Authentication
How to authenticate with the Zodia Custody API
Key Pairs Required
Two sets of key pairs are needed before making any API calls: an RSA key pair for the company and an ECC key pair for each API user.
1. Company Key Pair (RSA)
Used to authenticate all API requests. Generated once per company.
- `company_pri_key` — private key (never share)
- `company_pub_key` — share with Zodia at customerservice@zodia.io
Keys must be RSA, base64-encoded, minimum 2048 bits.
```python
import os

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import rsa


def generate_rsa_keypair(company):
    # Generate a 2048-bit RSA key, the minimum size stated above.
    rsa_private_key = rsa.generate_private_key(
        public_exponent=65537, key_size=2048, backend=default_backend()
    )

    # Serialize the private key as PKCS#8 PEM. It is written unencrypted,
    # so access to the resulting file must be restricted.
    private_key_pem = rsa_private_key.private_bytes(
        serialization.Encoding.PEM,
        serialization.PrivateFormat.PKCS8,
        serialization.NoEncryption(),
    )
    # Create the output directory if it does not exist yet.
    os.makedirs("keys", exist_ok=True)
    with open(os.path.join("keys", company + ".private.pem"), "wb") as f:
        f.write(private_key_pem)

    # Serialize the public key (the part shared with Zodia) as PEM.
    public_key_pem = rsa_private_key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    with open(os.path.join("keys", company + ".public.pem"), "wb") as f:
        f.write(public_key_pem)


generate_rsa_keypair("ZTEST")
```
2. User Key Pair (ECC)
Each API user (maker and checker) needs an Elliptic Curve key pair using SECP256R1.
```shell
openssl ecparam -name prime256v1 -genkey -noout -out ./private-key.pem
openssl ec -in ./private-key.pem -pubout -out ./public-key.pem
```
Share with Zodia: the user's email, ECC public key, and assigned roles (Viewer, Maker, Checker).
Onboarding Checklist
- Generate company RSA key pair
- Send `company_pub_key` to customerservice@zodia.io
- Generate ECC key pairs for at least one maker and one checker user
- Send user emails, public keys, and roles to customerservice@zodia.io
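
A pre-flight check for the two "send" steps in the checklist, as an added example that is not Zodia's own code: it refuses a PEM that contains a private key and confirms the key type, size and curve this page requires. The helper name `check_shareable_key` and its `expected` labels ("company", "user") are assumptions made for the example.

```python
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import ec, rsa

MIN_RSA_BITS = 2048  # minimum RSA size stated on this page


def check_shareable_key(pem_bytes, expected):
    """Return a list of problems; an empty list means the PEM can be sent.

    expected: "company" (RSA, >= 2048 bits) or "user" (EC on SECP256R1).
    Hypothetical helper for this example, not part of any Zodia SDK.
    """
    if expected not in ("company", "user"):
        raise ValueError("expected must be 'company' or 'user'")
    # Catches PKCS#8, traditional RSA/EC and encrypted private-key PEM headers.
    if b"PRIVATE KEY" in pem_bytes:
        return ["file contains a private key; never share it"]
    try:
        key = serialization.load_pem_public_key(pem_bytes)
    except ValueError as exc:
        return [f"not a parseable PEM public key: {exc}"]

    problems = []
    if expected == "company":
        if not isinstance(key, rsa.RSAPublicKey):
            problems.append("company key must be RSA")
        elif key.key_size < MIN_RSA_BITS:
            problems.append(f"RSA key is {key.key_size} bits; minimum is {MIN_RSA_BITS}")
    else:
        if not isinstance(key, ec.EllipticCurvePublicKey):
            problems.append("user key must be an elliptic-curve key")
        elif not isinstance(key.curve, ec.SECP256R1):
            # prime256v1 (the openssl name) and SECP256R1 are the same curve.
            problems.append(f"curve is {key.curve.name}; expected secp256r1")
    return problems


if __name__ == "__main__":
    # Constructed sample input: throwaway keys generated in memory.
    def pub_pem(private_key):
        return private_key.public_key().public_bytes(
            serialization.Encoding.PEM,
            serialization.PublicFormat.SubjectPublicKeyInfo,
        )

    weak_rsa = rsa.generate_private_key(public_exponent=65537, key_size=1024)
    good_ec = ec.generate_private_key(ec.SECP256R1())
    print(check_shareable_key(pub_pem(weak_rsa), "company"))
    print(check_shareable_key(pub_pem(good_ec), "user"))
```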