Skip to main content

Authenticating the Callback Handler Response Object

When setting up the Callback Handler server for an API user paired with the Co-signer, you can choose between five options to secure the communication between them. This selection determines the payload structure of the POST request sent by the Co-signer to the Callback Handler server. It also defines how the request is authenticated by the Callback Handler. More details are provided below.

Option 1: Public key authentication

In this option, the Co-signer and the Callback Handler exchange JSON Web Token (JWT) encoded messages, each signed with their respective private keys. The Co-signer’s POST request to the Callback Handler server and the Callback Handler’s response to the Co-signer are authenticated using their corresponding public keys.

JWT-encoded signed request

  • The Co-signer, acting as a client of the Callback Handler server, sends a POST request and uses its private key to sign the JWT-encoded message.
  • The Callback Handler uses the Co-signer’s public key to authenticate the message and ensure it originated from the Co-signer.
  • You can retrieve the Co-signer’s public key directly from the Co-signer (see the guides).
Note: The same Co-signer private key is used to sign request messages sent to the Callback Handler server for all API users paired with this Co-signer.

JWT-encoded signed response

  • The Callback Handler responds with a JWT-encoded message signed with its private key.
  • The Co-signer uses the Callback Handler’s public key to authenticate the message and ensure it originated from it.
  • You provide the API user’s Callback Handler public key to the Co-signer during installation or while configuring the Callback Handler for that API user. This public key corresponds to the private key used by the Callback Handler to sign JWT-encoded response messages.
Follow these steps to generate a private-public key pair for signing JWT-encoded responses. This allows the Co-signer to authenticate your Callback Handler’s responses using the corresponding public key:
  1. Generate a private key using the following command:
openssl genrsa -out callback_private.pem 2048
Note: Only RSA 2048 bit keys are supported for public key Callback Handler response authentication.
  1. Export the public key from the previously generated private key using the following command:
openssl rsa -in callback_private.pem -outform PEM -pubout -out callback_public.pem
  1. Use this public key to configure the Co-signer’s Callback Handler for the specified API user.
  2. Set up the Callback Handler as an HTTPS server using a certificate signed by a trusted Certificate Authority (CA). Configure the Callback Handler endpoints to include a /v2 prefix in their URLs:
https://your_callback_base_url/v2/tx_sign_request or https://your_callback_base_url/v2/config_change_sign_request

Communication channel security

TLS communication between the Co-signer and the Callback Handler server requires the Callback Handler to operate as an HTTPS server with a certificate signed by a trusted Certificate Authority (CA).

Option 2: Self-Signed Certificate-based communication (Certificate pinning)

In this option, a self-signed certificate or a certificate signed by a trusted Certificate Authority (CA) is used to establish certificate-pinning-based secure communication between the Co-signer and the Callback Handler. TLS certificate authentication occurs during SSL negotiation and is based on the certificate you provide to the Co-signer. The certificate is provided to the Co-signer during installation or while configuring the Callback Handler for a specific API user. In this setup, both the Co-signer’s POST request to the Callback Handler server and the server’s response are in JSON format, instead of using signed JWTs. Create a certificate and sign it yourself or have it signed by a trusted CA; set up an HTTPS server and configure your Callback Handler endpoints to respond to requests that do not include a /v2 prefix:
https://your_callback_base_url/tx_sign_request or https://your_callback_base_url/config_change_sign_request

Option 3: Root-CA Certificate-based communication

Note: This feature requires Co-signers version 2025.12.11 or newer.
In this option, a Root-CA certificate is used to establish certificate-based secure communication between the Co-signer and the Callback Handler. TLS certificate authentication occurs during SSL negotiation and is based on the Root-CA certificate you provide to the Co-signer. The Root-CA certificate is provided to the Co-signer during installation or while configuring the Callback Handler for a specific API user. A certificate that was signed by the Root-CA needs to be provided to the Co-signer by the Callback Handler during the TLS certificate authentication. In this setup, both the Co-signer’s POST request to the Callback Handler server and the server’s response are in JSON format, instead of using signed JWTs. Create a certificate and have it signed by the Root-CA; set up an HTTPS server and configure your Callback Handler endpoints to respond to requests that do not include a /v2 prefix:
https://your_callback_base_url/tx_sign_request or https://your_callback_base_url/config_change_sign_request

Option 4: Hybrid - Public key authentication with certificate pinning

Note: This feature requires Co-signer version 2025.12.11 or newer and is currently supported only by the SGX cosigner.
This hybrid option combines the message-level security of Option 1(public key authentication) with the transport-level security of Option 2 (certificate pinning). In this configuration:
  • TLS Layer: The secure TLS connection is established using certificate pinning with a self-signed certificate or a certificate signed by a trusted Certificate Authority (CA), as described in Option 2.
  • Message Layer: Communication messages are exchanged as JWT-encoded messages signed with private keys, exactly as described in Option 1.
This approach provides dual-layer security:
  1. The TLS handshake authenticates the Callback Handler server using the pinned certificate
  2. The JWT signatures authenticate individual messages using public key cryptography

Configuration steps:

  1. Create a certificate and sign it yourself or have it signed by a trusted CA
  2. Provide the certificate to the Co-signer during installation or while configuring the Callback Handler for the specific API user
  3. Generate and configure JWT signing keys as described in Option 1:
    1. Generate a private-public key pair for the Callback Handler
    2. Provide the public key to the Co-signer for JWT verification
  4. Configure your Callback Handler endpoints to include a /v2 prefix (as in Option 1):
    https://your_callback_base_url/v2/tx_sign_request or https://your_callback_base_url/v2/config_change_sign_request
  5. Implement your Callback Handler to:
    1. Accept JWT-encoded requests from the Co-signer
    2. Respond with JWT-encoded messages signed with your private key

Option 5: Hybrid - Public key authentication with Root-CA certificate

Note: This feature requires Co-signer version 2025.12.11 or newer and is currently supported only by the SGX cosigner.
This hybrid option combines the message-level security of Option 1(public key authentication) with the transport-level security of Option 3 (Root-CA certificate validation). In this configuration:
  • TLS Layer: The secure TLS connection is established using Root-CA certificate validation, as described in Option 3.
  • Message Layer: Communication messages are exchanged as JWT-encoded messages signed with private keys, exactly as described in Option 1.
This approach provides dual-layer security:
  1. The TLS handshake authenticates the Callback Handler server using Root-CA certificate validation
  2. The JWT signatures authenticate individual messages using public key cryptography

Configuration steps:

  1. Create a certificate and have it signed by your Root-CA
  2. Provide the Root-CA certificate to the Co-signer during installation or while configuring the Callback Handler for the specific API user
  3. Generate and configure JWT signing keys as described in Option 1:
    1. Generate a private-public key pair for the Callback Handler
    2. Provide the public key to the Co-signer for JWT verification
  4. Configure your Callback Handler endpoints to include a /v2 prefix (as in Option 1):
    https://your_callback_base_url/v2/tx_sign_request or https://your_callback_base_url/v2/config_change_sign_request
  5. Implement your Callback Handler to:
    1. Accept JWT-encoded requests from the Co-signer
    2. Respond with JWT-encoded messages signed with your private key
Note: When adding the Callback Handler URL to the Co-signer, you should pass only the base URL + custom relative path. The /v2/tx_sign_request or /v2/config_change_sign_request relative paths will be automatically added upon each request made by the Co-signer. For example if you exposed the Callback Handler URL in the following path: https://subdomain.example.com/fireblocks/callback_handler/v2/tx_sign_request You should configure the following URL in the Co-signer: https://subdomain.example.com/fireblocks/callback_handler