BitGo · lokesh-bitgo · Nov 11, 2025 · Nov 11, 2025
@@ -539,7 +539,7 @@ export async function handleV2Sign(req: ExpressApiRouteRequest<'express.v2.coin.
 }
 
 export async function handleV2OFCSignPayloadInExtSigningMode(
-  req: express.Request
+  req: ExpressApiRouteRequest<'express.v2.ofc.extSignPayload', 'post'>
 ): Promise<{ payload: string; signature: string }> {
   const walletId = req.body.walletId;
   const payload = req.body.payload;
@@ -1741,12 +1741,10 @@ export function setupSigningRoutes(app: express.Application, config: Config): vo
     prepareBitGo(config),
     promiseWrapper(handleV2GenerateShareTSS)
   );
-  app.post(
-    `/api/v2/ofc/signPayload`,
-    parseBody,
+  router.post('express.v2.ofc.extSignPayload', [
     prepareBitGo(config),
-    promiseWrapper(handleV2OFCSignPayloadInExtSigningMode)
-  );
+    typedPromiseWrapper(handleV2OFCSignPayloadInExtSigningMode),
+  ]);
 }
 
 export function setupLightningSignerNodeRoutes(app: express.Application, config: Config): void {

@@ -39,6 +39,7 @@ import { PostConsolidateUnspents } from './v2/consolidateunspents';
 import { PostPrebuildAndSignTransaction } from './v2/prebuildAndSignTransaction';
 import { PostCoinSign } from './v2/coinSign';
 import { PostSendCoins } from './v2/sendCoins';
+import { PostOfcExtSignPayload } from './v2/ofcExtSignPayload';
 
 // Too large types can cause the following error
 //
@@ -227,6 +228,9 @@ export const ExpressExternalSigningApiSpec = apiSpec({
   'express.v2.coin.sign': {
     post: PostCoinSign,
   },
+  'express.v2.ofc.extSignPayload': {
+    post: PostOfcExtSignPayload,
+  },
 });
 
 export const ExpressWalletSigningApiSpec = apiSpec({

@@ -0,0 +1,36 @@
+import { httpRoute, httpRequest } from '@api-ts/io-ts-http';
+import { OfcSignPayloadBody, OfcSignPayloadResponse } from './ofcSignPayload';
+
+/**
+ * Sign an arbitrary payload using an OFC trading account key (External Signing Mode).
+ *
+ * This endpoint is used when BitGo Express is running in external signing mode,
+ * where private keys are stored in an encrypted file on the filesystem rather than
+ * being fetched from the BitGo API.
+ *
+ * The request and response structure is identical to the regular OFC sign payload endpoint,
+ * but the implementation reads the encrypted private key from a local file specified by
+ * the `signerFileSystemPath` configuration.
+ *
+ * **External Signing Mode Requirements**:
+ * - `signerFileSystemPath` must be configured in Express config
+ * - Encrypted private keys must be available in the file system
+ * - Wallet passphrase must be provided via request body or environment variable
+ *
+ * **Flow**:
+ * 1. Reads encrypted private key from filesystem
+ * 2. Decrypts private key using wallet passphrase
+ * 3. Signs the payload with the decrypted key
+ * 4. Returns signed payload and hex-encoded signature
+ *
+ * @operationId express.v2.ofc.extSignPayload
+ * @tag express
+ */
+export const PostOfcExtSignPayload = httpRoute({
+  path: '/api/v2/ofc/signPayload',
+  method: 'POST',
+  request: httpRequest({
+    body: OfcSignPayloadBody,
+  }),
+  response: OfcSignPayloadResponse,
+});
@@ -3,7 +3,6 @@ import 'should-http';
 import 'should-sinon';
 import 'should';
 import * as fs from 'fs';
-import { Request } from 'express';
 import { BitGo, Coin, BaseCoin, Wallet, Wallets } from 'bitgo';
 import '../../lib/asserts';
 import { handleV2OFCSignPayload, handleV2OFCSignPayloadInExtSigningMode } from '../../../src/clientRoutes';
@@ -158,10 +157,14 @@ describe('With the handler to sign an arbitrary payload in external signing mode
         walletId,
         payload,
       },
+      decoded: {
+        walletId,
+        payload,
+      },
       config: {
         signerFileSystemPath: 'signerFileSystemPath',
       },
-    } as unknown as Request;
+    } as unknown as ExpressApiRouteRequest<'express.v2.ofc.extSignPayload', 'post'>;
 
