# Set up an API Signer

The standard method of creating and signing transactions uses the Fordefi web and mobile interfaces. See [Fordefi web console](/user-guide/welcome/product-interfaces#fordefi-web-console) and [Fordefi web browser extension](/user-guide/welcome/product-interfaces#fordefi-web-browser-extension-to-connect-securely-with-dapps).

You can also create and sign transactions *programmatically*. With this method, customers maintain self custody of their private keys by running Fordefi's API Signer on their own network or cloud environment.

- Similarly to the mobile app, the API Signer holds the first of two MPC shares for each private key and participates in the MPC signature protocol.
- Unlike the mobile app, the API Signer does not require human intervention to sign a transaction.


The process is illustrated here:

alt
## Deployment options

Depending on your needs, use one of the following options:

- Deploy it as a standalone dockerized application. This option is most useful for use on a "bare metal" server, or virtual machine. [Learn more](/developers/getting-started/set-up-an-api-signer/install-the-api-signer).
- Deploy it as a Kubernetes application and distribute it using Helm Chart. [Learn more](/developers/getting-started/set-up-an-api-signer/deploy-api-signer-kubernetes-helm-chart).


Minimum requirements for virtual machines are 0.5vCPU per 1GB memory.

Activate the API Signer
Once you have deployed the Fordefi docker image, make sure you [activate it](/developers/getting-started/set-up-an-api-signer/activate-api-signer).

## Deployment tips

Here are some known issues and workarounds while you configure your API signer:

### Networking best practices for deployment

- Block all ingress traffic
Block all ingress traffic to your Signer. API Signer only needs egress access to `api.fordefi.com`.
You can verify the endpoint using:

```bash
nslookup api.fordefi.com
```
- Using AWS?
To further restrict egress traffic, you can set up a VPC-to-VPC PrivateLink with us.
Our endpoint:
`com.amazonaws.vpce.us-east-1.vpce-svc-05d9488e431a4ceb5`
- Are you experiencing latency?
Locate your Signer in the `us-east-1` server, where the Fordefi backend is also located.


### Can an organization have more than one API Signer?

- Each organization is limited to *one API Signer*.
- However, you can register *unlimited API Users* with that Signer, as long as they are part of the same organization.
- If you need a second API Signer, you'll need to create a *separate organization* with its own set of API Users.