Overview and prerequisites
To connect a new Co-signer to your workspace, pair it with an API user from the workspace. It is recommended to create a new API user for that purpose. The pairing process for the first API user requires admin-level access to the Fireblocks Console and the owner's availability to approve the necessary workspace configuration operations.
Pairing the Co-signer is performed using a JWT-encoded Pairing Token obtained from the Console for a specific API user. This pairing token is used during Co-signer installation to pair the initial API user, enabling communication with Fireblocks' SaaS. The Co-signer is identified exclusively by the workspace and the API user used to establish the connection.
During installation, you will use the following items you retrieve from the Fireblocks Console. Copy them to your clipboard for later use:
- The API user's pairing token
- The download link of the installation script that matches your Co-signer type: Intel SGX, AWS Nitro, or Google Cloud Confidential Space.
Step 1: Add a new API user
Add a new API user to the workspace using the Fireblocks APIs or the API Users tab in the Console's Developer Center. This API user will enable the Co-signer to connect to the workspace.
- Enter the name of the new API user (you can enter up to 30 characters)
- Select the role you want to assign to the API user
- Attach a CSR file
Note: While the Co-signer does not use the CSR file to connect to the workspace, you must still provide it. This is necessary because the API user can be used to make API calls.
Step 2: Add a new Co-signer to the workspace
Add a new Co-signer to the workspace using the Fireblocks Co-signer APIs or the Co-signers tab in the Console's Developer Center.
To add a new Co-signer to the workspace, click "Add co-signer" and follow the instructions:
- Enter the name of the new Co-signer
- Select "Install a new co-signer on the local machine" and press "Continue"
- Choose an available API user from the list (only API users not already paired with Co-signers will be displayed)
- Click "Add" to create a new Co-signer entry
The new Co-signer will now appear in the list of Co-signers in the Co-signers tab. It is not yet connected to the workspace, so it appears as offline. The connection will be established once you complete the installation process.
Step 3: Copy the API user's pairing token and the download link of the installation script
Click "Pair API User" in the new Co-signer's entry to open a dialog, and follow the instructions:
- Copy the API user's pairing token to your clipboard
In mainnet workspaces, the pairing token is valid for 1 hour - Copy the download link for the AWS Nitro Co-signer installation package (found under "Manual") to your clipboard
This link is valid for 7 days
Note: If you have any issues with finding or retrieving the download link of the Co-signer's installation script in the Console, contact Fireblocks Support.