Download OpenAPI specification:Download
ScriptSig is a bitcoin custody and cosigning service enabling wallet developers to provide an extra layer
of security for their end-users by utilizing multisignature addresses. We differ from other third-party custody services by supplying
public keys directly to your application, giving you full control to create any m-of-n multisignature address instead
of restricting you to using just a 2-of-3 signature scheme.
The ScriptSig API implements the necessary endpoints needed for allowing your application to generate multisignature addresses and to retrieve transaction signatures. We've implemented BIP-174 as a standard way for passing around and cosigning unsigned transactions generated by your application.
Get an extended public key (xpub)
Make a request to the /provision-extended-key-pair endpoint. This will associate a BIP-32 extended key pair with the user's account
and return the extended public key while we secure the extended private key. Your application will then derive public
keys from the xpub and use them when creating P2SH multisignature addresses by combining them with keys generated
by your application and other third-party cosigners if applicable.
Request a transaction to be cosigned
When a signature is needed on a transaction spending from a previously created multisignature address, your
application will send a BIP-174 PSBT to the /cosign endpoint. This will create a cosigning request for this transaction that the
user will then need to approve via the ScriptSig website.
Retrieve signature
Once the cosigning request is approved by the user, you can retrieve the signed PSBT by calling the /view-cosigning-request/{id}
endpoint. Combine the signature provided by ScriptSig with signatures from your application and any other cosigners,
then broadcast the transaction to the Bitcoin network.
We are currently only supporting the PSBT key-value pairs that are necessary to implement the signing for a non-witness, P2SH multisig transaction using extended public keys.
When sending a PSBT to the /cosign endpoint, each input must satisfy either of the following:
There must be at least one input that is signable by ScriptSig.
| PSBT Input Key | |
|---|---|
| 0x00 - PSBT_IN_NON_WITNESS_UTXO | Supported |
| 0x01 - PSBT_IN_WITNESS_UTXO | Not supported yet |
| 0x02 - PSBT_IN_PARTIAL_SIG | Supported |
| 0x03 - PSBT_IN_SIGHASH_TYPE | Supported |
| 0x04 - PSBT_IN_REDEEM_SCRIPT | Supported - MUST be a P2SH multisignature script |
| 0x05 - PSBT_IN_WITNESS_SCRIPT | Not supported yet |
| 0x06 - PSBT_IN_BIP32_DERIVATION | Supported |
| 0x07 - PSBT_IN_FINAL_SCRIPTSIG | Not supported yet |
Currently, output key-value pairs must either be empty, or only specify PSBT_OUT_REDEEM_SCRIPT (0x00) and/or PSBT_OUT_BIP32_DERIVATION (0x02) keys.
| PSBT Output Key | |
|---|---|
| 0x00 - PSBT_OUT_REDEEM_SCRIPT | Supported |
| 0x01 - PSBT_OUT_WITNESS_SCRIPT | Not supported yet |
| 0x02 - PSBT_OUT_BIP32_DERIVATION | Supported |
Only P2SH multisignature scripts are supported for signing by ScriptSig.
All calls to the API must include the following media type in the Accept header: application/json; version=1.
When your end-user creates a ScriptSig account and wishes to connect to your application, they will generate a cryptographically secure API key via their Account Settings.
When your application communicates with ScriptSig on the user's behalf, you'll use HTTP Basic Authentication with an empty password and the API key set as the username.
Given the API key: 24VGVUq43A2tEaQfRbJBWC
The basic authentication credentials should be set to the base64 encoding of 24VGVUq43A2tEaQfRbJBWC:
Authorization: Basic MjRWR1ZVcTQzQTJ0RWFRZlJiSkJXQzo=| Security Scheme Type | HTTP |
|---|---|
| HTTP Authorization Scheme | basic |
Provisions a BIP-32 extended key pair on behalf of the authenticated user. ScriptSig secures the extended private key and returns the corresponding extended public key(s) and the master node identifier as defined by BIP-32.
