Create a delegated signing key

Delegate Spark token-transaction signing authority for a card backed by an Embedded Wallet internal account to a Grid-custodied P-256 API key. Grid derives the wallet funding account from the card’s funding sources, generates the keypair server-side, creates a non-root Turnkey user holding the public key, then a policy granting that user signing authority. The private key is custodied by Grid and never returned. Both activities must be authorized by the wallet owner, so creation is a three-leg signed-retry flow:

1. Call POST /auth/delegated-keys with no signature headers. Grid generates the delegated keypair and the response is 202 with a payloadToSign, requestId, and expiresAt.

2. Use the session API keypair of a verified credential on the card’s Embedded Wallet funding account to build an API-key stamp over payloadToSign, then retry the same request with that full stamp as the Grid-Wallet-Signature header and the requestId echoed back as the Request-Id header. The response is a second 202 with a new payloadToSign, requestId, and expiresAt.

3. Stamp the new payloadToSign with the same session keypair and retry once more with the new Request-Id. The signed retry returns 201 with the created DelegatedKey in ACTIVE status.

The same request body must be sent on all three legs. A flow abandoned after the second leg leaves the key in PENDING status: the delegated user exists but holds no policy, so it cannot sign. After activation, Grid uses the custodied key to authorize signing for that card’s Embedded Wallet funding account in place of a session keypair; the platform never handles the key material.

Each card may have at most one non-revoked delegated key (ACTIVE or PENDING) for its Embedded Wallet funding account; revoke the existing key before creating a new one. A delegated key authorizes raw-payload signing for the wallet and cannot be scoped to amounts or recipients by Turnkey. Revoke it with DELETE /auth/delegated-keys/{id} when no longer needed.