---
title: Key Management API
description: "Use the Key Management API to create and retrieve keypairs that are required when adding digital signatures to selected eBay API calls. The signing\\_key resource lets developers create new signing keypairs, retrieve a specific signing keypair by ID, and retrieve metadata for all signing keypairs associated with the application key making the call. The Key Management API is used for APIs that access confidential financial information and require a digital signature for HTTP calls made on behalf of EU/UK sellers."
api_version: v1.0.0
api_name: key_management_api
api_type: REST
api_group: sell/key_management_api
source_url:
  html: https://developer.ebay.com/develop/api/sell/key_management_api
  md: https://developer.ebay.com/develop/api/sell/key_management_api.md
---

# Key Management API

Use the Key Management API to create and retrieve keypairs that are required when adding digital signatures to selected eBay API calls.

The signing\_key resource lets developers create new signing keypairs, retrieve a specific signing keypair by ID, and retrieve metadata for all signing keypairs associated with the application key making the call.

The Key Management API is used for APIs that access confidential financial information and require a digital signature for HTTP calls made on behalf of EU/UK sellers.

## API Information

**Title:** Key Management API
**Version:** v1.0.0
**Description:** Due to regulatory requirements applicable to our EU/UK sellers, for certain APIs, developers need to add digital signatures to the respective HTTP call. The Key Management API creates keypairs that are required when creating digital signatures for the following APIs:

*   All methods in the [Finances API](/develop/api/sell/finances_api)
*   [issueRefund](/api-docs/sell/fulfillment/resources/order/methods/issueRefund) in the Fulfillment API
*   [GetAccount](/Devzone/XML/docs/Reference/eBay/GetAccount.html) in the Trading API
*   The following methods in the Post-Order API:
    *   [Issue Inquiry Refund](/Devzone/post-order/post-order_v2_inquiry-inquiryid_issue_refund__post.html)
    *   [Issue case refund](/Devzone/post-order/post-order_v2_casemanagement-caseid_issue_refund__post.html)
    *   [Issue return refund](/Devzone/post-order/post-order_v2_return-returnid_issue_refund__post.html)
    *   [Process Return Request](/Devzone/post-order/post-order_v2_return-returnid_decide__post.html)
    *   [Approve Cancellation Request](/devzone/post-order/post-order_v2_cancellation-cancelid_approve__post.html)
    *   [Create Cancellation Request](/devzone/post-order/post-order_v2_cancellation__post.html)

**Note:** For additional information about keypairs and creating Message Signatures, refer to [Digital Signatures for APIs](/develop/guides/digital-signatures-for-apis).

**Base Path:** /developer/key_management/v1

## API Methods

The following API methods are available:

### getSigningKeys

#### GET /signing_key
**Description:** This method returns the **Public Key**, **Public Key as JWE**, and metadata for all keypairs associated with the application key making the call.  
  
**Note:** `privateKey` values are **not** returned. To further ensure the security of confidential client information, eBay does **not** store `privateKey` values in any system. If a developer loses their `privateKey`, they must generate a new keypair set using the `createSigningKey` method.

**OAuth scope**

This request requires an access token created with the **Client Credentials Grant** flow, using one or more scopes from the following list (please check your Application Keys page for a list of OAuth scopes available to your application):

**Required Scopes:**

**Client Credentials Grant:**

- `https://api.ebay.com/oauth/api_scope`


### createSigningKey

#### POST /signing_key
**Description:** This method creates keypairs using one of the following ciphers:

*   ED25519 (Edwards Curve)
*   RSA

**Note:** The recommended signature cipher is **ED25519** (Edwards Curve) since it uses much shorter keys and therefore decreases the header size. However, for development frameworks that do not support ED25519, RSA is also supported.

After the call completes successfully, the following keys are returned:

*   Private Key
*   Public Key
*   Public Key as JWE

Once keypairs are created, developers are **strongly advised** to create and store a local copy of each keypair for future reference. Although the **Public Key**, **Public Key as JWE**, and metadata for keypairs may be retrieved by the `getSigningKey` and `getSigningKeys` methods, in order to further ensure the security of confidential client information, eBay does not store the **Private Key** value in any system. If a developer loses their **Private Key** they must generate new keypairs using the `createSigningKey` method.  
**Note:** For additional information about using keypairs, refer to [Digital Signatures for APIs](/develop/guides/digital-signatures-for-apis).

**Parameters:**
- **Content-Type** (string) *required*
  - This header indicates the format of the request body provided by the client. Its value should be set to **application/json**. For more information, refer to [HTTP request headers](/develop/guides-v2/using-ebay-restful-apis#request-components).

**OAuth scope**

This request requires an access token created with the **Client Credentials Grant** flow, using one or more scopes from the following list (please check your Application Keys page for a list of OAuth scopes available to your application):

**Required Scopes:**

**Client Credentials Grant:**

- `https://api.ebay.com/oauth/api_scope`
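
Because the `privateKey` is returned only by `createSigningKey` and cannot be retrieved later, the response has to be persisted carefully the moment it arrives. The following is an added example, not eBay code: it writes the key to an owner-only file that is never overwritten and keeps the key out of the stored metadata. The `<signingKeyId>.pem` file layout, the function names, the `PRIVATE KEY` armor label, and the sample response (built from the `SigningKey` fields) are assumptions.

```python
import base64
import json
import os
import textwrap

# Constructed sample shaped like the SigningKey type; every value is a placeholder.
SAMPLE_RESPONSE = {
    "signingKeyId": "constructed-key-id-0001",
    "signingKeyCipher": "ED25519",
    "creationTime": 1700000000,
    "expirationTime": 1794608000,
    "publicKey": "constructed-public-key",
    "jwe": "constructed.jwe.value",
    "privateKey": base64.b64encode(b"constructed-not-a-real-key").decode(),
}

def to_pem(private_key, label="PRIVATE KEY"):
    """Return PEM text. Assumption: a value without armor is a bare base64 body."""
    if "-----BEGIN" in private_key:
        return private_key.strip() + "\n"
    body = "".join(private_key.split())
    base64.b64decode(body, validate=True)  # raises if the value is not base64
    lines = "\n".join(textwrap.wrap(body, 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"

def store_signing_key(response, key_dir):
    """Write privateKey once with mode 0600; return the metadata without it."""
    key_id = response["signingKeyId"]
    if not key_id.replace("-", "").isalnum():  # the ID becomes a file name
        raise ValueError("unexpected characters in signingKeyId")
    pem = to_pem(response["privateKey"])  # validate before touching the disk
    os.makedirs(key_dir, mode=0o700, exist_ok=True)
    pem_path = os.path.join(key_dir, key_id + ".pem")
    # O_EXCL fails instead of overwriting an existing key; 0o600 is owner-only.
    fd = os.open(pem_path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(pem)
        fh.flush()
        os.fsync(fh.fileno())
    # Keep privateKey out of the metadata file and out of the return value.
    meta = {k: v for k, v in response.items() if k != "privateKey"}
    with open(os.path.join(key_dir, key_id + ".json"), "w") as fh:
        json.dump(meta, fh, indent=2)
    return meta
```
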


### getSigningKey

#### GET /signing_key/{signing_key_id}
**Description:** This method returns the **Public Key**, **Public Key as JWE**, and metadata for a specified `signingKeyId` associated with the application key making the call.  
  
**Note:** The `privateKey` value is **not** returned. To further ensure the security of confidential client information, eBay does **not** store the `privateKey` value in any system. If a developer loses their `privateKey`, they must generate new keypairs using the `createSigningKey` method.

**Parameters:**
- **signing_key_id** (string) *required*
  - The system-generated eBay ID of the keypairs being requested.

**OAuth scope**

This request requires an access token created with the **Client Credentials Grant** flow, using one or more scopes from the following list (please check your Application Keys page for a list of OAuth scopes available to your application):

**Required Scopes:**

**Client Credentials Grant:**

- `https://api.ebay.com/oauth/api_scope`


## Error Codes

The following error codes may be returned by this API:

### REQUEST Errors

#### 210005 - API_KEYS
**Description:** You must request with a token having valid application client id.

#### 210001 - API_KEYS
**Description:** You must supply a valid signing key cipher. Allowed values are ED25519 and RSA.

#### 210006 - API_KEYS
**Description:** You must request for new signing key with valid request payload.

#### 210002 - API_KEYS
**Description:** The signing key with id {signingKeyId} was not found.

### APPLICATION Errors

#### 210000 - API_KEYS
**Description:** There was a problem with an eBay internal system or process. Contact eBay developer support for assistance.

## Types

### CreateSigningKeyRequest
**Description:** This request creates a new signing key.
**Type:** object

**Properties:**
- **signingKeyCipher** (SigningKeyCipher)
  - The enumerated value for the cipher to be used to create the signing key. Refer to **SigningKeyCipher** for the list of supported enum values.

### QuerySigningKeysResponse
**Description:** This container stores metadata information for all keypairs that are owned by a user.
**Type:** object

**Properties:**
- **signingKeys** (array)
  - An array of metadata information for keypairs owned by a user.

### SigningKey
**Description:** This container stores metadata for a signing key.
**Type:** object

**Properties:**
- **creationTime** (integer)
  - The UNIX timestamp when the `SigningKey` was created. This time is represented as the number of seconds from "1970-01-01T00:00:00Z", as measured in UTC, until the date and time the `SigningKey` was created.
- **expirationTime** (integer)
  - The UNIX timestamp when the `SigningKey` expires. This time is represented as the number of seconds from "1970-01-01T00:00:00Z", as measured in UTC, until the date and time the `SigningKey` expires.

    **Note:** All keys have an expiration date of three (3) years after their `creationTime`.
- **jwe** (string)
  - This is the JSON Web Encrypted (JWE) value for the `publicKey`.
- **privateKey** (string)
  - This is the Private Key that has been generated using the specified `signingKeyCipher`.

    **Note:** The `privateKey` value will **only** be returned in the response payload of the `createSigningKey` method. It will _never_ be returned by the `getSigningKey` or `getSigningKeys` methods.

    Developers are **strongly advised** to download their `privateKey` value in Privacy Enhanced Mail (PEM) format and store it locally for future reference. In order to guarantee the security of confidential client information, eBay does not store `privateKey` values on any system.

    **Note:** If a developer loses their `privateKey`, they must generate a new keypair set using the `createSigningKey` method.
- **publicKey** (string)
  - This is the Public Key that has been generated using the specified `signingKeyCipher`.

    As a matter of good practice, developers are **strongly advised** to download this value and store it locally for safe-keeping and future reference.
- **signingKeyCipher** (SigningKeyCipher)
  - Indicates the cipher used to create the keypairs. Refer to **SigningKeyCipher** for the list of supported enum values.
- **signingKeyId** (string)
  - The system-generated eBay ID for the keypairs.
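
Since keys expire three years after `creationTime` and a lost `privateKey` cannot be recovered, it is worth periodically checking the `getSigningKeys` metadata against the private keys held locally. The following is an added example, not eBay code: it classifies each key as usable, expiring, expired, or missing its local private key. The `<signingKeyId>.pem` file layout, the function names, the 90-day warning window, and the sample response are assumptions.

```python
import os
import time

DAY = 86400

# Constructed QuerySigningKeysResponse; IDs and timestamps are placeholders.
SAMPLE_KEYS = {"signingKeys": [
    {"signingKeyId": "key-a", "signingKeyCipher": "ED25519",
     "creationTime": 1700000000, "expirationTime": 1794608000},
    {"signingKeyId": "key-b", "signingKeyCipher": "RSA",
     "creationTime": 1610000000, "expirationTime": 1704608000},
    {"signingKeyId": "key-c", "signingKeyCipher": "ED25519",
     "creationTime": 1780000000, "expirationTime": 1874608000},
]}

def audit_signing_keys(query_response, key_dir, now=None, warn_days=90):
    """Map each signingKeyId to ok / expiring / expired / private_key_missing."""
    now = time.time() if now is None else now
    report = {}
    for key in query_response.get("signingKeys", []):
        key_id = key["signingKeyId"]
        # Hypothetical layout: the private key was saved as <signingKeyId>.pem.
        has_private = os.path.isfile(os.path.join(key_dir, key_id + ".pem"))
        remaining = key["expirationTime"] - now
        if remaining <= 0:
            status = "expired"
        elif not has_private:
            # The API never returns privateKey again, so this key cannot sign.
            status = "private_key_missing"
        elif remaining <= warn_days * DAY:
            status = "expiring"
        else:
            status = "ok"
        report[key_id] = status
    return report

def needs_new_key(report):
    """True when no key can sign today, so createSigningKey must be called."""
    return not any(s in ("ok", "expiring") for s in report.values())
```
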

### SigningKeyCipher
**Description:** This enumerated type lists the supported ciphers that can be used when creating new keypairs.

- **ED25519**: Represents the Ed25519 algorithm as specified in [RFC 8032](https://www.rfc-editor.org/rfc/rfc8032).
- **RSA**: Represents the RSASSA-PKCS1-v1\_5 algorithm as specified in [RFC 3447](https://www.rfc-editor.org/rfc/rfc3447).

**Type:** string

## Rate Limits

See [API Call Limits](https://developer.ebay.com/develop/get-started/api-call-limits) on the eBay Developer Program.

## Resources

### Documentation

- [eBay Developer Program](https://developer.ebay.com/)
- [API Documentation](https://developer.ebay.com/develop/api/)
- [SDKs and Widgets](https://developer.ebay.com/develop/sdks-and-widgets)
- [Developer Community Forum](https://community.ebay.com/t5/Developer-Groups/ct-p/developergroup)

### Tools

- [API Explorer](https://developer.ebay.com/my/api_test_tool)
- [GraphQL Explorer](https://developer.ebay.com/my/graphql_explorer)

### Support

- [Developer Support](https://developer.ebay.com/support/)
- [API Status](https://developer.ebay.com/support/api-status)
- [Release Notes](https://developer.ebay.com/develop/api/release_notes/)

---
*Generated on 2026-06-17T08:55:08.776Z*