Before system development, the workspace needs to complete the following preparations.

Create API

The workspace owner should log in to the ChainUp Console System and create an API on the API Management page.

About RSA Public Key

To ensure secure data transmission, ChainUp uses the RSA-2048 PKCS#8 key format for asymmetric encryption of API request and response data. The public key is used to decrypt request data and needs to be uploaded to ChainUp, while the private key is used to encrypt data and is configured by the client on the corresponding server and securely stored.

Explanation of RSA Public-Private Key Pairs

First pair of RSA public-private keys: After creating the API, ChainUp Custody will generate a default pair. The RSA public key will be provided to the developer for decrypting response parameters.

Second pair of RSA public-private keys: Generated by the developer, used for encrypting parameters before API requests from the client’s business system. The RSA public key is configured in ChainUp Custody for decrypting request parameters.

Third pair of RSA public-private keys: Generated by the developer, used by Co-Signer for encrypting parameters before API requests. The RSA public key is configured in ChainUp Custody for decrypting request parameters.

Fourth pair of RSA public-private keys (optional): Generated by the developer, mainly used for verifying transaction signatures when Co-Signer does not configure callback notifications. This pair of public-private keys is generated and saved by the client, and ChainUp Custody does not retain it.

In addition to encrypting interface data, the Co-Signer RSA public key is also involved in the encryption process of Co-Signer private key shares. For security reasons, it is recommended to set the Co-Signer RSA public key different from the business service RSA public key.

Co-Signer has a built-in command for generating RSA public-private keys, which is limited to Co-Signer’s use. Please refer to Co-Signer Deployment.

Callback Notifications

The system currently supports three types of callback services: Transaction Status Callback, Signature Callback, and Transaction Approval Callback.

  • Transaction Status Callback: ChainUp will notify the client of the latest status of an order when processing is completed (e.g. receiving, transfer orders). The client configures this callback address on the ChainUp platform on the Create API page under Transaction Status Notification Address.

  • Signature Callback: ChainUp will callback Co-Signer for signature operations when creating an address or generating private key shares for Co-Signer. The client configures this callback address on the ChainUp platform on the Create API page under Co-Signer Interface Address.

  • Transaction Approval Callback Address: Please refer to the Co-Signer callback.

Configure Co-Signer

Co-Signer is commonly used for automated signing of OpenAPI-initiated transactions and auto sweepimg transactions.

Co-Signer Server Selection

Co-Signer supports deployment on a regular server or supports SGX server. For security reasons, it is recommended to use a server with SGX support, preferably from Microsoft cloud services. View Co-Signer Server Configuration Requirements

Co-Signer Configuration

Co-Signer provides a callback handler, which is an optional component:

  • If configuring the callback handler(Security Level:⭐⭐⭐⭐⭐)

Co-Signer will perform a secondary review of transaction requests initiated by OpenAPI to the business server. Signing operations will only proceed when the business server’s review is successful.

Transactions like creating addresses, sweeping assets, and auto fueling will not trigger callbacks.

  • If not configuring the callback handler(Security Level:⭐⭐⭐⭐)

API Co-Signer will verify transaction signatures and sign all transaction requests initiated by OpenAPI.

Create Co-Signer Private Key Shares

After configuring API and Co-Signer programs, create private key shares for Co-Signer in the app.

The workspace owner can create Co-Signer private key shares on the MPC workspace Security - Co-Signer page. The created Co-Signer private key shares will be encrypted and synchronized to the Co-Signer server using the Co-Signer RSA public key configured by the client on the ChainUp platform.

Notes

Ensure that the APPID is in an enabled state when creating. Co-Signer services are normal.

If Co-Signer private key shares are lost or leaked, new private key shares can be refreshed or Co-Signer private key shares can be deleted. For security reasons, the original Co-Signer private key shares are not usable after refreshing or deleting.

Enable Auto Sweep

To enhance assets security and utilization, some networks need to be configured for auto sweep and auto fueling functions. ChainUp provides a set of auto sweep solutions for clients. The specific operation process is as follows:

Login to the ChainUp management platform and create it on the Co-Signer page;

  • workspace members (any role) set the sweeping assets to the omnibus wallet and gas station.

Only wallets displayed in the app can be selected. For efficient assets use, it is recommended to set the omnibus wallet and gas station to different wallets (due to the nature of single-execution transfer for account-type networks, if configured with the same wallet, the withdrawal transaction(transfer) will wait until the miner fee is supplemented when supplementing the miner fee for the address).

  • The workspace owner approves the signature in the app. Encrypt the set workspaces with the workspace’s private key to ensure the correct address for auto sweep.
  • workspace members (any role) configure wallet for auto sweep, applied scope for sweeping, assets for sweeping, auto fueling rules, and other information.

Applied Scope

Configure the wallets for which assets should be swept.

Auto Sweep Strategy

Configure the currencies for which assets should be swept, along with the sweeping threshold. Assets will be automatically triggered when the threshold is exceeded and the miner fee is set below the configured level. Users can customize the sweeping threshold and maximum miner fee through the Console or API.

Refueling Strategy

Configure the replenishment of miner fees for the auto sweep. Since sweeping operation requires the use of the main coin as a miner fee, when the token in the address meets the auto sweep strategy and the address does not have the main coin, replenishment of miner fees will be triggered from the refueling wallet to the address to be swept. The quantity of replenished miner fees can be customized, and it is essential to ensure that the replenished miner fee is lower than the sweeping threshold.

Once the strategy is configured, the system runs automatically, and users can view asset changes in the set workspace.

It is recommended for clients to configure insufficient miner fee alerts to replenish in a timely manner and avoid affecting user transfers (withdrawals).