
# Sign with a private key. The key must be asymmetric and have the `SIGN` key operation enabled.

> Note: Signing prehashed data with LMS keys

When creating an LMS signature, the first step is to hash the message
with a prefix that is unknown to the caller (see RFC 8554, Algorithm 3).
Because the caller cannot precompute this value, DSM follows different
semantics for prehashed data with LMS keys: when the `hash` field is
used, DSM checks the length of the digest and then feeds it as raw data
into LMS signature generation.

Consequently, if you hash your data using an algorithm such as SHA256
and then supply this digest to the LMS signing API (putting prehashed
data in the `hash` field), DSM treats the provided digest as the raw
message to be signed. The signature must therefore be verified with the
digest bytes as the message, not with the original data.

## OpenAPI

````json POST /crypto/v1/sign
{
  "openapi": "3.0.0",
  "info": {
    "title": "Fortanix DSM REST API",
    "description": "This is a set of REST APIs for accessing the Fortanix Data Security Manager. This includes APIs for managing accounts, and for performing cryptographic and key management operations. \n\n **Note:** \n- All binary input should be base64-encoded. These fields are marked with `format: byte`. \n- For forward compatibility, any API client is expected to ignore any fields in the response not explicitly mentioned in the documentation. We reserve the right to add new fields at any time to provide new functionality without affecting existing API clients.",
    "termsOfService": "https://www.fortanix.com/legal/terms/",
    "contact": {
      "name": "Fortanix Support",
      "url": "https://support.fortanix.com/",
      "email": "support@fortanix.com"
    },
    "license": {
      "name": "Apache 2.0",
      "url": "http://www.apache.org/licenses/LICENSE-2.0.html"
    },
    "version": "0.1.0-20260526"
  },
  "servers": [
    {
      "url": "https://amer.smartkey.io"
    }
  ],
  "paths": {
    "/crypto/v1/sign": {
      "post": {
        "operationId": "Sign",
        "tags": [
          "Crypto"
        ],
        "security": [
          {
            "bearerToken": []
          },
          {
            "apiKeyAuth": []
          }
        ],
        "summary": "Sign with a private key. The key must be asymmetric and have the `SIGN`\nkey operation enabled.",
        "description": "Note: Signing prehashed data with LMS keys\n\nWhen creating an LMS signature, the first step is to hash the message\nwith a prefix that is unknown to the caller (see RFC8554, algorithm 3).\nAs the caller cannot precompute this value, DSM follows different\nsemantics for prehashed data. Namely, when the hash field is used, DSM\nwill check the length of the digest and then feed it as raw data for the\nLMS signature generation.\n\nConsequently, if you hash your data using an algorithm such as SHA256\nand then supply this digest to the LMS signing API (putting prehashed\ndata in the `hash` field), DSM interprets the provided digest as raw\ndata, and verification of the signature should be conducted accordingly.",
        "requestBody": {
          "required": true,
          "content": {
            "application/json": {
              "schema": {
                "$ref": "#/components/schemas/SignRequest"
              }
            }
          }
        },
        "responses": {
          "2XX": {
            "description": "Success result",
            "content": {
              "application/json": {
                "schema": {
                  "$ref": "#/components/schemas/SignResponse"
                }
              }
            }
          }
        }
      }
    }
  },
  "components": {
    "schemas": {
      "SignRequest": {
        "allOf": [
          {
            "type": "object",
            "description": "Request to sign data (or hashed data) using an asymmetric key.",
            "properties": {
              "key": {
                "$ref": "#/components/schemas/SobjectDescriptor"
              },
              "hash_alg": {
                "$ref": "#/components/schemas/DigestAlgorithm"
              },
              "hash": {
                "type": "string",
                "format": "byte",
                "description": "Hashed data to be signed. Either `hash` or `data` should be specified;\nit is an error to specify both or none.\nHash should be base64 encoded."
              },
              "data": {
                "type": "string",
                "format": "byte",
                "description": "Data to be signed. Either `hash` or `data` should be specified; it is\nan error to specify both or none.\nData should be base64 encoded."
              },
              "mode": {
                "$ref": "#/components/schemas/SignatureMode"
              },
              "deterministic_signature": {
                "type": "boolean",
                "nullable": true,
                "description": "Whether signatures should be deterministic. Defaults to false. If\nspecified, the value must be compatible with the key's settings."
              },
              "context": {
                "type": "string",
                "format": "byte",
                "description": "The context parameter to be provided to the sign algorithm.\n\nCurrently only ML-DSA keys accept a context parameter;\nthis parameter must not be specified for any other key types."
              }
            }
          }
        ]
      },
      "SignResponse": {
        "allOf": [
          {
            "type": "object",
            "description": "Response of a signing request.",
            "properties": {
              "kid": {
                "type": "string",
                "format": "uuid",
                "nullable": true,
                "description": "The ID of the key used for signing. Returned for non-transient keys"
              },
              "signature": {
                "type": "string",
                "format": "byte",
                "description": "The signature computed for the supplied `data` or `hash`, base64 encoded."
              }
            },
            "required": [
              "signature"
            ]
          }
        ]
      },
      "SobjectDescriptor": {
        "description": "Uniquely identifies a persisted or transient sobject.",
        "oneOf": [
          {
            "title": "SobjectDescriptorVariantKid",
            "type": "object",
            "properties": {
              "kid": {
                "type": "string",
                "format": "uuid"
              }
            },
            "required": [
              "kid"
            ]
          },
          {
