> ## Documentation Index
> Fetch the complete documentation index at: https://docs.getpara.com/llms.txt
> Use this file to discover all available pages before exploring further.

# Sign Raw

> Sign raw bytes with a wallet's private key share via MPC.

The input `data` is hex-encoded bytes. The MPC protocol signs these bytes
directly — no hashing or prefix is applied, and no chain-specific logic
is involved. This makes `sign-raw` suitable for **any chain** that uses
the same curve as the wallet's key scheme:

- **DKLS/CGGMP wallets** (EVM, COSMOS) use secp256k1 — compatible with
  Bitcoin and any other secp256k1-based chain.
- **ED25519 wallets** (SOLANA, STELLAR) use Ed25519 — compatible with any
  Ed25519-based chain.

To use Para wallets with an unsupported chain, create a wallet with the
matching scheme (e.g., an EVM wallet for secp256k1), pre-hash your
transaction on the client side, then call `sign-raw` with the hash. Derive
the chain-specific address from the wallet's `publicKey`.

Use `sign-transaction` or `sign-message` instead if you want Para to
handle chain-specific serialization for EVM, Solana, or Stellar.

The response `signature` is a hex string (no `0x` prefix). For DKLS/CGGMP
schemes this is 65 bytes: `r (32) + s (32) + v (1)`.




