Skip to main content
Ask DFlow to cryptographically sign its API responses so you can confirm a response came from DFlow and was not altered in transit. Signatures follow RFC 9421 (HTTP Message Signatures) and use ed25519.
Signing applies only to REST requests, not WebSocket connections.

​
Request a signed response

Add the x-sign-request header to a request: 
x-sign-request: true
DFlow signs the response and returns the signature in standard response headers. You can also send an x-request-id header with any string value. It is included in the signed content and echoed back in the response, so you can tie a response to your request and guard against replay. If you omit it, DFlow generates one. 
x-sign-request: true
x-request-id: 0f8c2b1a-...    # optional
Try it against the developer endpoint (no API key required) and read the response headers: 
curl -sS -D - -o /dev/null \
  -H "x-sign-request: true" \
  "https://dev-quote-api.dflow.net/order?inputMint=So11111111111111111111111111111111111111112&outputMint=EPjFWdd5AufqSSqeM2qN1xzybapC8G4wEGGkZwyTDt1v&amount=100000000"
-D - prints the response headers and -o /dev/null discards the body, so you see signature, signature-input, and content-digest.

​
Response headers

A signed response includes:
HeaderDescription
signature-inputThe signed components and metadata: keyid, algorithm, and created timestamp
signatureThe signature, base64-encoded
content-digestSHA-256 digest of the response body
x-request-idYour x-request-id, or one DFlow generated
These headers are exposed via CORS (access-control-expose-headers), so they are readable from the browser. Example: 
signature-input: sig1=("@status" "content-type" "content-digest" "x-request-id";req);created=1781240303;keyid="EZKxYr7bbXHaKAGw2MEpVUU9He3hwXGejSpCsdsZCmiF";alg="ed25519"
signature: sig1=:DeW+BqtOUUtgb4NKx9mV9MrhVuOgzSO6GfbRWWcbFuqiMFjVJrSVOSw/ntI7GO0JNvGUpsAxUxiGX/USFUWlBQ==:
content-digest: sha-256=:98r7y7hVcmXvMYQqkLeUWtWuLDH5nVWGyRpzSRwKhIc=:
The signature covers the response @status, content-type, content-digest, and your x-request-id.

​
Public key

DFlow’s base58-encoded public key, carried as the keyid in signature-input: 
EZKxYr7bbXHaKAGw2MEpVUU9He3hwXGejSpCsdsZCmiF

​
Verify a response

Verify the signature against the public key above using an RFC 9421 library, which handles rebuilding the signature base from the signed components and checking the content-digest.