# Supported signing key algorithms

For signature verification, the Investment API supports two signing algorithms. Which one you can use depends on how your signatures are produced:

- **Signed with Upvest signature proxy**: When using our signature proxy, you must use ECDSA signatures over the `P-521` curve with `SHA-512` hashing; no other algorithm is accepted.
- **Generating your own signatures**: If you generate and verify signatures on your side, then you can use either:
  - ECDSA signatures using the `P-521` curve with `SHA-512` hashing.
  - ED25519 signatures using the `Curve25519` curve with `SHA-512` hashing.


### ECDSA

Use the ECDSA algorithm when using our signature proxy or when generating and verifying your own signatures.

The Upvest Investment API only accepts ECDSA signatures that use the `P-521` curve (`secp521r1` in OpenSSL) and `SHA-512` hashes, as described in [RFC 6979](https://datatracker.ietf.org/doc/html/rfc6979).

Private key generation with passphrase protection, as supported by the [HTTP signature proxy](https://github.com/upvestco/httpsignature-proxy):


```sh
openssl ecparam -genkey -name secp521r1 -outform PEM | openssl ec -aes256 -inform PEM -outform PEM -out upvest-investment-api-http-message-signing-key-ecdsa521.priv
```

Make sure to store the private key and the passphrase in a safe place.

Public key extraction:


```sh
openssl pkey -pubout -in upvest-investment-api-http-message-signing-key-ecdsa521.priv > upvest-investment-api-http-message-signing-key-ecdsa521.pub
```

The `upvest-investment-api-http-message-signing-key-ecdsa521.pub` file is the public key which you will submit to Upvest during the API credentials issuance process.

**Less secure** alternative:

Upvest recommends against it, but if you must, you *can* generate the private key without encrypting it. (Also, this is **not** supported by the [HTTP signature proxy](https://github.com/upvestco/httpsignature-proxy).)

Private key generation **without** passphrase protection:


```sh
openssl ecparam -genkey -name secp521r1 -outform PEM -out upvest-investment-api-http-message-signing-key-ecdsa521-unencrypted.priv
```

You can then encrypt it in a separate step after creation:


```sh
openssl ec -aes256 -inform PEM -outform PEM -in upvest-investment-api-http-message-signing-key-ecdsa521-unencrypted.priv -out upvest-investment-api-http-message-signing-key-ecdsa521.priv
```

Public key extraction:


```sh
openssl pkey -pubout -in upvest-investment-api-http-message-signing-key-ecdsa521-unencrypted.priv > upvest-investment-api-http-message-signing-key-ecdsa521.pub
```

### ED25519

When using our signature proxy, you **must** use the ECDSA algorithm.

The ED25519 algorithm is **only** supported if you generate and verify your own signatures.

The ED25519 signing algorithm uses the `Curve25519` curve and `SHA-512` hashing, as specified in [RFC 8032](https://datatracker.ietf.org/doc/html/rfc8032). Note that the `SHA-512` hashing is part of the ED25519 algorithm itself rather than a separate digest step you apply before signing, so tools that pre-hash the message (such as `openssl dgst -sha512 -sign`) do not work with an ED25519 key; `openssl pkeyutl` with `-rawin` signs the raw message instead.

For macOS users, install the latest OpenSSL using Homebrew (or another package
manager of your choice) to be able to generate an ED25519 key pair. The LibreSSL
version that is included in macOS does not support ED25519.


```sh
brew install openssl
/usr/local/opt/openssl@3/bin/openssl version
```

In the following examples, replace `openssl` with `/usr/local/opt/openssl@3/bin/openssl`. (On Apple silicon Macs, Homebrew installs under `/opt/homebrew` instead; `brew --prefix openssl@3` prints the correct prefix for your machine.)

Private key generation with passphrase protection, as supported by the [HTTP signature proxy](https://github.com/upvestco/httpsignature-proxy):


```sh
openssl genpkey -algorithm ed25519 -aes256 -outform PEM -out upvest-investment-api-http-message-signing-key-ed25519.priv
```

Make sure to store the private key and the passphrase in a safe place.

Public key extraction:


```sh
openssl pkey -pubout -in upvest-investment-api-http-message-signing-key-ed25519.priv > upvest-investment-api-http-message-signing-key-ed25519.pub
```

The `upvest-investment-api-http-message-signing-key-ed25519.pub` file is the public key which you will submit to Upvest during the API credentials issuance process.

**Less secure** alternative:

Upvest recommends against it, but if you must, you *can* generate the private key without encrypting it. (Also, this is **not** supported by the [HTTP signature proxy](https://github.com/upvestco/httpsignature-proxy).)

Private key generation **without** passphrase protection:


```sh
openssl genpkey -algorithm ed25519 -outform PEM -out upvest-investment-api-http-message-signing-key-ed25519-unencrypted.priv
```

You can then encrypt it in a separate step after creation:


```sh
openssl pkey -aes256 -inform PEM -outform PEM -in upvest-investment-api-http-message-signing-key-ed25519-unencrypted.priv -out upvest-investment-api-http-message-signing-key-ed25519.priv
```

Public key extraction:


```sh
openssl pkey -pubout -in upvest-investment-api-http-message-signing-key-ed25519-unencrypted.priv > upvest-investment-api-http-message-signing-key-ed25519.pub
```