Develop & Integrate
Explore & DesignDevelop & IntegrateEmbedded Wallet GuidesChangelogCommunityStatusRequest Demo

Add a New Co-signer to the Workspace

Overview and prerequisites

To connect a new Co-signer to your workspace, pair it with an API user from the workspace. It is recommended to create a new API user for that purpose. The pairing process for the first API user requires admin-level access to the Fireblocks Console and the owner's availability to approve the necessary workspace configuration operations.

Pairing the Co-signer is performed using a JWT-encoded Pairing Token obtained from the Console for a specific API user. This pairing token is used during Co-signer installation to pair the initial API user, enabling communication with Fireblocks' SaaS. The Co-signer is identified exclusively by the workspace and the API user used to establish the connection.

During installation, you will use the following items you retrieve from the Fireblocks Console. Copy them to your clipboard for later use:

  • The API user's pairing token
  • The download link of the installation script that matches your Co-signer type: Intel SGX, AWS Nitro, or Google Cloud Confidential Space.

Step 1: Add a new API user and choose the Co-signer type

Add a new API user to the workspace using the Fireblocks APIs or the API Users tab in the Console's Developer Center. This API user will enable the Co-signer to connect to the workspace.

  • Enter the name of the new API user (you can enter up to 30 characters)
  • Select the role you want to assign to the API user
  • Attach a CSR file

Note: While the Co-signer does not use the CSR file to connect to the workspace, you must still provide it. This is necessary because the API user can be used to make API calls.


Co-Signer Setup

  • Choose the Proprietary SGX machine option.
    Choose this option even if you plan to install a different Co-signer type (e.g., AWS Nitro or GCP Confidential Space).
  • If you are in your testnet workspace, you can also choose the Fireblocks Communal Test Co-Signer option to automatically connect the API user to the Fireblocks Communal Test Co-signer.

First user on this machine (this only applies to SGX Co-signers)

  • If you plan to use the API user to install a new SGX Co-signer, select this checkbox.
  • Otherwise, leave it empty.

Step 2: Copy the API user's pairing token

Navigate to the Users tab within Settings, and find the newly added API user. Click Pending setup from the context menu and copy the API user's pairing token to your clipboard.

Note: In mainnet workspaces, the pairing token is valid for 1 hour.


Step 3: Copy the download link of the Co-signer's installation script

Navigate to the Co-signers tab within the Developer Center and click Learn about co-signers. Use the provided copy buttons to copy the download link for the Co-signer's installation script to your clipboard.

If you have any issues with finding or retrieving the download link of the Co-signer's installation script in the Console, contact Fireblocks Support.