The WaaS instructions, example RN app, and the SDK’s initMPCKeyService function all demonstrate storage and use of the cloud API private key in the mobile app.
However, the WaaS security instructions specifically state to:
Never embed API keys in a deployed code package (mobile or web).
What alternative methods are provided to initialize the MPC Key Service for a device without storing the API key locally in the device?
For the purposes of demonstration, we store the cloud API private key locally.
However, for a real application, the recommended way to store the API Key is via the Proxy Server. Proxy Server | Coinbase Cloud
We’ll update the documentation to make it more clear, thanks! We’ll be releasing a Proxy Server soon!
Yes, the proxy server solves a portion of this problem, but the current setup still requires the device to have the API key locally when calling initMPCKeyService before bootstrapping the device. Either this device initialization needs to occur through the proxy server or that local private key needs to be a device-specific key for the MPC operation.
Hmm, you are right. Our docs are not consistent and we can do a better job with explaining this to our customers.
initMPCSdk and bootstrapDevice to initialize the Device, and use other methods documented (SDK APIs Overview | Coinbase Cloud) for computing MPCOperations. API key is not required by any of the methods documented in that listinitKeyService. But that is only needed to invoke the convenience APIs like poll*. These are used by our demo app, but not expected to be used by customers who have a proxy server set up.We’re actively working on re-clarifying the proxy server doc and we’ll include an example as well. Thanks for this feedback and let us know if this helps. If not, we will keep working with you until this works for your project.