Create KMS Key

curl --request POST \
  --url https://api.example.com/v1/keys/generate \
  --header 'Content-Type: application/json' \
  --data '
{
  "algorithm": "<string>",
  "chain": "<string>",
  "custody": "<string>"
}
'

POST

keys

generate

Create KMS Key

curl --request POST \
  --url https://api.example.com/v1/keys/generate \
  --header 'Content-Type: application/json' \
  --data '
{
  "algorithm": "<string>",
  "chain": "<string>",
  "custody": "<string>"
}
'

Request

Set custody to "managed" to create a KMS-backed key.

algorithm

string

required

PQC algorithm. One of: ml-dsa-44, ml-dsa-65, ml-dsa-87

chain

string

required

Target blockchain. e.g., ethereum, base, arbitrum

custody

string

required

Set to "managed" for KMS. Default: "byok"

Response

{
  "key_id": "arn:aws:kms:us-east-1:123456789:key/abc-def-123",
  "public_key": "3082...",
  "algorithm": "ml-dsa-65",
  "nist_level": 3,
  "chain": "ethereum",
  "custody": "managed"
}

Errors

Code	Description
403	Free/Builder plan — KMS requires Pro+
400	Unsupported algorithm for KMS (e.g., slh-dsa)
503	AWS KMS unavailable

Private keys are stored inside AWS KMS HSM and cannot be exported. The public_key in the response is the only key material you receive.

Scan Wallet KMS Sign

API Reference

KMS Managed (v1.5)

Create KMS Key

Request

Response

Errors

API Reference

KMS Managed (v1.5)

​Request

​Response

​Errors

Request

Response

Errors