Co-Signer

The Co-Signer is the client-run component that participates in MPC signing.

It is designed so you keep a key share and enforce your own approval policy before a withdrawal or transfer is signed.

Role in the architecture

BroSettlement coordinates wallet operations and signing sessions, but the normal signing path requires client-side participation.

The Co-Signer:

  • Runs in your own cloud, VPC, or controlled environment.
  • Holds the client key share.
  • Authenticates to BroSettlement using API credentials.
  • Participates in MPC signing sessions.
  • Applies your signing policy before approving signing participation.

Signing flow

  1. Create a transaction intent

Your backend requests a withdrawal or transfer through the BroSettlement API.

  2. Evaluate client policy

Your systems check destination, amount, asset, user role, time window, and approval requirements.

  3. Start MPC signing

BroSettlement coordinates a signing session with the Co-Signer.

  4. Produce a signed transaction

The required key shares produce a valid signature without reconstructing the full private key in one place.

  5. Broadcast and monitor

The transaction is broadcast and lifecycle events are delivered to your systems.

Policy examples

Common policy checks include:

  • Amount limits.
  • Destination allowlists.
  • Manual approval thresholds.
  • Role-based approval requirements.
  • Asset or network restrictions.
  • Time-of-day restrictions.
  • Step-up authentication for sensitive actions.
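
One way to combine several of these checks into a single decision that runs before the Co-Signer joins a signing session. This is an added example, not BroSettlement or Co-Signer code; the `Intent` and `Policy` fields, the limits and the sample address are assumptions made for illustration. Every failed check is recorded, so the returned record can be logged as the audit trail for the decision.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone
from decimal import Decimal

# All names and values here are constructed for illustration, not API fields.
@dataclass(frozen=True)
class Intent:
    asset: str
    network: str
    destination: str
    amount: Decimal
    requester_role: str
    approvals: frozenset = frozenset()  # roles that manually approved

@dataclass(frozen=True)
class Policy:
    allowed_assets: frozenset       # permitted (asset, network) pairs
    destinations: frozenset         # destination allowlist
    max_amount: Decimal             # hard per-transaction limit
    approval_over: Decimal          # above this, approvers must sign off
    approvers: frozenset            # roles whose approval is required
    window: tuple                   # (start, end) UTC, must not wrap midnight
    requester_roles: frozenset      # roles allowed to request

SAMPLE_POLICY = Policy(  # constructed values
    frozenset({("USDC", "ethereum")}), frozenset({"0xTREASURY-EXAMPLE"}),
    Decimal("50000"), Decimal("10000"), frozenset({"cfo"}),
    (time(8, 0), time(18, 0)), frozenset({"treasury_ops"}))

def evaluate(intent: Intent, policy: Policy, now: datetime) -> dict:
    """Return an audit record; decision is 'approve', 'hold' or 'deny'."""
    deny, hold = [], []
    if (intent.asset, intent.network) not in policy.allowed_assets:
        deny.append("asset_or_network_not_allowed")
    if intent.destination not in policy.destinations:
        deny.append("destination_not_allowlisted")
    if not (Decimal(0) < intent.amount <= policy.max_amount):
        deny.append("amount_out_of_range")
    if intent.requester_role not in policy.requester_roles:
        deny.append("role_not_permitted")
    start, end = policy.window
    if not (start <= now.astimezone(timezone.utc).time() <= end):
        deny.append("outside_time_window")
    missing = policy.approvers - intent.approvals
    if intent.amount > policy.approval_over and missing:
        hold.append("awaiting_approval:" + ",".join(sorted(missing)))
    decision = "deny" if deny else "hold" if hold else "approve"
    return {"decision": decision, "reasons": deny + hold,
            "evaluated_at": now.isoformat(), "intent": intent}
```

Only an `approve` result should let the Co-Signer take part in signing; `hold` and `deny` both leave the key share unused. Pass `now` as a timezone-aware datetime.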

Operational considerations

  • Keep Co-Signer secrets in your own secrets manager.
  • Monitor Co-Signer health and connectivity.
  • Design withdrawal flows for degraded states if the Co-Signer is offline.
  • Keep policy decisions auditable.
  • Rotate or revoke key material when ownership changes.