Skip to main content
Skip this page if you only need manual transaction approval via the MPCVault app. The client signer is only required for automated signing.
The client signer is a Docker container that:
  1. Maintains a secure connection to MPCVault
  2. Receives signing callbacks when you call ExecuteSigningRequests
  3. Approves transactions based on your callback server’s response

Prerequisites

  • Docker (or Docker Compose) installed
  • A server with a stable internet connection
  • A callback endpoint on your backend to receive and approve signing requests
  • An API user already created

Step 1: Generate an Ed25519 Key Pair

The client signer authenticates with MPCVault using an Ed25519 key pair. Generate one locally:
The public key looks like:
No password: The key must not have a passphrase for the client signer to use it automatically.

Step 2: Register the Client Signer in Your Vault

  1. Go to console.mpcvault.com
  2. Navigate to your vault’s Team & policies page
  3. Click + New Client Signer
Add Client Signer
  1. Enter the information:
  1. Click ContinueConfirm to create a signing request
  2. Approve the Vault setting update request in the MPCVault app

Step 3: Grant Key Access

After creating the client signer, MPCVault automatically creates a Key grant access signing request. This grants the client signer permission to participate in MPC signing. Approve this request in the MPCVault app to complete setup.
One signer per vault: Each vault requires its own client signer. You cannot reuse the same signer across multiple vaults.

Step 4: Create the Configuration File

Create config.yml with your settings:
Configuration reference:

Step 5: Run the Client Signer

Option A: Docker Run (Development)

Create docker-compose.yml:
Start with:

Verify it’s running

Step 6: Implement Your Callback Handler

When you call ExecuteSigningRequests, MPCVault sends a callback to your callback-url. Your server must:
  1. Receive the callback (POST request with protobuf body)
  2. Validate the signing request against your business rules
  3. Return HTTP 200 to approve, or 4xx/5xx to reject
Example callback handler (Node.js/Express):
Security: Your callback endpoint should validate requests and implement appropriate access controls. Consider using request signing or IP whitelisting.

Docker Networking

host.docker.internal is a special DNS name that resolves to the host machine from inside a Docker container. It works on Docker Desktop (Mac/Windows) and recent Docker Engine versions on Linux.

How Signing Works

When you call ExecuteSigningRequests:

Troubleshooting

Useful Commands