     await handleV2OFCSignPayloadInExtSigningMode(req).should.be.resolvedWith(expectedResponse);
     readFileStub.should.be.calledOnceWith('signerFileSystemPath');
@@ -195,10 +198,15 @@ describe('With the handler to sign an arbitrary payload in external signing mode
         payload,
         walletPassphrase: walletPassword,
       },
+      decoded: {
+        walletId,
+        payload,
+        walletPassphrase: walletPassword,
+      },
       config: {
         signerFileSystemPath: 'signerFileSystemPath',
       },
-    } as unknown as Request;
+    } as unknown as ExpressApiRouteRequest<'express.v2.ofc.extSignPayload', 'post'>;
 
     await handleV2OFCSignPayloadInExtSigningMode(req).should.be.resolvedWith(expectedResponse);
     readFileStub.should.be.calledOnceWith('signerFileSystemPath');
@@ -233,10 +241,15 @@ describe('With the handler to sign an arbitrary payload in external signing mode
         payload,
         walletPassphrase: walletPassword,
       },
+      decoded: {
+        walletId,
+        payload,
+        walletPassphrase: walletPassword,
+      },
       config: {
         signerFileSystemPath: 'signerFileSystemPath',
       },
-    } as unknown as Request;
+    } as unknown as ExpressApiRouteRequest<'express.v2.ofc.extSignPayload', 'post'>;
 
     await handleV2OFCSignPayloadInExtSigningMode(req).should.be.resolvedWith(expectedResponse);
     readFileStub.should.be.calledOnceWith('signerFileSystemPath');
@@ -260,7 +273,11 @@ describe('With the handler to sign an arbitrary payload in external signing mode
           walletId,
           payload,
         },
-      } as unknown as Request;
+        decoded: {
+          walletId,
+          payload,
+        },
+      } as unknown as ExpressApiRouteRequest<'express.v2.ofc.extSignPayload', 'post'>;
 
       await handleV2OFCSignPayloadInExtSigningMode(req).should.be.rejectedWith(
         'Could not find wallet passphrase WALLET_61f039aad587c2000745c687373e0fa9_PASSPHRASE in environment'
@@ -278,10 +295,14 @@ describe('With the handler to sign an arbitrary payload in external signing mode
           walletId,
           payload,
         },
+        decoded: {
+          walletId,
+          payload,
+        },
         config: {
           signerFileSystemPath: undefined,
         },
-      } as unknown as Request;
+      } as unknown as ExpressApiRouteRequest<'express.v2.ofc.extSignPayload', 'post'>;
 
       await handleV2OFCSignPayloadInExtSigningMode(req).should.be.rejectedWith(
         'Missing required configuration: signerFileSystemPath'
@@ -301,10 +322,14 @@ describe('With the handler to sign an arbitrary payload in external signing mode
           walletId,
           payload,
         },
+        decoded: {
+          walletId,
+          payload,
+        },
         config: {
           signerFileSystemPath: 'signerFileSystemPath',
         },
-      } as unknown as Request;
+      } as unknown as ExpressApiRouteRequest<'express.v2.ofc.extSignPayload', 'post'>;
 
       await handleV2OFCSignPayloadInExtSigningMode(req).should.be.rejectedWith(
         "Error when trying to decrypt private key: INVALID: json decode: this isn't json!"
@@ -326,10 +351,14 @@ describe('With the handler to sign an arbitrary payload in external signing mode
           walletId,
           payload,
         },
+        decoded: {
+          walletId,
+          payload,
+        },
         config: {
           signerFileSystemPath: 'signerFileSystemPath',
         },
-      } as unknown as Request;
+      } as unknown as ExpressApiRouteRequest<'express.v2.ofc.extSignPayload', 'post'>;
 
       await handleV2OFCSignPayloadInExtSigningMode(req).should.be.rejectedWith(
         "Error when trying to decrypt private key: CORRUPT: password error - ccm: tag doesn't match"
@@ -349,10 +378,15 @@ describe('With the handler to sign an arbitrary payload in external signing mode
           payload,
           walletPassphrase: 'invalidPassphrase',
         },
+        decoded: {
+          walletId,
+          payload,
+          walletPassphrase: 'invalidPassphrase',
+        },
         config: {
           signerFileSystemPath: 'signerFileSystemPath',
         },
-      } as unknown as Request;
+      } as unknown as ExpressApiRouteRequest<'express.v2.ofc.extSignPayload', 'post'>;
 
       await handleV2OFCSignPayloadInExtSigningMode(req).should.be.rejectedWith(
         "Error when trying to decrypt private key: CORRUPT: password error - ccm: tag doesn't match"