WaaS SDK Private Key Security

The WaaS instructions, example RN app, and the SDK’s initMPCKeyService function all demonstrate storage and use of the cloud API private key in the mobile app.

However, the WaaS security instructions specifically state to:

Never embed API keys in a deployed code package (mobile or web).

What alternative methods are provided to initialize the MPC Key Service for a device without storing the API key locally in the device?


For the purposes of demonstration, we store the cloud API private key locally.

However, for a real application, the recommended way to store the API Key is via the Proxy Server (Proxy Server | Coinbase Cloud).

We’ll update the documentation to make it more clear, thanks! We’ll be releasing a Proxy Server soon!


Yes, the proxy server solves a portion of this problem, but the current setup still requires the device to have the API key locally when calling initMPCKeyService before bootstrapping the device. Either this device initialization needs to occur through the proxy server or that local private key needs to be a device-specific key for the MPC operation.

Hmm, you are right. Our docs are not consistent and we can do a better job with explaining this to our customers.

  1. Our guidance is to not store API key on devices. Instead it should be securely stored on a proxy server and calls can be routed through the proxy server.
  2. initMPCKeyService is not a required method on the SDK, it is a convenience API to help customers bootstrap on the React Native SDK. You only need to call initMPCSdk and bootstrapDevice to initialize the Device, and use other methods documented (SDK APIs Overview | Coinbase Cloud) for computing MPCOperations. API key is not required by any of the methods documented in that list.
  3. You do need an API key to invoke initKeyService. But that is only needed to invoke the convenience APIs like poll*. These are used by our demo app, but not expected to be used by customers who have a proxy server set up.

We’re actively working on re-clarifying the proxy server doc and we’ll include an example as well. Thanks for this feedback and let us know if this helps. If not, we will keep working with you until this works for your project.

  1. WaaS platform: Which cloud platform is WaaS referring to? Is it Google Cloud Platform (GCP), Amazon Web Services (AWS), or another platform?
  2. Example RN app: What is the purpose of this example app, and how does it use the MPC Key Service?
  3. SDK’s initMPCKeyService function: What are the arguments and expected behavior of this function?
  4. WaaS security instructions: Can you share the specific instructions related to storing API keys?