Cloud Signer (KMS)

Sign transactions locally.

We offer a cutting-edge Key Management Server (KMS) that ensures total ownership and control of private keys for all assets in custody. Our KMS guarantees that Finrock’s backend servers cannot access any private keys, Mnemonic Phrases, or wallet seeds at any time.

Hosted on the client’s infrastructure, preferably within environments like AWS or Azure, the KMS performs all signing tasks securely. This setup ensures that private keys remain within the client’s controlled environment, never exposing them externally. This provides an uncompromised level of security for asset management and transactions.

EGRESS ONLY

The server or VM where the KMS is deployed must allow outbound traffic only; any INGRESS (inbound) traffic must be blocked from all IPs (LAN, MAN, WAN).

The Offline Signer (KMS) is available as a Docker container via Docker Hub:

docker pull finrock/ng-signer

GUI Mode (ephemeral container)

Use this mode to generate or recover private keys, config files, and key shards.

docker run -p 8080:8080 --name finrock finrock/ng-signer                                                      # fresh start, generate keys in the GUI
docker run -p 8080:8080 -v "$(pwd)"/config.json:/usr/src/app/config.json:ro finrock/ng-signer               # recover from an existing config.json (read-only mount)
docker run -p 8080:8080 -e FINROCK_SIGNER_ID='<<value>>' --name finrock finrock/ng-signer                      # start with a known signer ID

Open a browser and visit http://localhost:8080


Service Mode (detached container)

Use this mode to sign transactions. The software runs as a service and must be supplied with the following values, either as environment variables or as a config file mounted into the Docker container.

Title (Environment Variable)   | Example Value
-------------------------------|--------------------------------------------------------------------------------------------------------------------
FINROCK_MNEMONIC_PHRASE        | 12-word phrase (e.g. crunch polar snow culture youth adjust diary object suspect track chronic awake)
FINROCK_PRV_KEY                | -----BEGIN PRIVATE KEY----- MIIJQwIBADANBgkqhkiG9w0BAQEFAASCCS0wggkpAgEAAoICAQDfaGCbJadJnXTS CUKDhsRUn73N5SkBYbE1qnkuL/eCMMg= -----END PRIVATE KEY-----
FINROCK_SIGNER_ID              | A unique ID value (shared with the Owner during onboarding)

Running with [docker run] command

Use the following command when you have the config.json file; the command mounts the file into the Docker container with read-only privileges.

docker run -d --restart always --name finrock -v "$(pwd)"/config.json:/usr/src/app/config.json:ro finrock/ng-signer

Example config.json:

{
  "signer_id": "a-b-c-d-e",
  "private_key": "xxx---xxx",
  "mnemonic": "crunch polar snow culture youth adjust diary object suspect track chronic awake"
}

Running as [docker-compose]

version: '3'
services:
  signer:
    image: finrock/ng-signer   # same image as pulled above
    container_name: finrock
    restart: always
    # no "ports:" entry: Service Mode needs no inbound listener (EGRESS ONLY)
    environment:
      - FINROCK_MNEMONIC_PHRASE=
      - FINROCK_PRV_KEY=
      - FINROCK_PUB_KEY=
      - FINROCK_SIGNER_ID=
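A preflight check for Service Mode, added here as example code (it is not part of the Finrock image or of this page): it validates a config.json before the file is mounted and confirms that a docker-compose file publishes no ports, in line with the EGRESS ONLY rule. The function names, the one-key-per-line JSON layout (matching the config.json shown above) and the 12-word mnemonic length (taken from the table above) are assumptions.

```shell
#!/bin/sh
# Preflight checks for the signer's Service Mode (added example, not Finrock code).
# Assumes the config.json keys shown on this page: signer_id, private_key, mnemonic.

# Print the string value of a top-level key from a one-key-per-line JSON file
# (no jq dependency; sufficient for the config.json layout shown above).
json_string() {
  # $1 = file, $2 = key name
  sed -n "s/^[[:space:]]*\"$2\"[[:space:]]*:[[:space:]]*\"\(.*\)\"[[:space:]]*,\{0,1\}[[:space:]]*$/\1/p" "$1" | head -n 1
}

# Return 0 when the config is usable, 1 otherwise; each finding goes to stderr.
check_signer_config() {
  cfg=$1
  rc=0
  [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 1; }

  # The file holds the wallet secrets: it must not be group- or world-readable on the host.
  perms=$(ls -l "$cfg" | cut -c5-10)
  [ "$perms" = "------" ] || { echo "config readable by others (chmod 600 $cfg)" >&2; rc=1; }

  signer_id=$(json_string "$cfg" signer_id)
  [ -n "$signer_id" ] || { echo "signer_id is empty" >&2; rc=1; }

  # The table above specifies a 12-word phrase.
  mnemonic=$(json_string "$cfg" mnemonic)
  words=$(printf '%s\n' "$mnemonic" | wc -w | tr -d ' ')
  [ "$words" -eq 12 ] || { echo "mnemonic has $words words, expected 12" >&2; rc=1; }

  private_key=$(json_string "$cfg" private_key)
  [ -n "$private_key" ] || { echo "private_key is empty" >&2; rc=1; }

  return $rc
}

# Return 0 when the compose file exists and publishes no ports: the Service Mode
# container needs no inbound listener (unlike GUI mode's -p 8080:8080).
check_no_published_ports() {
  [ -f "$1" ] && ! grep -Eq '^[[:space:]]*ports:' "$1"
}
```

Run `check_signer_config ./config.json && check_no_published_ports ./docker-compose.yml` before `docker run` or `docker-compose up`.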

Removing Signer

docker rm finrock -f