Skip to main content
Para REST API authenticates your backend with X-API-Key. It does not authenticate end users, mint user JWTs, or run OTP, passkey, or OAuth flows for clients. Use this pattern when your app already has its own login system and you want your backend to create and sign with Para wallets on behalf of those users.
Want users to sign in through Para with your own identity provider (OIDC / SSO) instead? That’s Custom OIDC — a client-side login method, distinct from this server-side pattern.
Keep your Para API key on your server. Do not put it in a mobile app, web app, desktop app, or client-side config.
This is a partner-custodial signing pattern. Your backend decides when to ask Para to sign. The end user does not have a Para session in REST API v1.

When to use this

Walkthrough

1. Authenticate the user in your app

Use your existing auth system. Your backend should map the authenticated user to a stable internal ID, such as user_123. The client never talks to Para directly in this pattern.

2. Create a REST wallet for that user

Create the wallet from your backend after signup or when the user first needs a wallet. Use your internal user ID as a CUSTOM_ID.
create-wallet.sh
Store the returned id as the Para wallet ID for your user.

3. Look up the wallet by identifier

If you need to recover the mapping, query wallets by the same identifier.
lookup-wallet.sh

4. Sign from your backend

Your client asks your backend to perform an action. Your backend checks the user’s session and authorization, then calls Para. The requireUser and db calls below stand in for your app’s auth and storage.
server.ts
For transaction broadcasts, store the returned transactionId. Your backend can poll transaction history or receive REST transaction webhooks and expose the latest status to the client.

Claiming and ownership

REST-created wallets are pre-created wallets. They start project-controlled and can be claimed later by a Para user if your app supports a client-side claim flow. Before claim, REST signing endpoints work with the wallet ID and API key. After claim, REST signing endpoints reject the wallet because it is user-owned. At that point, use client SDK flows for user-owned wallet actions. If you created a wallet with CUSTOM_ID but later want the user to claim it with an email, phone, or OAuth identifier, update the unclaimed wallet first:
update-identifier.sh
The wallet.pregen_claimed webhook can help your backend reconcile ownership after claim.

Limits

  • REST API v1 has no end-user Para session, user JWT, or user-scoped REST token.
  • REST API v1 does not run OTP, passkey, OAuth, or Para-branded auth on the client.
  • REST API v1 does not provide a private-key export endpoint.
  • REST signing stops after the wallet is claimed by a user.
  • Client-side export and SDK share-management flows require the relevant Para SDK path.