Fireblocks Agent is an open-source on-prem service written in Typescript which is responsible for receiving new messages to sign from Fireblocks, relay these messages to the client's HSM and return the signed result back to Fireblocks.
- Make sure you have nvm on your machine. To check, run
nvm
in a terminal. - To installnvm
: - On mac runbrew install nvm
- Linux, follow these instructions
git clone https://github.com/fireblocks/fireblocks-agent.git
cd fireblocks-agent
nvm use
- install dependencies
npm i
-
Build and run example customer server docker:
cd examples/server
npm run build:docker
npm run start:docker
-
Configure and run Fireblocks agent:
-
Copy
.env.prod
and name it.env.{env-name}
(e.g..env.test
) -
Edit your newly created
.env.{env-name}
file with the right configuration -
Build the Fireblocks agent:
npm run build
-
Start the Fireblocks agent with your desired environment:
npm run start --env=env-name
The Fireblocks agent expect a configuration file (for production it's called .env.prod
) with several parameters:
MOBILE_GATEWAY_URL
- In production this value should behttps://mobile-api.fireblocks.io
CUSTOMER_SERVER_URL
- The client's custom server urlCUSTOMER_SERVER_PULL_CADENCE_MS
- Cadence of pulling messages statusCUSTOMER_SERVER_AUTHORIZATION
- If exists, the Fireblocks agent will send its value on theAuthorization
header for each request. The client can use it for authorizing the fireblocks agent or keep track on which agent is calling itSSL_CERT_PATH
- If exists, a path to a self-signed SSL certificate which will be used to validate the server certificate
The Fireblocks Key Link workspace consists of several components (aka actors). Each with its own responsibilities.
- Console - Fireblocks web console. Link
- Mobile App - Fireblocks mobile app.
- Mobile API Gateway - Fireblocks REST API Server. The Fireblocks agent communicates with this server in the registration flow and for receiving new messages.
- Developer API - Fireblocks back office server for workspace setup and configuration.
- Fireblocks Agent - An on-prem service written in Typescript which is responsible for receiving new messages to sign from Fireblocks, relay these messages to the client's HSM and return the signed result back to Fireblocks.
- Customer Server - The client's own server which receives messages to sign from the Fireblocks agent. Sign them via the client's HSM and provide the Fireblocks agent with the signed messages.
- HSM component - The actual HSM implementation. Can be on prem or a cloud based HSM, or a different Key Management System.
The customer server is a component that should be written by the client according to the client's connection to the HSM component. The server is expected to implement the following OpenAPI spec.
In general, it should support signing messages according to ECDSA
and EdDSA
algorithms and return the status for given messages.
We provide an example of such a server in examples/server
with an integration to a software implementation of an HSM called softHSM
The entry point for the server can be found here
This procedure should happen once. Fireblocks will need a validator key to approve new signing keys. This flow is done via the Fireblocks sdk and not via this program.
Each signing key should be first converted into a certificate which should be signed by an active validator key. The signed certificates are then regsitered to Fireblocks via the API or the Console.