# Migrate SDK Pregen Wallet Share

> Migrate an SDK-pregenerated wallet to the REST API by persisting its user share in Para's hardware-isolated enclave.

The request body must contain an `encryptedPayload` — the user share encrypted with
the enclave's P-256 public key using ECIES. The SDK's `migrateWalletShare()` method
handles encryption automatically. Non-SDK callers must implement ECIES-P256 encryption
using the key from `GET /v1/enclave/public-key`.

After migration the wallet's `sharesPersisted` flag becomes `true` and the wallet
can be used with all REST API signing endpoints (`sign-raw`, `sign-transaction`,
`sign-message`, `sign-typed-data`, `transfer`).

Migration is additive — the original SDK signing flow continues to work.
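
For non-SDK callers, the sketch below (an added example, not Para's SDK code) builds the request body: an ECIES envelope with the `encryptedData`, `ephemeral` and `algorithm` fields from the schema example, stringified into `encryptedPayload`. The page does not specify the key derivation, AES mode, byte layout or key encoding, so the choices marked ASSUMPTION are illustrative and must be checked against Para's specification. The function names are hypothetical, and `eciesDecrypt` exists only to round-trip against a locally generated stand-in key.

```javascript
const nodeCrypto = require('node:crypto');

const ALGORITHM = 'ECIES-P256-AES256-SHA256'; // label taken from the schema example

// ASSUMPTIONS (not stated on the page; confirm before use):
//  - public keys travel as base64 of the uncompressed SEC1 point (65 bytes)
//  - AES key = SHA-256(ECDH shared secret)
//  - encryptedData = base64(12-byte IV || AES-256-GCM ciphertext || 16-byte tag)
function eciesEncrypt(recipientPubB64, plaintext) {
  const eph = nodeCrypto.createECDH('prime256v1'); // fresh ephemeral key per message
  eph.generateKeys();
  // computeSecret throws if the recipient key is not a valid P-256 point
  const shared = eph.computeSecret(Buffer.from(recipientPubB64, 'base64'));
  const key = nodeCrypto.createHash('sha256').update(shared).digest();
  const iv = nodeCrypto.randomBytes(12);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return {
    encryptedData: Buffer.concat([iv, ct, cipher.getAuthTag()]).toString('base64'),
    ephemeral: eph.getPublicKey().toString('base64'),
    algorithm: ALGORITHM,
  };
}

// encryptedPayload is typed as a string holding JSON, so the envelope is
// stringified once on its own and again as part of the outer request body.
function buildMigrateShareBody(recipientPubB64, userShare) {
  const envelope = eciesEncrypt(recipientPubB64, Buffer.from(userShare, 'utf8'));
  return JSON.stringify({ encryptedPayload: JSON.stringify(envelope) });
}

// Recipient side, for local round-trip testing only; in production the
// private key never leaves the enclave.
function eciesDecrypt(recipientEcdh, envelope) {
  if (envelope.algorithm !== ALGORITHM) throw new Error('unexpected algorithm');
  const blob = Buffer.from(envelope.encryptedData, 'base64');
  const shared = recipientEcdh.computeSecret(Buffer.from(envelope.ephemeral, 'base64'));
  const key = nodeCrypto.createHash('sha256').update(shared).digest();
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  decipher.setAuthTag(blob.subarray(blob.length - 16));
  const ct = blob.subarray(12, blob.length - 16);
  return Buffer.concat([decipher.update(ct), decipher.final()]); // throws if tampered
}
```
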




## OpenAPI

````yaml /openapi.yaml post /v1/wallets/{walletId}/migrate-share
openapi: 3.0.3
info:
  title: Para REST API
  version: '1.0'
  description: Server-to-server wallet creation and signing over HTTP
servers:
  - url: https://api.beta.getpara.com
    description: Beta
  - url: https://api.getpara.com
    description: Production
security:
  - ApiKeyAuth: []
paths:
  /v1/wallets/{walletId}/migrate-share:
    post:
      tags:
        - Wallets
      summary: Migrate SDK Pregen Wallet Share
      description: >
        Migrate an SDK-pregenerated wallet to the REST API by persisting its
        user share

        in Para's hardware-isolated enclave.


        The request body must contain an `encryptedPayload` — the user share
        encrypted with

        the enclave's P-256 public key using ECIES. The SDK's
        `migrateWalletShare()` method

        handles encryption automatically. Non-SDK callers must implement
        ECIES-P256 encryption

        using the key from `GET /v1/enclave/public-key`.


        After migration the wallet's `sharesPersisted` flag becomes `true` and
        the wallet

        can be used with all REST API signing endpoints (`sign-raw`,
        `sign-transaction`,

        `sign-message`, `sign-typed-data`, `transfer`).


        Migration is additive — the original SDK signing flow continues to work.
      operationId: migrateShare
      parameters:
        - $ref: '#/components/parameters/WalletId'
        - $ref: '#/components/parameters/RequestId'
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/MigrateShareRequest'
      responses:
        '200':
          description: Wallet migrated successfully
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Wallet'
        '400':
          description: Missing encryptedPayload in request body
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              example:
                code: INVALID_REQUEST
                message: encryptedPayload is required
        '401':
          $ref: '#/components/responses/Unauthorized'
        '403':
          $ref: '#/components/responses/Forbidden'
        '404':
          $ref: '#/components/responses/NotFound'
        '409':
          description: Wallet shares are already persisted
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/Error'
              example:
                code: CONFLICT
                message: shares already persisted for this wallet
        '429':
          $ref: '#/components/responses/TooManyRequests'
        '500':
          $ref: '#/components/responses/ServerError'
components:
  parameters:
    WalletId:
      name: walletId
      in: path
      required: true
      description: Wallet ID
      schema:
        type: string
        example: 0a1b2c3d-4e5f-6789-abcd-ef0123456789
    RequestId:
      name: X-Request-Id
      in: header
      required: false
      description: UUID for request tracing. Para returns one if omitted.
      schema:
        type: string
        format: uuid
  schemas:
    MigrateShareRequest:
      type: object
      required:
        - encryptedPayload
      properties:
        encryptedPayload:
          type: string
          description: |
            JSON string containing the ECIES-encrypted user share. The SDK's
            `migrateWalletShare()` method produces this automatically. Non-SDK
            callers must encrypt the share with the enclave's P-256 public key
            (from `GET /v1/enclave/public-key`) using ECIES-P256-AES256-SHA256.
          example: >-
            {"encryptedData":"base64...","ephemeral":"base64...","algorithm":"ECIES-P256-AES256-SHA256"}
    Wallet:
      type: object
      required:
        - id
        - type
        - scheme
        - status
        - createdAt
      properties:
        id:
          type: string
          format: uuid
          description: Unique wallet identifier
          example: 0a1b2c3d-4e5f-6789-abcd-ef0123456789
        type:
          type: string
          enum:
            - EVM
            - SOLANA
            - COSMOS
            - STELLAR
          description: Blockchain network type
          example: EVM
        scheme:
          type: string
          enum:
            - DKLS
            - CGGMP
            - ED25519
          description: Signature scheme
          example: DKLS
        status:
          type: string
          enum:
            - creating
            - ready
          description: Wallet creation status
        address:
          type: string
          description: Wallet address. Present when status is ready, omitted otherwise.
          example: 0x742d35Cc6634C0532925a3b844Bc9e7595f...
        publicKey:
          type: string
          description: Public key. Present when status is ready, omitted otherwise.
        userIdentifier:
          type: string
          description: The user identifier associated with this wallet
          example: alice@example.com
        userIdentifierType:
          type: string
          enum:
            - EMAIL
            - PHONE
            - CUSTOM_ID
            - GUEST_ID
            - DISCORD
            - TWITTER
            - TELEGRAM
            - FARCASTER
          description: Type of user identifier
        createdAt:
          type: string
          format: date-time
          description: ISO 8601 timestamp
          example: '2024-01-15T09:30:00Z'
    Error:
      type: object
      required:
        - code
        - message
      properties:
        code:
          type: string
          description: Machine-readable error code for programmatic handling
          example: INVALID_REQUEST
        message:
          type: string
          description: Human-readable error message
        transactionId:
          type: string
          format: uuid
          description: >-
            Persisted transaction record id. Present only when a broadcast
            request failed after a history row was created.
        failureStage:
          type: string
          enum:
            - mpc_sign
            - signature_apply
            - signer_verify
            - broadcast
            - monitor_timeout
          description: >-
            Which stage of the broadcast lifecycle failed. Present on persisted
            broadcast failures.
        failureCode:
          type: string
          description: >-
            Machine-readable failure reason from the underlying broadcast helper
            (e.g. `INSUFFICIENT_NATIVE_BALANCE`, `EXECUTION_FAILED`). Present on
            broadcast-stage failures.
        signedTransaction:
          type: string
          description: >-
            Signed transaction bytes. Present on broadcast failures that happen
            after signing completed.
      additionalProperties: true
      description: >
        All error responses include `code` and `message` fields. Some errors
        include extra fields (e.g. `walletId` on 409 Conflict).

        Broadcast failures that occur after a persisted transaction row is
        created include `transactionId`,

        `failureStage`, and (on broadcast-stage failures) `failureCode`, and
        also set the `x-transaction-id`

        response header. If signing completed before the failure,
        `signedTransaction` is included so callers

        can inspect or retry the already-signed bytes.


        Common error codes: `INVALID_REQUEST`, `UNAUTHORIZED`, `FORBIDDEN`,
        `NOT_FOUND`, `CONFLICT`, `WALLET_ALREADY_EXISTS`,
        `WALLET_ALREADY_CLAIMED`, `RATE_LIMITED`, `INTERNAL_ERROR`.
  responses:
    Unauthorized:
      description: API key not provided
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: UNAUTHORIZED
            message: secret api key not provided
    Forbidden:
      description: Invalid API key
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: FORBIDDEN
            message: invalid secret api key
    NotFound:
      description: Wallet not found
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: NOT_FOUND
            message: wallet not found
    TooManyRequests:
      description: Rate limit exceeded
      headers:
        Retry-After:
          schema:
            type: integer
          description: Seconds until the rate limit window resets
          example: 60
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: RATE_LIMITED
            message: Rate limit exceeded, try again shortly.
    ServerError:
      description: Internal server error
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/Error'
          example:
            code: INTERNAL_ERROR
            message: Internal Server Error
  securitySchemes:
    ApiKeyAuth:
      type: apiKey
      in: header
      name: X-API-Key
      description: Your partner secret key (server-side only)
      x-default: sk_your_secret_key_here

````