Set up an API Signer

The standard method of creating and signing transactions uses the Fordefi web and mobile interfaces. See Fordefi web console and Fordefi web browser extension.

You can also create and sign transactions programmatically. With this method, customers maintain self custody of their private keys by running Fordefi's API Signer on their own network or cloud environment.

• Similarly to the mobile app, the API Signer holds the first of two MPC shares for each private key and participates in the MPC signature protocol.
• Unlike the mobile app, the API Signer does not require human intervention to sign a transaction.

The process is illustrated here:

Deployment options

Depending on your needs, use one of the following options:

• Deploy it as a standalone dockerized application. This option is most useful for use on a "bare metal" server, or virtual machine. Learn more.
• Deploy it as a Kubernetes application and distribute it using Helm Chart. Learn more.

Minimum requirements for virtual machines are 0.5vCPU per 1GB memory.

Deployment tips

Here are some known issues and workarounds while you configure your API signer:

Networking best practices for deployment

• Block all ingress traffic

  Block all ingress traffic to your Signer. API Signer only needs egress access to api.fordefi.com.
  You can verify the endpoint using:

  nslookup api.fordefi.com

• Using AWS?

  To further restrict egress traffic, you can set up a VPC-to-VPC PrivateLink with us.
  Our endpoint: com.amazonaws.vpce.us-east-1.vpce-svc-05d9488e431a4ceb5

• Are you experiencing latency?

  Locate your Signer in the us-east-1 server, where the Fordefi backend is also located.

Can an organization have more than one API Signer?

• Each organization is limited to one API Signer.
• However, you can register unlimited API Users with that Signer, as long as they are part of the same organization.
• If you need a second API Signer, you'll need to create a separate organization with its own set of API Users.