What are we signing in the 'signature' field for OpenSea API

Question

There is a signature field here: https://docs.opensea.io/v2.0/reference/create-an-order

I understand the caller/lister has a private key. But what exactly is the content of the message that they're signing and putting in the signature field? Is it the whole message? The hash of the message? Something else?

I understand the whole API call is giving permission to OpenSea to transfer your NFT as long as it sells for the given price and the signature is there to prove that you're who you are.

Answer 1

From my understanding, it is the whole message.

You need to use a library using the same signature algorithm than the ethereum network (like ethers or web3) based on ECDSA. You sign the whole message passed over the network with this algorithm and your private key to allow the ethereum network to verify your identity with the public key associated with your wallet address.

Code example with web3.js library in javascript :

const ethers = require('ethers'); // library to install with npm
const params = require('./parameters.json'); // your params sent with POST request

let privateKey = <your private key here>;

async function sign(params, privateKey) {
    let data = JSON.stringify(params); // Convert the order object to a JSON string
    let wallet = new ethers.Wallet(privateKey); // Create a new wallet instance

    let signature = await wallet.signMessage(data); // Sign the order data

    return signature;
}

sign(params, privateKey)
    .then(signature => console.log(signature))
    .catch(error => console.error(error));

Of course you need to replace the private key with the one in your wallet.