# External Signing

How to perform deploy and run scenarios without disclosing the private key

* [When you may need it?](#when-you-may-need-it)
  * [Patterns](#patterns)
* [Use signingBox interface](#use-signingbox-interface)
  * [Sample source code](#sample-source-code)
* [Sign message outside sdk](#sign-message-outside-sdk)
  * [Sample source code](#sample-source-code-1)

## When you may need it?

Sometimes there is no access to the private key - for instance if an application signs data using HSM module or NFC card that does not disclose the private key but provides some API for signing.

### Patterns

There are 2 patterns to implement such scenario:

* use `signingBox` interface to sign message. It will allow you to invoke an API of your signing device during message creation.
* sign message separately - this approach will allow you to separate message creation into 3 steps: create unsigned message, sign it, and attach signature.

Read below for more details.

## Use signingBox interface

Developer needs to create an implementation of this interface in their project and pass it to SDK.

The implementation may incapsulate invoking of some external API, such as HSM of NFC Card.

```javascript
export interface AppSigningBox {
    get_public_key(): Promise<ResultOfAppSigningBoxGetPublicKey>,
    sign(params: ParamsOfAppSigningBoxSign): Promise<ResultOfAppSigningBoxSign>,
}
```

where

```javascript
type ResultOfAppSigningBoxGetPublicKey = {
    public_key: string
}

type ParamsOfAppSigningBoxSign = {
    unsigned: string
}

type ResultOfAppSigningBoxSign = {
    signature: string
}
```

All the methods that create messages - `encode_message`, `process_message` can take [Signer of type SigningBox object](/ever-sdk/reference/types-and-methods/mod_abi.md#signer), implementing this interface, instead of a key pair.

### Sample source code

**Core sample**

<https://github.com/everx-labs/sdk-samples/tree/master/core-examples/node-js/signingBox>

**AppKit sample**

<https://github.com/everx-labs/sdk-samples/tree/master/appkit-examples/signing-box>

## Sign message outside sdk

In this case you may create an unsigned message with `encode_message` function, specifying Signer of type `External` . After that you sign it somewhere outside and attach signature with [attach\_signature](/ever-sdk/reference/types-and-methods/mod_abi.md#attach_signature) function.

### Sample source code

We will upload a sample with it later. If you need it in your work, please write in [SDK telegram channel](https://t.me/ever_sdk).


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.everos.dev/ever-sdk/guides/work_with_contracts/external_signing.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.