POST returns a payloadToSign, and the signed retry returns the encrypted seed.
Generate a fresh P-256 client key pair specifically for the export. Send its clientPublicKey on both export requests, then decrypt encryptedWalletCredentials with the matching private key after the signed retry succeeds.
1
First call — receive the challenge
2
Client stamps the payload
Build a Grid wallet signature over
payloadToSign with an active session signing key on the account. Keep the export private key on the client; Grid will use the matching clientPublicKey from step 1 to seal the wallet credentials.3
Signed retry — receive the encrypted seed
4
Decrypt on the client
encryptedWalletCredentials is a signed wallet export envelope, not the base58check session-bundle format used by encryptedSessionSigningKey. Parse the envelope, verify dataSignature against enclaveQuorumPublic, decode the hex data JSON to get encappedPublic and ciphertext, then decrypt with the export private key that matches the clientPublicKey you sent on both export requests.The plaintext is a BIP-39 mnemonic (the wallet’s master seed).