IMPORTANT NOTES:
- Note that this feature is opt-in, and is therefore not accessible by default to all customers. To enable it, submit a ticket to our Customer Success Manager.
- This article will be deprecated by February 28th, 2025. For all API Co-signer documentation, visit this overview article, which also links to updated Co-signer content in the Developer Portal.
Infrastructure
You should be able to do the following:
- Provision an EC2 machine using Amazon Linux AMI (HVM) - 2 Kernel 5.10.
- Create an IAM Role.
- Create and edit keys under AWS Key Management Service.
If your user is restricted and you're not sure whether you have access to the above, read more about AWS permissions.
Networking requirements
The API Co-Signer requires limited outbound access during setup and general operation. For more information, refer to the Nitro API Co-Signer networking requirements article.
API users
The API Co-Signer requires creating an initial user for the machine that is bound to the kernel during the initial server setup. An API user with signing permissions is required for general use and can be added using the API Co-Signer command line interface after setup. You can follow the instructions in the adding new API users article to set up an API user in the Fireblocks Console and retrieve the API key.
Callback handler (optional)
The callback handler processes transaction POST requests and responds with an approval or rejection. Some common uses for the callback handler are integrating user-facing apps with a Fireblocks workspace, or including market signals in the transaction approval process.
For more details on how to handle the response request and structure, refer to the API documentation.
Note
The HTTPS server for the callback handler is separate from the API Co-Signer and doesn't need to reside inside a Nitro enclave. It can run on any HTTPS server using a cloud provider or on-premises.