# Face Signing

Just as a private key can be used in cryptographic systems to sign a piece of data (usually its SHA256 hash), in Face PKI, a face, SensePrint, and a purpose ID can be used to sign some data.

The steps in this process are the following:

1. Generate a SHA256 hash of the data to be signed.
2. Base64 encode the SHA256 hash.
3. Send the Base64 encoded string to the server along with a SensePrint and a purpose ID.

The algorithm used for the signature is the Elliptic Curve Digital Signature Algorithm (ECDSA). Thus, the generated signtature can also be independently verified using a Face Certificate containing the public key for the same purpose ID.

As before, on the Swagger Docs page authorize using the API Key you setup earlier.

Expand the `/face-sign` section and then click the `Try it out` button as shown below:

<figure><img src="https://content.gitbook.com/content/3MaK792MtyPjO8jJjWM7/blobs/esSPG18nGqnfpvTCXfO0/swagger-face-sign.png" alt=""><figcaption><p>Using the /face-sign end-point</p></figcaption></figure>

Upon clicking `Try it out` you should be able to submit the data as shown below:

```json
{
  "data_sha256_base_64": "MHQCAQEEIKu0Xuf....",
  "face_base_64": "face_base_64",
  "liveness_tolerance": "REGULAR",
  "os": "DESKTOP",
  "password": "(optional) password",
  "purpose_id": "login:www.example.com",
  "senseprint_base_64": "senseprint_base_64",
  "verifiers_auth_key": "(optional) verifiers_auth_key"
}
```

The following summarizes the parameters for the request:

1. `data_sha256_base_64` - given a piece of data (bytes), it should then be SHA256 hashed to obtain 256 bits. The hash should then be Base64 encoded to send it to the API
2. `face_base_64` - the face of the SensePrint eID holder
3. `liveness_tolerance` (optional) - the tolerance of the liveness algorithm used to check for a live face before allowing the signing to proceed.
4. `os` (optional) - indicates the operating system the image was captured on. Valid values are `ANDROID` / `IOS` / `DESKTOP`.
5. `password` (optional) - the same password (if one was specified) that was used during the SensePrint generation.
6. `purpose_id` - a unique purpose ID. This should match the purpose ID that was used to generate the Face Certificate that will be used to verify the signature.
7. `senseprint_base_64` - the foundational SensePrint eID in raw form.
8. `verifiers_auth_key` (optional) - the same `verifiers_auth_key` (if one was specified) that was used during the SensePrint generation.