Wallet operations
Co-Signer
The Co-Signer is the client-run component that participates in MPC signing.
It is designed so you keep a key share and enforce your own approval policy before a withdrawal or transfer is signed.
Role in the architecture
BroSettlement coordinates wallet operations and signing sessions, but the normal signing path requires client-side participation.
The Co-Signer:
- Runs in your own cloud, VPC, or controlled environment.
- Holds the client key share.
- Authenticates to BroSettlement using API credentials.
- Participates in MPC signing sessions.
- Applies your signing policy before it agrees to participate in a signing session.
Signing flow
- Create a transaction intent
  Your backend requests a withdrawal or transfer through the BroSettlement API.
- Evaluate client policy
  Your systems check destination, amount, asset, user role, time window, and approval requirements.
- Start MPC signing
  BroSettlement coordinates a signing session with the Co-Signer.
- Produce a signed transaction
  The required key shares produce a valid signature without reconstructing the full private key in one place.
- Broadcast and monitor
  The transaction is broadcast and lifecycle events are delivered to your systems.
Policy examples
Common policy checks include:
- Amount limits.
- Destination allowlists.
- Manual approval thresholds.
- Role-based approval requirements.
- Asset or network restrictions.
- Time-of-day restrictions.
- Step-up authentication for sensitive actions.
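One way to combine several of these checks into a single decision with auditable reasons. This is an added example, not BroSettlement code: the `Intent` and `Policy` shapes, the reason strings, and all sample values are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from decimal import Decimal

@dataclass(frozen=True)
class Intent:                      # hypothetical request shape, not the BroSettlement schema
    asset: str
    network: str
    destination: str
    amount: Decimal
    approvals: frozenset = frozenset()   # roles that have already approved

@dataclass(frozen=True)
class Policy:                      # all limits below are constructed sample values
    assets: frozenset              # allowed (asset, network) pairs
    allowlist: frozenset           # allowed destination addresses (exact match)
    max_amount: Decimal            # hard per-transaction limit
    manual_threshold: Decimal      # at or above this, required_roles must approve
    required_roles: frozenset
    window: tuple                  # (start, end) as UTC times, end exclusive

def evaluate(intent: Intent, policy: Policy, now: datetime):
    """Return (decision, reasons). `now` must be timezone-aware.
    Every rule runs so the audit record lists all failures, not just the first."""
    deny, review = [], []
    if (intent.asset, intent.network) not in policy.assets:
        deny.append("asset_or_network_not_allowed")
    if intent.destination not in policy.allowlist:
        deny.append("destination_not_allowlisted")
    amt = intent.amount
    if not amt.is_finite() or amt <= 0 or amt > policy.max_amount:
        deny.append("amount_outside_limit")   # also rejects NaN and Infinity
    elif amt >= policy.manual_threshold:
        missing = policy.required_roles - intent.approvals
        if missing:
            review.append("missing_approval:" + ",".join(sorted(missing)))
    start, end = policy.window
    if not (start <= now.astimezone(timezone.utc).time() < end):
        deny.append("outside_time_window")
    if deny:
        return "DENY", deny        # do not join the signing session
    if review:
        return "REVIEW", review    # hold until the missing approvals arrive
    return "APPROVE", []

SAMPLE_POLICY = Policy(
    assets=frozenset({("USDC", "ethereum")}),
    allowlist=frozenset({"0xTREASURY_PLACEHOLDER"}),
    max_amount=Decimal("50000"), manual_threshold=Decimal("10000"),
    required_roles=frozenset({"treasury_lead"}), window=(time(8, 0), time(18, 0)))
```

Logging the returned decision and reason list alongside the intent gives each signing request a record of which rule blocked or held it.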
Operational considerations
- Keep Co-Signer secrets in your own secrets manager.
- Monitor Co-Signer health and connectivity.
- Design withdrawal flows to handle degraded states, such as the Co-Signer being offline.
- Keep policy decisions auditable.
- Rotate or revoke key material when ownership changes.