Security
Overview
The v2 Wallet API is secured by CDP’s Trusted Execution Environment (TEE), a highly isolated compute environment that is used for sensitive cryptographic operations such as private key generation and transaction signing.
The TEE is hosted on AWS Nitro Enclaves, an isolated, secure compute environment. The TEE has no persistent storage, no interactive access, and no external networking, ensuring that even a root or admin user cannot access or SSH into the TEE.
No operation that takes place in the TEE is visible to CDP, AWS, or the outside world.
TEE architecture
The following diagram demonstrates the architecture of the TEE:
How it works
- Incoming requests to the v2 Wallet API are authenticated with the developer’s Wallet Secret.
- After the request is validated, it is forwarded to the TEE over VSOCK, the only channel through which data flows to and from the TEE.
- The TEE performs sensitive operations, including verifying the wallet authentication signature, private key generation, and transaction signing. Account private keys are encrypted and decrypted exclusively within the enclave, and never leave the TEE. Encrypted versions of the private keys are stored in CDP’s database and can only be accessed by the developer with the corresponding Wallet Secret.
- The resulting payload is sent back to the v2 Wallet API over VSOCK.
- The v2 Wallet API returns the result to the client.
Wallet Secrets
Wallet Secrets are used to authenticate requests to the v2 Wallet API.
Wallet Secrets are asymmetric private keys that conform to ECDSA, a cryptographic technique for creating and verifying digital signatures. They rely on the secp256r1 elliptic curve (also known as P-256), making keys small, fast, and highly secure.
Read more about using Wallet Secrets in our v2 API Reference documentation.
Configure your Wallet Secret in the Wallet API page of the CDP Portal.
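The following is an added example, not CDP's code or wire format: it shows how an ECDSA P-256 private key can authenticate a request so that a verifier holding only the public key rejects a changed body, a changed path, or a different key. The canonical request layout, the `/example/...` paths, and all function names are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed stand-in for a Wallet Secret: a fresh P-256 key pair.
// Node's name for secp256r1 / P-256 is 'prime256v1'.
function generateSecret() {
  return crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
}

// Hypothetical canonical form (an assumption, not CDP's format): binds the
// method, path and body hash so a signature cannot be reused for a different request.
function canonicalRequest(method, path, body) {
  const bodyHash = crypto.createHash('sha256').update(body).digest('hex');
  return Buffer.from(`${method.toUpperCase()}\n${path}\n${bodyHash}`, 'utf8');
}

// Client side: ECDSA over SHA-256 with the private key, raw r||s encoding.
function signRequest(privateKey, method, path, body) {
  const data = canonicalRequest(method, path, body);
  const sig = crypto.sign('sha256', data, { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return sig.toString('base64url');
}

// Verifier side: needs only the public key, never the secret itself.
function verifyRequest(publicKey, method, path, body, signatureB64) {
  const sig = Buffer.from(signatureB64, 'base64url');
  if (sig.length !== 64) return false; // a P-256 r||s signature is exactly 64 bytes
  const data = canonicalRequest(method, path, body);
  return crypto.verify('sha256', data, { key: publicKey, dsaEncoding: 'ieee-p1363' }, sig);
}

// Constructed sample request; the path and body are placeholders.
function demo() {
  const { privateKey, publicKey } = generateSecret();
  const other = generateSecret();
  const body = JSON.stringify({ name: 'example-account' });
  const sig = signRequest(privateKey, 'POST', '/example/accounts', body);
  const check = (key, m, p, b) => verifyRequest(key, m, p, b, sig);
  return {
    sigBytes: Buffer.from(sig, 'base64url').length,
    valid: check(publicKey, 'POST', '/example/accounts', body),
    tamperedBody: check(publicKey, 'POST', '/example/accounts', body + ' '),
    otherPath: check(publicKey, 'POST', '/example/other', body),
    otherKey: check(other.publicKey, 'POST', '/example/accounts', body),
  };
}

console.log(demo());
```

This sketch carries no nonce or expiry, so it does not by itself stop a replay of the identical request.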
2FA
To increase the security of your wallet, we recommend enabling two-factor authentication (2FA).
We support physical security keys, passkeys, Google or Duo authentication apps, security push notifications, and even trusted contacts.
When enabling 2FA, we strongly advise against using SMS; use a physical security key or another more secure method instead.
Lost access
If you lose access to your Wallet Secret, you can delete the old secret and generate a new one through the CDP Portal. See Wallet Secret Rotation for more information on how to update your secret and manage two-factor authentication.
What to read next
- v2 API Reference documentation: Learn how to use Wallet Secrets to authenticate requests to the v2 Wallet API.
- v2 Wallet API Quickstart: Learn how to use the v2 Wallet API to create a new wallet and perform transactions.
- Wallet Secret Rotation: Learn how to update your Wallet Secret and manage two-factor authentication.