| Accept required | string Example: application/json; version=1 |
| Authorization required | string Example: Basic MjRWR1ZVcTQzQTJ0RWFRZlJiSkJXQzo= |
| paths | Array of strings [ 1 .. 5 ] items Default: ["M"] BIP-32 derivation paths specifying which xpub keys should be returned. The response object will contain a key for each path and the corresponding xpub key. All paths must begin with and uppercase "M". A maximum of 5 paths are accepted. |
| network | string Default: "mainnet" Enum: "testnet" "mainnet" |
{- "paths": [
- "M",
- "M/44'/0'/0'"
]
}{- "masterNodeId": "2f0c574735015f6595de725eec8c3a9c218dc081",
- "M": "xpub661MyMwAqRbcG2LCGjoznJZKjYg4g17PcYNQFF23mY4YGMiPcpYMtaN8fkaCeVz5L8x4r5tbDnEMtZ7sFhBVuSNgXRrDptcXUMYxsr6zzWD",
- "M/44'/0'/0'": "xpub6DUnfSPhy2mpjMEtt6ZpAzQQBaxHLBzPsnuE3ZQ9Zsmpr1nMM58gBnxdcZ7VKMHVhZDntRuCgLbENdoyqqBNTwVTmbXsn9nLB2mX85PoD2y"
}Accepts a PSBT generated from your application and creates a Cosigning Request for the user to approve via the ScriptSig website.
| Accept required | string Example: application/json; version=1 |
| Authorization required | string Example: Basic MjRWR1ZVcTQzQTJ0RWFRZlJiSkJXQzo= |
| network | string Default: "mainnet" Enum: "testnet" "mainnet" |
| psbt | string <hex> Hex-encoded BIP-174 PSBT |
{- "network": "testnet",
- "psbt": "70736274ff0100550100000001d6950d057ba8614037373b7c621300f61f2651f35df2ed500cfa3af032d2985d0000000000ffffffff01983a0000000000001976a914fbd29008ae30a4ffa3ff885bc6cf314b3f18157988ac00000000000100bd0100000001dba61bee62b98ece4890ba00aa0c91addf1793761ba4c5cd42ad926f3b09aa7d000000006a47304402201e1e231bc9584017bd24f3b9c42bf75d86a52b9098c03c5bcbd07f1c6144fd0f0220283ff4a5a76bac499dd9e7a4da359d926ca12bbe0f38fe4b67b3b388e2d5bf8e012102822beac76f22e749fa43ea0f82690bf8b0fc2b5dbc64a6ddafffb2a0f6eb2b51ffffffff01a08601000000000017a91494a35fe5f156ba4125ebb25af14faed5c9d4458c870000000001030401000000010447512103369f38cc937e758a7f93e06e6620b8dcac323e378be3ef46581a9ecc6e75d24d210252b8359f012218b54e0aee1053555c03ee2383a6b0cef69b81c40b8ccc49ced052ae220603369f38cc937e758a7f93e06e6620b8dcac323e378be3ef46581a9ecc6e75d24d0c71a8eb3000000000000000000000"
}{- "id": "3Sy9TipxUsQA1bcrqwIy3Z"
}View status of cosigning request. If it has been accepted by the user then the response body will contain a PSBT with relevant signatures.
| Accept required | string Example: application/json; version=1 |
| Authorization required | string Example: Basic MjRWR1ZVcTQzQTJ0RWFRZlJiSkJXQzo= |
{- "id": "3Sy9TipxUsQA1bcrqwIy3Z",
- "psbt": "70736274ff0100550100000001d6950d057ba8614037373b7c621300f61f2651f35df2ed500cfa3af032d2985d0000000000ffffffff01983a0000000000001976a914fbd29008ae30a4ffa3ff885bc6cf314b3f18157988ac00000000000100bd0100000001dba61bee62b98ece4890ba00aa0c91addf1793761ba4c5cd42ad926f3b09aa7d000000006a47304402201e1e231bc9584017bd24f3b9c42bf75d86a52b9098c03c5bcbd07f1c6144fd0f0220283ff4a5a76bac499dd9e7a4da359d926ca12bbe0f38fe4b67b3b388e2d5bf8e012102822beac76f22e749fa43ea0f82690bf8b0fc2b5dbc64a6ddafffb2a0f6eb2b51ffffffff01a08601000000000017a91494a35fe5f156ba4125ebb25af14faed5c9d4458c8700000000220203369f38cc937e758a7f93e06e6620b8dcac323e378be3ef46581a9ecc6e75d24d483045022100aa9e5292083fc8e90cab6c15f793c64027ada0a876333f2c87846b7a85435cf6022015b9f851ccae85c9ce2d3404c5eaa2c852f0df76645e403b69112afbe4e07c390101030401000000010447512103369f38cc937e758a7f93e06e6620b8dcac323e378be3ef46581a9ecc6e75d24d210252b8359f012218b54e0aee1053555c03ee2383a6b0cef69b81c40b8ccc49ced052ae220603369f38cc937e758a7f93e06e6620b8dcac323e378be3ef46581a9ecc6e75d24d0c71a8eb3000000000000000000000",
- "network": "testnet",
- "status": "approved",
- "createdDateTime": "2020-05-21T19:15:50Z",
- "approvedDateTime": "2020-05-21T23:11:44Z"
}