> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getpara.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Get Enclave Public Key

> Retrieve the enclave's P-256 public key in PEM format. Non-SDK callers need this
key to implement ECIES encryption for the `migrate-share` endpoint.

SDK users do not need to call this endpoint directly — the `migrateWalletShare()`
method fetches and caches the key automatically.




## OpenAPI

````yaml /openapi.yaml get /v1/enclave/public-key
openapi: 3.0.3
info:
  title: Para REST API
  version: '1.0'
  description: Server-to-server wallet creation and signing over HTTP
servers:
  - url: https://api.beta.getpara.com
    description: Beta
  - url: https://api.getpara.com
    description: Production
security:
  - ApiKeyAuth: []
paths:
  /v1/enclave/public-key:
    get:
      tags:
        - Enclave
      summary: Get Enclave Public Key
      description: >
        Retrieve the enclave's P-256 public key in PEM format. Non-SDK callers
        need this

        key to implement ECIES encryption for the `migrate-share` endpoint.


        SDK users do not need to call this endpoint directly — the
        `migrateWalletShare()`

        method fetches and caches the key automatically.
      operationId: getEnclavePublicKey
      parameters:
        - $ref: '#/components/parameters/RequestId'
      responses:
        '200':
          description: Enclave public key
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/EnclavePublicKeyResponse'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/ServerError'
components:
  parameters:
    RequestId:
      name: X-Request-Id
      in: header
      required: false
      description: UUID for request tracing. Para returns one if omitted.
      schema:
        type: string
        format: uuid
  schemas:
    EnclavePublicKeyResponse:
      type: object
      required:
        - publicKey
        - keyFingerprint
        - generatedAt
      properties:
        publicKey:
          type: string
          description: PEM-formatted P-256 public key for ECIES encryption
          example: |-
            -----BEGIN PUBLIC KEY-----
            MFkwEwYH...
            -----END PUBLIC KEY-----
        keyFingerprint:
          type: string
          description: SHA-256 fingerprint of the public key for verification
          example: SHA256:abc123...
        generatedAt:
          type: string
          format: date-time
          description: Timestamp when the key was generated
          example: '2025-01-15T00:00:00.000Z'
    Error:
      type: object
      required:
        - code
        - message
      properties:
        code:
          type: string
          description: Machine-readable error code for programmatic handling
          example: INVALID_REQUEST
        message:
          type: string
          description: Human-readable error message
        transactionId:
          type: string
          format: uuid
          description: >-
            Persisted transaction record id. Present only when a broadcast
            request failed after a history row was created.
        failureStage:
          type: string
          enum:
            - mpc_sign
            - signature_apply
            - signer_verify
            - broadcast
            - monitor_timeout
          description: >-
            Which stage of the broadcast lifecycle failed. Present on persisted
            broadcast failures.
        failureCode:
          type: string
          description: >-
            Machine-readable failure reason from the underlying broadcast helper
            (e.g. `INSUFFICIENT_NATIVE_BALANCE`, `EXECUTION_FAILED`). Present on
            broadcast-stage failures.
        signedTransaction:
          type: string
          description: >-
            Signed transaction bytes. Present on broadcast failures that happen
            after signing completed.
      additionalProperties: true
      description: >
        All error responses include `code` and `message` fields. Some errors
        include extra fields (e.g. `walletId` on 409 Conflict).

        Broadcast failures that occur after a persisted transaction row is
        created include `transactionId`,

        `failureStage`, and (on broadcast-stage failures) `failureCode`, and
        also set the `x-transaction-id`

        response header. If signing completed before the failure,
        `signedTransaction` is included so callers

        can inspect or retry the already-signed bytes.


        Common error codes: `INVALID_REQUEST`, `UNAUTHORIZED`, `FORBIDDEN`,
        `NOT_FOUND`, `CONFLICT`, `WALLET_ALREADY_EXISTS`,
        `WALLET_ALREADY_CLAIMED`, `RATE_LIMITED`, `INTERNAL_ERROR`.
  responses:
    Unauthorized:
      description: API key not provided
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: UNAUTHORIZED
            message: secret api key not provided
    Forbidden:
      description: Invalid API key
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: FORBIDDEN
            message: invalid secret api key
    TooManyRequests:
      description: Rate limit exceeded
      headers:
        Retry-After:
          schema:
            type: integer
          description: Seconds until the rate limit window resets
          example: 60
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: RATE_LIMITED
            message: Rate limit exceeded, try again shortly.
    ServerError:
      description: Internal server error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: INTERNAL_ERROR
            message: Internal Server Error
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
      description: Your partner secret key (server-side only)
      x-default: sk_your_secret_key_here

````