The v2 Wallet API is secured by CDP’s Trusted Execution Environment (TEE) - a highly isolated compute environment that is used for sensitive cryptographic operations such as private key generation and transaction signing. CDP uses AWS Nitro Enclaves to host the TEE. The TEE has no persistent storage, no interactive access, and no external networking, ensuring that even a root user or an admin user on the EC2 instance will not be able to access or SSH into the TEE. As such, all operations that take place in the TEE are not visible to CDP, AWS, or the outside world.

TEE architecture diagram

The following diagram demonstrates the architecture of the TEE:

How it works

  1. Incoming requests to the v2 Wallet API are authenticated with the developer’s Wallet Secret.
  2. After the request is validated, it is forwarded to the TEE over VSOCK, which is the only channel for data flowing to and from the TEE.
  3. The TEE performs sensitive operations, including verifying the wallet authentication signature, private key generation, and transaction signing. Account private keys are encrypted and decrypted inside the enclave, and never leave the TEE. An encrypted version of the private keys is stored in CDP’s database, only accessible to the developer with the corresponding Wallet Secret.
  4. The resulting payload is sent back to the v2 Wallet API over VSOCK.
  5. The v2 Wallet API returns the result to the client.

Wallet Secrets

Wallet Secrets are used to authenticate requests to the v2 Wallet API. They are secp256r1 ECDSA asymmetric private keys that are used to sign and verify requests to the v2 Wallet API. Read more about using Wallet Secrets in our v2 API Reference documentation.
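
The sign-and-verify pattern described above, sketched as an added example in Go; it is not CDP's code or wire format. The signed message layout (method, path, body hash), the `/example/accounts` path, and all function names are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// requestDigest binds the signature to method, path and body so none of
// them can be changed after signing. Layout is assumed, not CDP's format.
func requestDigest(method, path string, body []byte) []byte {
	bodyHash := sha256.Sum256(body)
	msg := fmt.Sprintf("%s\n%s\n%x", method, path, bodyHash)
	d := sha256.Sum256([]byte(msg))
	return d[:]
}

// newKey generates a secp256r1 (NIST P-256) key pair.
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// signRequest is the client side: it signs with the private key.
func signRequest(key *ecdsa.PrivateKey, method, path string, body []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, key, requestDigest(method, path, body))
}

// verifyRequest is the verifier side: only the public key is needed.
func verifyRequest(pub *ecdsa.PublicKey, method, path string, body, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, requestDigest(method, path, body), sig)
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	body := []byte(`{"name":"example-account"}`) // constructed sample body
	sig, err := signRequest(key, "POST", "/example/accounts", body)
	if err != nil {
		panic(err)
	}
	tampered := []byte(`{"name":"other-account"}`)
	fmt.Println("original:", verifyRequest(&key.PublicKey, "POST", "/example/accounts", body, sig))
	fmt.Println("tampered:", verifyRequest(&key.PublicKey, "POST", "/example/accounts", tampered, sig))
}
```

A signature over the request alone does not stop replay; a real scheme would also sign a timestamp or nonce and reject stale or repeated values.
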

Create a Wallet Secret

Configure your Wallet Secret in the Wallet API page of the CDP Portal.

Wallet Secret configuration is currently a one-time operation. Once configured, the Wallet Secret cannot be changed. In the future, CDP will allow you to rotate your Wallet Secret.