All API requests that create a new transaction will accept either a secretPhrase or a publicKey parameter:
If secretPhrase is supplied, a transaction is created, signed at the server, and broadcast by the server as usual.
If only a publicKey parameter is supplied as a 64-digit (32-byte) hex string, the transaction will be prepared by the server and returned in the JSON response as transactionJSON without a signature. This JSON object along with secretPhrase can then be supplied to Sign Transaction as unsignedTransactionJSON and the resulting signed transactionJSON can then be supplied to Broadcast Transaction. This sequence allows for offline transaction signing so that secretPhrase never needs to be exposed.
unsignedTransactionBytes may be used instead of unsigned transactionJSON when there is no encrypted message. Messages to be encrypted require the secretPhrase for encryption and so cannot be included in unsignedTransactionBytes.