Skip to main content
The addresses REST API endpoints return signatures of the address strings and other metadata that prove the address was generated by Anchorage Digital for your organization.
Verify the address signature and all accompanying metadata before using any address. This confirms authenticity and integrity.

Signature schemes

The API supports two address verification schemes. Check the signatureVersion field to determine which applies.

V1 address signature verification

Steps

  1. Verify the signature:
    • Decode addressSignaturePayload from hex to bytes.
    • Decode signature from hex to bytes.
    • Using your organization’s fixed public key, verify that signatureBytes is a valid Ed25519 signature of addressSignaturePayloadBytes.
  2. Verify the signed address matches the address to be used:
    • Decode addressSignaturePayload from hex to bytes.
    • Parse the bytes as JSON.
    • Verify the address matches the TextAddress property in the JSON.
Validating the signature alone is insufficient. You must also confirm that TextAddress in the decoded payload matches the address you intend to use.

V1 signed payload fields

Sample V1 validation code


V2 address signature verification

Addresses with signatureVersion: V2 include a certChain field containing an X.509 certificate chain in PEM format.

Steps

  1. Verify the certificate chain:
    • Parse certChain as PEM-encoded X.509 certificates.
    • Verify the chain from the leaf to the trusted Anchorage Digital Root CA.
    • Verify all certificates are temporally valid (both notAfter and notBefore).
    • Verify the leaf certificate’s Subject Alternative Names include address-provider.anchorage.internal.
    • Verify the leaf certificate’s KeyUsage includes both digitalSignature and nonRepudiation (also known as contentCommitment).
    • Extract the public key from the leaf certificate. Currently only Ed25519 keys are supported, but this may change.
    The leaf certificate is at index 0, followed by zero or more intermediates. The root cert is excluded from the response. The number of certificates in the chain may change. Follow standard X.509 verification procedures — not all libraries perform all checks by default.
  2. Verify the signature:
    • Decode addressSignaturePayload from hex to bytes.
    • Decode signature from hex to bytes.
    • Using the leaf certificate’s public key, verify signatureBytes is a valid signature of the payload bytes.
  3. Verify the signed details:
    • Parse addressSignaturePayload bytes as JSON.
    • Verify SignatureExpiresAt ≥ current UTC Unix timestamp.
    • Verify TextAddress matches the address to be used.
    • Verify VaultId matches your expected Vault ID.
    • Verify NetworkId matches the expected network for this address.
    NetworkName is included for human readability and does not need to be verified. Do not use a “strict” JSON parser that rejects extra properties — future versions may add fields.
    Anchorage Digital periodically refreshes V2 signatures and the Address Signing Root CA before expiration. The deposit address itself will not change — only the signature, certificate chain, and Root CA are updated.

V2 signed payload fields

Anchorage Digital Address Signing Root CAs

Hard-code the appropriate Root CA for the environment you are targeting. This value must be tamper-proof.

Sample V2 validation code