Use KMS to Store Private Keys and Sign Transactions on Solana
Generate wallets, private keys, blockchain addresses, and sign transactions locally
In this guide, you will learn how to generate wallets, private keys, blockchain addresses, and sign transactions locally using Tatum Key Management System (KMS).
This guide shows how to start using KMS on Solana and similar blockchains.
KMS works on any supported blockchain such as Bitcoin.

Process overview and prerequisites

Before you start, we recommend that you review the following sections:
You will work on the Bitcoin testnet.
With KMS installed, you will go through the following steps:
  1. Generate a managed wallet
  2. Send some test BTC to your new address
  3. Enable daemon mode
  4. Initiate a transaction and let KMS sign it
  5. Get transaction details

Step 1 - Generate a managed wallet

To generate a wallet that is managed by the KMS, use the generatemanagedwallet command in CLI mode.
Request
tatum-kms --path=wallet.dat --testnet generatemanagedwallet SOL
Enter password to access wallet storage:*****ta
When you first use KMS, you will be prompted to enter a password to encrypt your data. This password is created the first time you enter it, and you should store it in a safe place.
The wallet storage is encrypted with an AES cipher and is stored on your local server. The password you provide is used to encrypt the mnemonics and private keys inside. If you lose your password, you will lose access to your mnemonics.
Response
The response contains your wallet mnemonic's signature ID as the first parameter:
{
"xxx-59be-4792-81c5-yyy": {
"mnemonic": "list of long words",
"xpub": "tpubBCDEF",
"chain": "SOL",
"testnet": true
}
}

Step 3 - Enable daemon mode

Daemon mode is essentially KMS running in the background and listening for pending transactions to sign and broadcast them.
  • Transactions are identified by your API key.
  • You can filter transactions by blockchain.
To enable daemon mode, enter the following code on your local server:
tatum-kms daemon --path=wallet.dat --testnet --chain=SOL --api-key=your-testnet-api-key --period=10
You must enter the password to unlock the wallet storage. The password is required whenever you start the daemon or restart the daemon after it stopped.
By default, Tatum KMS checks for pending transactions every 5 seconds using this API call. One API call consumes 1 credit from your monthly credit allowance.
You can change the frequency of the check using the period parameter.

Step 4 - Initiate a transaction and let KMS sign it

You can now send SOLs from your address to any other address with a Solana-specific API call.
Instead of a privateKey (left), the call uses a signatureId field (right) that contains your signature ID:
As you can see, there is no private key or mnemonic anywhere in the KMS request, nor was any other sensitive information required.
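The two request shapes contrasted above, as an added example (not Tatum's code): a pre-flight check that rejects a body carrying a private key or mnemonic and accepts one carrying only a signatureId. The from, to and amount fields, the placeholder values and the UUID shape test are assumptions made for illustration.

```javascript
// Added example, not Tatum's code. Field names other than privateKey and
// signatureId, and all sample values, are assumptions made for illustration.

const SECRET_FIELD = /(private_?key|mnemonic|secret|seed)/i;
// 12 to 24 lowercase words separated by single spaces: mnemonic-shaped.
const MNEMONIC_SHAPE = /^([a-z]+ ){11,23}[a-z]+$/;
// Assumption: signature IDs are UUID-shaped, as in the page's samples.
const UUID_SHAPE = /^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$/i;

// Walk the body recursively and record every place a secret could leak.
function findSecrets(value, path = '$', findings = []) {
  if (typeof value === 'string') {
    if (MNEMONIC_SHAPE.test(value.trim())) {
      findings.push(`${path}: mnemonic-shaped value`);
    }
  } else if (Array.isArray(value)) {
    value.forEach((item, i) => findSecrets(item, `${path}[${i}]`, findings));
  } else if (value !== null && typeof value === 'object') {
    for (const [key, child] of Object.entries(value)) {
      if (SECRET_FIELD.test(key)) findings.push(`${path}.${key}: secret field`);
      findSecrets(child, `${path}.${key}`, findings);
    }
  }
  return findings;
}

// A KMS-style request must carry a signatureId and nothing secret.
function checkKmsRequest(body) {
  const problems = findSecrets(body);
  if (typeof body.signatureId !== 'string' || !UUID_SHAPE.test(body.signatureId)) {
    problems.push('$.signatureId: missing or not UUID-shaped');
  }
  return { ok: problems.length === 0, problems };
}

// Constructed sample bodies: the "left" (private key) and "right" (KMS) forms.
const transfer = { from: 'SENDER_ADDRESS', to: 'RECIPIENT_ADDRESS', amount: '0.01' };
const withPrivateKey = { ...transfer, privateKey: 'PLACEHOLDER_PRIVATE_KEY' };
const withSignatureId = { ...transfer, signatureId: '00000000-0000-4000-8000-000000000000' };

console.log(checkKmsRequest(withPrivateKey));
console.log(checkKmsRequest(withSignatureId));
```

Run a check like this in the service that builds the API call, so a body that still contains key material is stopped before it leaves the host.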
KMS now detects a new pending transaction, signs it locally and sends the transaction to the blockchain. KMS must also mark the transaction as processed so that it will not be sent to the blockchain again.
When KMS picks up the pending transaction, it will output something like the following sample:
Processing pending transaction - {
"withdrawalId": null,
"chain": "SOL",
"serializedTransaction": "{\"hash\":\"81e62bdfbfc7bcb66c2a2f17335d033fd98b84c1188a7bb379a2dce9f1cda989\",\"version\":2,\"inputs\":[{\"prevTxId\":\"121702fd7acd1b2cca6bd19658009140730ba26ca67cd222c00f952a111e11f4\",\"outputIndex\":0,\"sequenceNumber\":4294967295,\"script\":\"\",\"scriptString\":\"\",\"output\":{\"satoshis\":2000,\"script\":\"76a914c8e668ee829837a2355c1e234a41f53f86b8156c88ac\"}}],\"outputs\":[{\"satoshis\":1000,\"script\":\"001487c70889f0a1d2f632d216a01472dde71f062aa7\"}],\"nLockTime\":0}",
"hashes": [
"b8eb99cd-ba04-4031-a65f-11d6420ebdd1"
],
"index": null,
"withdrawalResponses": null,
"id": "61fe7c68cf2fbc595cbb89dd"
}.

Step 5 - Get transaction details

Using the KMS transaction ID from the id field of the response to the previous request (61fe7c68cf2fbc595cbb89dd in the example above), you can now use the Get transaction details endpoint to acquire the details of the transaction you have just performed.
Request
curl --request GET \
  --url https://api-eu1.tatum.io/v3/kms/61fe7c68cf2fbc595cbb89dd \
  --header 'x-api-key: your-testnet-api-key-from-tatum'
Response
The response will contain the details of your transaction:
{
"withdrawalId": null,
"chain": "SOL",
"serializedTransaction": "{\"hash\":\"81e62bdfbfc7bcb66c2a2f17335d033fd98b84c1188a7bb379a2dce9f1cda989\",\"version\":2,\"inputs\":[{\"prevTxId\":\"121702fd7acd1b2cca6bd19658009140730ba26ca67cd222c00f952a111e11f4\",\"outputIndex\":0,\"sequenceNumber\":4294967295,\"script\":\"\",\"scriptString\":\"\",\"output\":{\"satoshis\":2000,\"script\":\"76a914c8e668ee829837a2355c1e234a41f53f86b8156c88ac\"}}],\"outputs\":[{\"satoshis\":1000,\"script\":\"001487c70889f0a1d2f632d216a01472dde71f062aa7\"}],\"nLockTime\":0}",
"hashes": [
"b8eb99cd-ba04-4031-a65f-11d6420ebdd1"
],
"index": null,
"withdrawalResponses": null,
"txId": "f7572ef070d381612b7594940cc73ec008e796b37a73ff031f3855d2a23c9ade",
"id": "61fe7c68cf2fbc595cbb89dd"
}
The response contains a Bitcoin transaction ID in the txId field (f7572ef070d381612b7594940cc73ec008e796b37a73ff031f3855d2a23c9ade in the example above), which you can use to view the blockchain transaction in any Bitcoin blockchain explorer.