sig/post

session required
POST
https://keybase.io/_/api/1.0/sig/post.json
SAMPLE PARAMS
sig : "----- BEGIN PGP MESSAGE ----- ..."
remote_username : "maxtaco"          # Or "remote_hostname" if a generic web site
type : "web_service_binding.twitter" # "web_service_binding.generic"
SAMPLE OUTPUT
{
   "status" : {
      "code" : 0,
      "name" : "OK"
   },
  "proof_text": "Verifying myself: I am maxtaco on Key...",
  "sig_id": "2232c5e872bce853606daae410ea3516999539c79...",
  "proof_id": "24be5e265b1ff1be02a70310",
  "payload_hash": "c450220f5235fcb646a66dfb4225dd65334...",
  "csrf_token": "lgHZIDVhMjYwOTQ3OTM5OGNhODljYzRhNzQ1M..."
}

sig/post

Post a signature announcement to the server. Signature types supported: proofs (Twitter, GitHub, Reddit, Hacker News, generic web sites, etc.), key self-signatures, and bitcoin address announcements.

Signature Payload

The payload of the signature contains the usual elements of other Keybase signatures. It's easiest to see the fields by example:

{
   "body" : {
      "client" : {
        "name" : "keybase.io web",
        "version" : "0.0.2"
      },
      "key" : {
         "host" : "keybase.io",
         "kid" : "01013e38849abc98273491a2...",
         "uid" : "8f92574deebe4e7fde4aa9b7...",
         "username" : "max",
      },
       "service" : {
         "name" : "twitter",
         "username" : "maxtaco"
      },
      "type" : "web_service_binding",
      "version" : 1,
   },
   "ctime" : 1396309471,
   "expire_in" : 157680000,
   "seqno" : 4,
   "prev" : "4ca4ce5d632a9cbcb7eb67a18a107...",
   "tag" : "signature"
}

All signature packets should have a ctime, expire_in, prev, seqno, tag, and body at the top level. The first two fields contain the creation time (in UTC) and an expiration in seconds. The prev and seqno point to the previous public signature the user made; see the sig/next_seqno endpoint for a convenient way to retrieve these from the server. The tag field is set for all signatures to be "signature". In the future, there might be other payload tag types.

The body object contains the meat of what is being signed:

  • body.client --- Optional, for the user to keep track of which client generated the signature.
  • body.key --- Mandatory, a description of the key and user signing the object.
  • body.service --- Mandatory for Twitter, Github and generic web site verifications. For Twitter and GitHub, the service object is as shown. For web sites, the service object contains two name-value pairs for protocol and hostname.
  • body.type --- For positive proofs of Web identities, this field is always "web_service_binding".
  • body.version --- Always 1, for now.

This JSON object should be sorted, and then signed with the referenced key, and then PGP-armored. The result is sent to the server in the sig param.

The output of the call is a JSON object, containing the proof text that should be posted, the internal IDs of the signature and proof, and the hash of the PGP signature's payload (ignoring header comments and checksum). The other fields are standards.


Pssst, we're hiring.