Signing Transactions Over REST API

Tatum provides the ability to sign and broadcast blockchain transactions via REST API endpoints. However, transmitting private keys or mnemonics through an API request is inherently insecure and can result in the loss of funds.

Security Considerations

Using private keys or mnemonics over the REST API presents several risks:

  • Key Exposure: Data transmitted via REST API can be intercepted or leaked due to insecure storage, logging, or compromised network connections on the user’s side.
  • Logging Risks: If API requests are logged at any point within the user’s system, mnemonics and private keys may be exposed.
  • Unauthorized Access: Any party with access to a mnemonic or private key can take full control of the associated wallet and its assets.

Note: Tatum does not store or log private keys or mnemonics. However, improper key handling on the user’s side remains a security risk.


Secure Alternatives for Signing Transactions

Tatum Key Management System (KMS)

Tatum KMS is a self-hosted signing solution that enhances the security of mnemonics and private keys:

  • Transactions are signed locally, and only the signed payload is transmitted.
  • The source code is publicly available for audit. More details are available in this article.

Local Signing and JSON-RPC Broadcasting

  • Users can sign transactions within their own environment and broadcast them using standard JSON-RPC methods.
  • Tatum’s list of supported blockchains can be found in this article.
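The two sides of the risk described above (key material travelling inside a REST body and ending up in logs, versus a locally signed payload broadcast over JSON-RPC) as an added example in Python; this is not Tatum's or Tatum KMS's code. It assumes the field names in `SENSITIVE_FIELDS` and uses constructed, non-real key and transaction values; the only real identifier is the standard `eth_sendRawTransaction` JSON-RPC method.

```python
import json
import re

# Field names assumed for this example; REST signing endpoints carry key material under names like these.
SENSITIVE_FIELDS = {"privateKey", "fromPrivateKey", "mnemonic", "seed", "secret"}
HEX32 = re.compile(r"^(0x)?[0-9a-fA-F]{64}$")       # shape of a raw 32-byte private key
WORDS = re.compile(r"^([a-z]+ ){11,23}[a-z]+$")      # shape of a 12..24 word mnemonic phrase

# Constructed sample values (not real keys): a REST body that carries a key, and a signed raw tx.
SAMPLE_REST_BODY = {"chain": "ETH", "to": "0x" + "de" * 20, "amount": "0.01",
                    "fromPrivateKey": "0x" + "11" * 32}
SAMPLE_SIGNED_TX = "0x" + "ab" * 60

def looks_like_secret(value) -> bool:
    """Value-shape heuristic: catches keys even when they sit under an unexpected field name."""
    return isinstance(value, str) and bool(HEX32.match(value) or WORDS.match(value.strip()))

def find_secrets(obj, path: str = "$") -> list:
    """Return JSONPath-like locations of key material anywhere in a request body."""
    items = obj.items() if isinstance(obj, dict) else enumerate(obj) if isinstance(obj, list) else []
    hits = []
    for k, v in items:
        p = f"{path}.{k}" if isinstance(obj, dict) else f"{path}[{k}]"
        if k in SENSITIVE_FIELDS or looks_like_secret(v):
            hits.append(p)
        hits += find_secrets(v, p)      # nested objects and arrays are walked too
    return hits

def redact(obj):
    """Copy of a body with key material replaced, so it can be logged without exposing keys."""
    if isinstance(obj, dict):
        return {k: "[REDACTED]" if k in SENSITIVE_FIELDS or looks_like_secret(v) else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return ["[REDACTED]" if looks_like_secret(v) else redact(v) for v in obj]
    return obj

def safe_log_line(body: dict) -> str:
    """What a request logger should write: the redacted body, never the original."""
    return json.dumps(redact(body), sort_keys=True)

def raw_tx_broadcast(signed_tx_hex: str, request_id: int = 1) -> dict:
    """JSON-RPC body for a locally signed transaction: only the signed payload travels."""
    body = {"jsonrpc": "2.0", "method": "eth_sendRawTransaction",
            "params": [signed_tx_hex], "id": request_id}
    if find_secrets(body):  # pre-flight guard: refuse any body that carries key material
        raise ValueError("refusing to send a request body that contains key material")
    return body
```

Running `find_secrets` as a pre-flight check on every outbound body, and `safe_log_line` in the request logger, closes the logging exposure the bullets above describe; the broadcast body built by `raw_tx_broadcast` passes the same check because a signed transaction contains no key.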

Important Information

  • Tatum does not log, store, or retain private keys. More details are available in this article.
  • Users are responsible for securing their mnemonics and private keys.
  • Tatum assumes no liability for any loss resulting from private key exposure or misuse. More details are available in this article.
  • Tatum is SOC 2 compliant and follows strict security standards. More details are available in this article.