In addition to manual transaction signing and Workspace configuration approvals using a mobile device, you can automate signing and approvals with an API Co-signer. This is ideal for workspaces that handle high transaction volumes or frequent activity.
The API Co-signer is a customer-owned component that uses the MPC-CMP algorithm to take part in a multi-signer MPC process alongside a set of independent Co-signers operated by Fireblocks, known as Cloud Co-signers, each holding a private key share.
The API Co-signer holds two types of keys:
- MPC key shares: Used to sign transactions that are associated with your Fireblocks Vaults and derived from the Owner's set of key shares.
- Workspace configuration change keys: Used to approve configuration changes in your workspace, such as creating new wallets.
In addition to signing transactions, the API Co-signer can be configured to approve any of the following actions in a workspace:
- Approving:
  - Transactions
  - New exchange accounts
  - New fiat accounts
  - New whitelisted addresses
  - New Fireblocks Network connections
  - New Console and API users
- Modifying the Admin Quorum
- Resetting a user’s signing device
- Enabling one-time addresses in a workspace
The Co-signer is a component installed and hosted in your environment on a machine with enclave support. Enclaves create a secure runtime environment that isolates and protects data and code, even from privileged users. This trusted execution environment safeguards sensitive processes from unauthorized access and tampering.
Fireblocks offers several API Co-signer deployment options to suit different environments. You can deploy the Co-signer in the cloud or on-premises. These deployments leverage Intel SGX, AWS Nitro, and Google Cloud Confidential Space enclave technologies for protecting your key shares.
The API Co-signer connects to a workspace by pairing with at least one API user. Based on the API user's role, it gets linked to an MPC key share and/or a workspace configuration change key during pairing. A single API Co-signer can store and manage multiple API users and their associated signing and approval keys, even across different workspaces.
Additionally, you can configure each API user in the API Co-signer to interact with a customer-owned business logic server using the Callback Handler functionality. The Callback Handler connects the API Co-signer to a predefined HTTPS server you set up in your environment, which receives signing and approval requests for a specific API user, including the transaction data, before signing or approval. The Callback Handler server then returns a response indicating the action to take.
The Callback Handler feature is optional. By default, the API Co-signer is configured not to use it, and instead to automatically sign the transaction or approval request.
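The decision step of a Callback Handler server, as an added sketch that is not Fireblocks code: it rejects anything malformed or outside policy, so a handler error never turns into an approval. The request fields (`requestId`, `operation`, `asset`, `amount`, `destination`), the `APPROVE`/`REJECT` strings and the policy values are assumptions made for this example; the real message schema, transport and request authentication are not shown here.

```python
from decimal import Decimal, InvalidOperation

# Constructed policy values (assumptions for this example, not Fireblocks settings).
ALLOWED_OPERATIONS = {"TRANSFER"}
ALLOWED_DESTINATIONS = {"treasury-cold-1", "exchange-hot-2"}
PER_TX_LIMIT = {"BTC": Decimal("0.5"), "ETH": Decimal("10")}


def _reject(request_id, reason):
    return {"requestId": request_id, "action": "REJECT", "reason": reason}


def decide(request):
    """Decide one request (hypothetical schema); fails closed on anything off-policy."""
    if not isinstance(request, dict):
        return _reject(None, "malformed request")
    request_id = request.get("requestId")
    if not isinstance(request_id, str) or not request_id:
        return _reject(None, "missing requestId")
    op, dest, asset, raw = (request.get(k) for k in ("operation", "destination", "asset", "amount"))
    # Type-check before the set/dict lookups; amounts must be strings, never floats.
    if not all(isinstance(v, str) for v in (op, dest, asset, raw)):
        return _reject(request_id, "malformed fields")
    if op not in ALLOWED_OPERATIONS:
        return _reject(request_id, "operation not allowed")
    if dest not in ALLOWED_DESTINATIONS:
        return _reject(request_id, "destination not allowlisted")
    limit = PER_TX_LIMIT.get(asset)
    if limit is None:
        return _reject(request_id, "asset not allowed")
    try:
        amount = Decimal(raw)
    except InvalidOperation:
        return _reject(request_id, "amount not numeric")
    # is_finite() rejects NaN/Infinity before any ordering comparison.
    if not amount.is_finite() or amount <= 0 or amount > limit:
        return _reject(request_id, "amount outside limit")
    return {"requestId": request_id, "action": "APPROVE"}


SAMPLES = [  # constructed sample requests
    {"requestId": "r-1", "operation": "TRANSFER", "asset": "BTC", "amount": "0.2", "destination": "treasury-cold-1"},
    {"requestId": "r-2", "operation": "TRANSFER", "asset": "BTC", "amount": "0.2", "destination": "unknown-addr"},
    {"requestId": "r-3", "operation": "TRANSFER", "asset": "ETH", "amount": "NaN", "destination": "exchange-hot-2"},
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(decide(sample))
```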
Deployment options
We offer several API Co-signer deployment options to suit different environments. You can deploy the Co-signer in the cloud or on-premises, using Intel SGX servers offered by cloud vendors, AWS Nitro, or Google Cloud Confidential Space enclave technologies.
See API Co-signer deployment options and installation flow for further information.
You can deploy an API Co-signer in the following configurations:
- Intel SGX API Co-signer in Azure
- Intel SGX API Co-signer in IBM Cloud
- Intel SGX API Co-signer in Alibaba Cloud
- Intel SGX API Co-signer on-premise
- Nitro API Co-signer in AWS
- Confidential Space API Co-signer in Google Cloud
Additional information
You can learn more about using the API Co-signer, its architecture, its role in the transaction flow and deployment options in the following articles.
To ensure business continuity and enhance performance during high-volume or frequent transaction automation, set up multiple API Co-signers in a high-availability configuration. This configuration supports both cloud and on-premises environments and can combine them for added flexibility.