Add missing chains

View as MarkdownOpen in Claude
A user's wallet set is fixed at `/create` time, so a user created before a chain was configured has no address on it. `/extend` derives and inserts wallets for the **missing chains only**. The server proves ownership before adding anything: the mnemonic must derive one of the user's stored addresses (otherwise `403`), and the password must decrypt an existing keystore entry (otherwise `401`). Idempotent — when nothing is missing you get `added: []`. The mnemonic is never returned or stored.

Authentication

AuthorizationBearer

A 15-minute token from /auth. Required on every endpoint except /auth.

Headers

X-Request-IdstringOptional
Correlation id. Generated if omitted, echoed on every response, and written to the audit log.
X-USER-IDstringOptionalformat: "^[0-9a-fA-F]{24}$"

Sent by the trusted gateway. When present it overrides any userId in the body.

Request

This endpoint expects an object.
userIdstringRequiredformat: "^[0-9a-fA-F]{24}$"

24-character hex id, returned by /create.

existingSeedstringRequired

bip39 seed phrase, validated with bip39.validateMnemonic.

passwordstringRequired>=8 characters

Keystore password (AES-256-GCM, scrypt KDF). Unrecoverable — required by /send and /extend.

Response

OK
resultobject
requestIdstring

Echo of the inbound X-Request-Id, or a generated one.

Errors

400
Bad Request Error
401
Unauthorized Error
403
Forbidden Error
409
Conflict Error