## OpenAPI

````yaml /openapi.yaml post /v1/wallets/{walletId}/sign-raw
openapi: 3.0.3
info:
  title: Para REST API
  version: '1.0'
  description: Server-to-server wallet creation and signing over HTTP
servers:
  - url: https://api.beta.getpara.com
    description: Beta
  - url: https://api.getpara.com
    description: Production
security:
  - ApiKeyAuth: []
paths:
  /v1/wallets/{walletId}/sign-raw:
    post:
      tags:
        - Signing
      summary: Sign Raw
      description: >
        Sign raw bytes with a wallet's private key share via MPC.


        The input `data` is hex-encoded bytes. The MPC protocol signs these
        bytes

        directly — no hashing or prefix is applied, and no chain-specific logic

        is involved. This makes `sign-raw` suitable for **any chain** that uses

        the same curve as the wallet's key scheme:


        - **DKLS/CGGMP wallets** (EVM, COSMOS) use secp256k1 — compatible with
          Bitcoin and any other secp256k1-based chain.
        - **ED25519 wallets** (SOLANA, STELLAR) use Ed25519 — compatible with
        any
          Ed25519-based chain.

        To use Para wallets with an unsupported chain, create a wallet with the

        matching scheme (e.g., an EVM wallet for secp256k1), pre-hash your

        transaction on the client side, then call `sign-raw` with the hash.
        Derive

        the chain-specific address from the wallet's `publicKey`.


        Use `sign-transaction` or `sign-message` instead if you want Para to

        handle chain-specific serialization for EVM, Solana, or Stellar.


        The response `signature` is a hex string (no `0x` prefix). For
        DKLS/CGGMP

        schemes this is 65 bytes: `r (32) + s (32) + v (1)`.
      operationId: signRaw
      parameters:
        - $ref: '#/components/parameters/WalletId'
        - $ref: '#/components/parameters/RequestId'
        - $ref: '#/components/parameters/IdempotencyKey'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SignRawRequest'
      responses:
        '200':
          description: Signature
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/SignRawResponse'
        '400':
          $ref: '#/components/responses/BadRequest'
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          description: |
            Forbidden. Either the API key is invalid (`FORBIDDEN`) or a policy
            denied the operation (`POLICY_DENIED`).
          content:
            application/json:
              schema:
                oneOf:
                  - $ref: '#/components/schemas/Error'
                  - $ref: '#/components/schemas/PolicyDeniedError'
              examples:
                forbidden:
                  summary: Invalid API key
                  value:
                    code: FORBIDDEN
                    message: invalid secret api key
                policyDenied:
                  summary: Denied by policy
                  value:
                    code: POLICY_DENIED
                    message: Transaction denied by policy
                    deniedBy:
                      scopeName: signing
                      permissionType: SIGN_MESSAGE
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          $ref: '#/components/responses/IdempotencyConflict'
        '422':
          $ref: '#/components/responses/Unprocessable'
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/ServerError'
components:
  parameters:
    WalletId:
      name: walletId
      in: path
      required: true
      description: Wallet ID
      schema:
        type: string
        example: 0a1b2c3d-4e5f-6789-abcd-ef0123456789
    RequestId:
      name: X-Request-Id
      in: header
      required: false
      description: UUID for request tracing. Para returns one if omitted.
      schema:
        type: string
        format: uuid
    IdempotencyKey:
      name: Idempotency-Key
      in: header
      required: false
      description: >
        Unique key for safe retries on POST endpoints. If a request with the
        same key

        is received within 24 hours, the original response is returned without
        re-executing.

        Recommended format: UUID v4. Max length 256 characters.

        Returns 422 if the same key is reused with a different request body.

        Returns 409 if a request with the same key is still being processed.
      schema:
        type: string
        maxLength: 256
  schemas:
    SignRawRequest:
      type: object
      required:
        - data
      properties:
        data:
          type: string
          description: Hex-encoded data to sign (optional `0x` prefix)
          example: '0x48656c6c6f20576f726c64'
        encoding:
          type: string
          enum:
            - hex
          default: hex
          description: Encoding of `data`. Currently only `hex` is supported.
        walletType:
          type: string
          enum:
            - EVM
            - SOLANA
            - COSMOS
            - STELLAR
          description: >-
            Expected wallet type. If provided and the wallet is a different
            type, the request is rejected.
    SignRawResponse:
      type: object
      required:
        - signature
      properties:
        signature:
          type: string
          description: >-
            Hex-encoded signature without `0x` prefix. For DKLS/CGGMP: 65 bytes
            (r + s + v).
          example: a1b2c3d4e5f6...
    Error:
      type: object
      required:
        - code
        - message
      properties:
        code:
          type: string
          description: Machine-readable error code for programmatic handling
          example: INVALID_REQUEST
        message:
          type: string
          description: Human-readable error message
        transactionId:
          type: string
          format: uuid
          description: >-
            Persisted transaction record id. Present only when a broadcast
            request failed after a history row was created.
        failureStage:
          type: string
          enum:
            - mpc_sign
            - signature_apply
            - signer_verify
            - broadcast
            - monitor_timeout
          description: >-
            Which stage of the broadcast lifecycle failed. Present on persisted
            broadcast failures.
        failureCode:
          type: string
          description: >-
            Machine-readable failure reason from the underlying broadcast helper
            (e.g. `INSUFFICIENT_NATIVE_BALANCE`, `EXECUTION_FAILED`). Present on
            broadcast-stage failures.
        signedTransaction:
          type: string
          description: >-
            Signed transaction bytes. Present on broadcast failures that happen
            after signing completed.
      additionalProperties: true
      description: >
        All error responses include `code` and `message` fields. Some errors
        include extra fields (e.g. `walletId` on 409 Conflict).

        Broadcast failures that occur after a persisted transaction row is
        created include `transactionId`,

        `failureStage`, and (on broadcast-stage failures) `failureCode`, and
        also set the `x-transaction-id`

        response header. If signing completed before the failure,
        `signedTransaction` is included so callers

        can inspect or retry the already-signed bytes.


        Common error codes: `INVALID_REQUEST`, `UNAUTHORIZED`, `FORBIDDEN`,
        `NOT_FOUND`, `CONFLICT`, `WALLET_ALREADY_EXISTS`,
        `WALLET_ALREADY_CLAIMED`, `RATE_LIMITED`, `INTERNAL_ERROR`.
    PolicyDeniedError:
      type: object
      properties:
        code:
          type: string
          example: POLICY_DENIED
        message:
          type: string
          example: Transaction denied by policy
        deniedBy:
          type: object
          properties:
            scopeName:
              type: string
            permissionType:
              type: string
            condition:
              type: object
              properties:
                resource:
                  type: string
                comparator:
                  type: string
                reference: {}
  responses:
    BadRequest:
      description: Invalid request body
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: INVALID_REQUEST
            message: type must be one of EVM, SOLANA, COSMOS, STELLAR
    Unauthorized:
      description: API key not provided
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: UNAUTHORIZED
            message: secret api key not provided
    NotFound:
      description: Wallet not found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: NOT_FOUND
            message: wallet not found
    IdempotencyConflict:
      description: A request with this idempotency key is currently being processed
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: CONFLICT
            message: A request with this idempotency key is currently being processed
    Unprocessable:
      description: Idempotency key reused with a different request body
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: UNPROCESSABLE
            message: >-
              Idempotency key has already been used with different request
              parameters
    TooManyRequests:
      description: Rate limit exceeded
      headers:
        Retry-After:
          schema:
            type: integer
          description: Seconds until the rate limit window resets
          example: 60
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: RATE_LIMITED
            message: Rate limit exceeded, try again shortly.
    ServerError:
      description: Internal server error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: INTERNAL_ERROR
            message: Internal Server Error
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
      description: Your partner secret key (server-side only)
      x-default: sk_your_secret_key_here

````