorize signing for the card’s Embedded Wallet funding account in place of a session keypair; the platform never handles the key material.
Each card funding source may have at most one ACTIVE delegated key for its Embedded Wallet funding account; revoke the existing active key before creating a new one. A delegated key authorizes raw-payload signing for the wallet and cannot be scoped to amounts or recipients by the public API. Revoke it with DELETE /auth/delegated-keys/{id} when no longer needed.
Authorizations
API token authentication using format <api token id>:<api client secret>
Headers
Full API-key stamp built over the prior payloadToSign with the session API keypair of a verified credential on the same internal account. Required on the signed retries; ignored on the initial call.
The requestId returned in the prior 202 response, echoed back exactly on the signed retry so the server can correlate it with the issued challenge. Required on the signed retries; must be paired with Grid-Wallet-Signature.
Body
The id of the card whose Embedded Wallet funding account will use this delegated signing key.
"Card:019542f5-b3e7-1d02-0000-000000000010"
The id of the Embedded Wallet internal account funding the card. Grid uses the (cardId, internalAccountId) pair to find the active card funding-source binding.
"InternalAccount:019542f5-b3e7-1d02-0000-000000000002"
Human-readable label for the delegated key.
1 - 256"Card payments key"
Response
Delegated key created and policy granted. The key is ACTIVE and Grid may use it to stamp card-payment quote executions for this card funding source's Embedded Wallet funding account.
A delegated signing key for a card funding source backed by an Embedded Wallet internal account. Returned from POST /auth/delegated-keys (on activation), GET /auth/delegated-keys (list), and GET /auth/delegated-keys/{id}. The keypair is generated and custodied by Grid; the private key is never returned. While ACTIVE, Grid may use the key to authorize Spark token-transaction signing for the card funding source's Embedded Wallet funding account in place of a session keypair. publicKey is informational metadata identifying the credential.
Grid-issued DelegatedKey:<uuid> identifier.
"DelegatedKey:019542f5-b3e7-1d02-0000-000000000021"
The card this key is delegated for.
"Card:019542f5-b3e7-1d02-0000-000000000010"
The card funding source this key is delegated for.
"CardFundingSource:019542f5-b3e7-1d02-0000-000000000011"
The Embedded Wallet internal account this key is delegated for, derived from the card funding source.
"InternalAccount:019542f5-b3e7-1d02-0000-000000000002"
Compressed P-256 public key (hex) of the delegated API keypair.
"02a1b2c3d4e5f60718293a4b5c6d7e8f90a1b2c3d4e5f60718293a4b5c6d7e8f90"
Human-readable label for the delegated key.
"Settlement service key"
Status of a delegated signing key.
PENDING: The delegated user exists but the policy-creation leg never completed. The key cannot sign.ACTIVE: The policy is granted and the key may stamp quote executions.REVOKED: The delegated user has been deleted and the key can no longer sign.
PENDING, ACTIVE, REVOKED "ACTIVE"
When the delegated key was created.
"2026-04-08T15:30:01Z"
When the delegated key was last updated.
"2026-04-08T15:30:42Z"