sign - sign
Creates a signature from a digest using the specified key.
The SIGN operation is applicable to asymmetric and symmetric keys stored in Azure Key Vault since this operation uses the private portion of the key. This operation requires the keys/sign permission.
POST {vaultBaseUrl}/keys/{key-name}/{key-version}/sign?api-version=2025-07-01
URI Parameters
| Name | In | Required | Type | Description |
|---|---|---|---|---|
| key-name | path | True | string | The name of the key. |
| key-version | path | True | string | The version of the key. |
| vaultBaseUrl | path | True | string (uri) | |
| api-version | query | True | string, minLength: 1 | The API version to use for this operation. |
Request Body
| Name | Required | Type | Description |
|---|---|---|---|
| alg | True | | The signing/verification algorithm identifier. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm. |
| value | True | string (base64url) | The value to operate on. |
Responses
| Name | Type | Description |
|---|---|---|
| 200 OK | | The request has succeeded. |
| Other Status Codes | | An unexpected error response. |
Security
OAuth2Auth
Type: oauth2
Flow: implicit
Authorization URL: https://login.microsoftonline.com/common/oauth2/authorize
Scopes
| Name | Description |
|---|---|
| https://vault.azure.net/.default | |
Examples
Sign
Sample request
```http
POST https://myvault.vault.azure.net//keys/testkey/9885aa558e8d448789683188f8c194b0/sign?api-version=2025-07-01

{
  "alg": "RS512",
  "value": "RUE3Nzg4NTQ4QjQ5RjFFN0U2NzAyQzhDNEMwMkJDOTA1MTYyOTUzNjI5NDhBNzZDQTlFOTM1NDA2M0ZGMjk2Mg"
}
```
Sample response
```json
{
  "kid": "https://myvault.vault.azure.net/keys/testkey/9885aa558e8d448789683188f8c194b0",
  "value": "aKFG8NXcfTzqyR44rW42484K_zZI_T7zZuebvWuNgAoEI1gXYmxrshp42CunSmmu4oqo4-IrCikPkNIBkHXnAW2cv03Ad0UpwXhVfepK8zzDBaJPMKVGS-ZRz8CshEyGDKaLlb3J3zEkXpM3RrSEr0mdV6hndHD_mznLB5RmFui5DsKAhez4vUqajgtkgcPfCekMqeSwp6r9ItVL-gEoAohx8XMDsPedqu-7BuZcBcdayaPuBRL4wWoTDULA11P-UN_sJ5qMj3BbiRYhIlBWGR04wIGfZ3pkJjHJUpOvgH2QajdYPzUBauOCewMYbq9XkLRSzI_A7HkkDVycugSeAA"
}
```
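Because the operation signs a digest rather than the message itself, the caller hashes the data first and sends the base64url-encoded digest in `value`. The Python below is an added example, not part of the original reference or of any Microsoft SDK; the helper names are hypothetical, it assumes the digest length must match the hash named by `alg`, and it covers only the asymmetric algorithms without making any network call.

```python
import base64
import hashlib

# Hash implied by each asymmetric algorithm in the table on this page.
# HS* and RSNULL are left out of this example on purpose.
ALG_HASH = {
    "RS256": "sha256", "PS256": "sha256", "ES256": "sha256", "ES256K": "sha256",
    "RS384": "sha384", "PS384": "sha384", "ES384": "sha384",
    "RS512": "sha512", "PS512": "sha512", "ES512": "sha512",
}


def b64url_encode(data: bytes) -> str:
    """base64url without '=' padding, as in the sample request."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Decode unpadded base64url, restoring the padding first."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_sign_body(alg: str, message: bytes) -> dict:
    """Hash the message locally and return the JSON body for the sign call."""
    if alg not in ALG_HASH:
        raise ValueError(f"algorithm not allowed: {alg}")
    digest = hashlib.new(ALG_HASH[alg], message).digest()
    return {"alg": alg, "value": b64url_encode(digest)}


def check_sign_body(body: dict) -> int:
    """Return the decoded length of 'value'; raise if it does not fit 'alg'."""
    alg = body.get("alg")
    if alg not in ALG_HASH:
        raise ValueError(f"algorithm not allowed: {alg}")
    raw = b64url_decode(body["value"])
    expected = hashlib.new(ALG_HASH[alg]).digest_size
    if len(raw) != expected:
        raise ValueError(f"{alg} expects {expected} bytes, got {len(raw)}")
    return len(raw)


# The sample request body from this page: 64 bytes for RS512.
PAGE_SAMPLE = {
    "alg": "RS512",
    "value": "RUE3Nzg4NTQ4QjQ5RjFFN0U2NzAyQzhDNEMwMkJDOTA1MTYyOTUzNjI5NDhBNzZDQTlFOTM1NDA2M0ZGMjk2Mg",
}

if __name__ == "__main__":
    print(check_sign_body(PAGE_SAMPLE))
    print(build_sign_body("ES256", b"constructed release manifest"))
```

Running `check_sign_body` on a request before it leaves the client catches an `alg` and digest mismatch, or an algorithm outside the allowlist, without spending a call against the vault.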
Definitions
| Name | Description |
|---|---|
| Error | |
| JsonWebKeySignatureAlgorithm | The signing/verification algorithm identifier. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm. |
| KeyOperationResult | The key operation result. |
| KeySignParameters | The key operations parameters. |
| KeyVaultError | The key vault error exception. |
Error
| Name | Type | Description |
|---|---|---|
| code | string | The error code. |
| innererror | | The key vault server error. |
| message | string | The error message. |
JsonWebKeySignatureAlgorithm
The signing/verification algorithm identifier. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm.
| Value | Description |
|---|---|
| PS256 | RSASSA-PSS using SHA-256 and MGF1 with SHA-256, as described in https://tools.ietf.org/html/rfc7518 |
| PS384 | RSASSA-PSS using SHA-384 and MGF1 with SHA-384, as described in https://tools.ietf.org/html/rfc7518 |
| PS512 | RSASSA-PSS using SHA-512 and MGF1 with SHA-512, as described in https://tools.ietf.org/html/rfc7518 |
| RS256 | RSASSA-PKCS1-v1_5 using SHA-256, as described in https://tools.ietf.org/html/rfc7518 |
| RS384 | RSASSA-PKCS1-v1_5 using SHA-384, as described in https://tools.ietf.org/html/rfc7518 |
| RS512 | RSASSA-PKCS1-v1_5 using SHA-512, as described in https://tools.ietf.org/html/rfc7518 |
| HS256 | HMAC using SHA-256, as described in https://tools.ietf.org/html/rfc7518 |
| HS384 | HMAC using SHA-384, as described in https://tools.ietf.org/html/rfc7518 |
| HS512 | HMAC using SHA-512, as described in https://tools.ietf.org/html/rfc7518 |
| RSNULL | Reserved |
| ES256 | ECDSA using P-256 and SHA-256, as described in https://tools.ietf.org/html/rfc7518 |
| ES384 | ECDSA using P-384 and SHA-384, as described in https://tools.ietf.org/html/rfc7518 |
| ES512 | ECDSA using P-521 and SHA-512, as described in https://tools.ietf.org/html/rfc7518 |
| ES256K | ECDSA using P-256K and SHA-256, as described in https://tools.ietf.org/html/rfc7518 |
KeyOperationResult
The key operation result.
| Name | Type | Description |
|---|---|---|
| aad | string (base64url) | Additional data to authenticate but not encrypt/decrypt when using authenticated crypto algorithms. |
| iv | string (base64url) | Cryptographically random, non-repeating initialization vector for symmetric algorithms. |
| kid | string | Key identifier |
| tag | string (base64url) | The tag to authenticate when performing decryption with an authenticated algorithm. |
| value | string (base64url) | The result of the operation. |
KeySignParameters
The key operations parameters.
| Name | Type | Description |
|---|---|---|
| alg | | The signing/verification algorithm identifier. For more information on possible algorithm types, see JsonWebKeySignatureAlgorithm. |
| value | string (base64url) | The value to operate on. |
KeyVaultError
The key vault error exception.
| Name | Type | Description |
|---|---|---|
| error | | The key vault server error. |