            "title": "SobjectDescriptorVariantName",
            "type": "object",
            "properties": {
              "name": {
                "type": "string",
                "maxLength": 4096,
                "pattern": "^[^\\n]*[^\\s\\n][^\\n]*$"
              }
            },
            "required": [
              "name"
            ]
          },
          {
            "title": "SobjectDescriptorVariantTransientKey",
            "type": "object",
            "properties": {
              "transient_key": {
                "type": "string",
                "format": "byte"
              }
            },
            "required": [
              "transient_key"
            ]
          },
          {
            "title": "SobjectDescriptorVariantInline",
            "type": "object",
            "properties": {
              "inline": {
                "$ref": "#/components/schemas/SobjectDescriptorInline"
              }
            },
            "required": [
              "inline"
            ]
          }
        ]
      },
      "DigestAlgorithm": {
        "description": "A hash algorithm.",
        "type": "string",
        "enum": [
          "BLAKE2B256",
          "BLAKE2B384",
          "BLAKE2B512",
          "BLAKE2S256",
          "RIPEMD160",
          "SSL3",
          "SHA1",
          "SHA224",
          "SHA256",
          "SHA384",
          "SHA512",
          "STREEBOG256",
          "STREEBOG512",
          "SHA3_224",
          "SHA3_256",
          "SHA3_384",
          "SHA3_512"
        ]
      },
      "SignatureMode": {
        "description": "Signature mechanism",
        "oneOf": [
          {
            "$ref": "#/components/schemas/RsaSignaturePadding"
          },
          {
            "$ref": "#/components/schemas/MlDsaMode"
          }
        ]
      },
      "SobjectDescriptorInline": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "value": {
                "type": "string",
                "format": "byte"
              },
              "obj_type": {
                "$ref": "#/components/schemas/ObjectType"
              }
            },
            "required": [
              "value",
              "obj_type"
            ]
          }
        ]
      },
      "RsaSignaturePadding": {
        "description": "Type of padding to use for RSA signatures. The padding specified must adhere to the key's\nsignature policy. If not specified, the default based on the key's policy will be used.",
        "oneOf": [
          {
            "title": "RsaSignaturePaddingVariantPss",
            "type": "object",
            "properties": {
              "PSS": {
                "$ref": "#/components/schemas/RsaSignaturePaddingPss"
              }
            },
            "required": [
              "PSS"
            ]
          },
          {
            "title": "RsaSignaturePaddingVariantPkcs1V15",
            "type": "object",
            "properties": {
              "PKCS1_V15": {
                "type": "object",
                "properties": {}
              }
            },
            "required": [
              "PKCS1_V15"
            ]
          }
        ]
      },
      "MlDsaMode": {
        "oneOf": [
          {
            "$ref": "#/components/schemas/MlDsaModeVariantPure"
          },
          {
            "$ref": "#/components/schemas/MlDsaModeVariantPreHash"
          },
          {
            "$ref": "#/components/schemas/MlDsaModeVariantExternalMu"
          }
        ],
        "discriminator": {
          "propertyName": "variant",
          "mapping": {
            "PURE": "MlDsaModeVariantPure",
            "PRE_HASH": "MlDsaModeVariantPreHash",
            "EXTERNAL_MU": "MlDsaModeVariantExternalMu"
          }
        }
      },
      "ObjectType": {
        "description": "Type of security object.",
        "type": "string",
        "enum": [
          "AES",
          "ARIA",
          "DES",
          "DES3",
          "SEED",
          "RSA",
          "DSA",
          "EC",
          "KCDSA",
          "ECKCDSA",
          "BIP32",
          "SLIP10",
          "BLS",
          "OPAQUE",
          "HMAC",
          "LEDABETA",
          "ROUND5BETA",
          "SECRET",
          "LMS",
          "XMSS",
          "MLDSA",
          "MLDSABETA",
          "MLKEM",
          "MLKEMBETA",
          "CERTIFICATE",
          "PBE"
        ]
      },
      "RsaSignaturePaddingPss": {
        "allOf": [
          {
            "type": "object",
            "description": "Probabilistic Signature Scheme (PKCS#1 v2.1).",
            "properties": {
              "mgf": {
                "$ref": "#/components/schemas/Mgf"
              }
            },
            "required": [
              "mgf"
            ]
          }
        ]
      },
      "MlDsaModeVariantPure": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "variant": {
                "type": "string",
                "enum": [
                  "PURE"
                ]
              }
            },
            "required": [
              "variant"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "MlDsaModeVariantPreHash": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "variant": {
                "type": "string",
                "enum": [
                  "PRE_HASH"
                ]
              }
            },
            "required": [
              "variant"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "MlDsaModeVariantExternalMu": {
        "allOf": [
          {
            "type": "object",
            "properties": {
              "variant": {
                "type": "string",
                "enum": [
                  "EXTERNAL_MU"
                ]
              }
            },
            "required": [
              "variant"
            ]
          },
          {
            "type": "object",
            "properties": {}
          }
        ]
      },
      "Mgf": {
        "description": "Specifies the Mask Generating Function (MGF) to use.",
        "oneOf": [
          {
            "title": "MgfVariantMgf1",
            "type": "object",
            "properties": {
              "mgf1": {
                "$ref": "#/components/schemas/MgfMgf1"
              }
            },
            "required": [
              "mgf1"
            ]
          }
        ]
      },
      "MgfMgf1": {
        "allOf": [
          {
            "type": "object",
            "description": "MGF1 algorithm",
            "properties": {
              "hash": {
                "$ref": "#/components/schemas/DigestAlgorithm"
              }
            },
            "required": [
              "hash"
            ]
          }
        ]
      }
    }
  }
}
````

