SEP: 0019
Title: Bootstrapping Multisig Transaction Submission
Author: Paul Selden <[email protected]>, Nikhil Saraf <[email protected]>
Track: Standard
Status: Draft
Created: 2018-12-07
Discussion: [https://groups.google.com/forum/#!msg/stellar-dev/-erucceOKbs/ewjFSQcNBwAJ](SEP: Bootstrapping Multisig Coordination)
Provides a standard way for multisig accounts to designate where transactions should be submitted for coordination of additional signatures.
An account may designate which multisig server to use in a data entry that points to a server with a stellar.toml
file. This file contains a MULTISIG_ENDPOINT
field which is an API where multisig transactions should be submitted. Wallets should implement this SEP so they can support multisig accounts without requiring them to run a multisig service themselves.
Currently there are only a few public tools that allow for multisig accounts, and they all do it by implementing their own signature coordinator services to do so. Wallets or other services that do not implement their own backends have no real way to deal with multisig accounts, so most of them just don't at all. By allowing an account to specify where they want their multisig transactions submitted to, it enables those wallets to interop with existing multisig services without relying on vendor-specific SDKs and APIs.
Additionally, there may be use cases where users do not want their multisig transactions broadcasted to a public coordinator, but would still like to use existing wallets to submit them to a private coordinator.
A multisig account adds a data entry with the key config.multisig.coordinator
and the value of a hostname used to resolve the stellar.toml
file of the multisig service.
Example:
Key: config.multisig.coordinator
Value: stellarguard.me
Multisig coordinators advertise the existence of their service through the stellar.toml
file. The top-level parameter MULTISIG_ENDPOINT
should contain a fully-qualified URL of a multisig coordination service where transactions should be submitted.
Example of stellar.toml
:
MULTISIG_ENDPOINT="https://stellarguard.me/api/transactions"
Multisig Services must expose two REST API endpoints.
This is the endpoint defined in the stellar.toml
under the MULTISIG_ENDPOINT
key.
POST MULTISIG_ENDPOINT
ContentType: application/json
.
Request Body Parameters:
Name | Type | Description |
---|---|---|
uri |
string | A SEP-0007 style tx URI for the transaction to sign. |
Example:
POST https://stellarguard.me/api/transactions
{
"uri": "web+stellar:tx?xdr=AAAAAHFd0%2BHQV5u%2FY%2FfM3%2BVelUr1IWwSFL8CUDIAUudUdD4MAAAAZAADyI8AAAADAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAcV3T4dBXm79j98zf5V6VSvUhbBIUvwJQMgBS51R0PgwAAAAAAAAAAACYloAAAAAAAAAAAVR0PgwAAABAEw8ODG0iixkbAHg1aJATAnZS2531PhGauuSvFDad2WxHKzIenUNbc7K5mGiSpe5jvqe19OQCbNFuBjqN11jfBw%3D%3D"
}
On success, the endpoint should return a 200 HTTP status code and a JSON-encoded object.
Response fields:
Name | Type | Description |
---|---|---|
id |
string | Required. An identifier for the multisig request that is generated by the multisig service. |
statusHref |
string | Required. A fully qualified url where an agent can poll for updates on the status of the multisig request. This is specified in the Status Endpoint section. |
extras |
object | Optional. An object that contains additional application specific response data which could be used to provide an enhanced user experience. For instance, showing a link to authorize a transaction. |
Example:
{
"id": "c585ceee-b1b9-4009-aa37-b8544346a036",
"statusHref": "https://stellarguard.me/api/transactions/c585ceee-b1b9-4009-aa37-b8544346a036",
"extras": {
"isStellarGuard": true,
"url": "https://stellarguard.me/transactions/c585ceee-b1b9-4009-aa37-b8544346a036"
}
}
This will be used to query for the status of a multisig transaction.
GET MULTISIG_ENDPOINT>/:id
Request Path Parameters:
Name | Type | Description |
---|---|---|
id |
string | Required. The id used to look up the status, which was returned in the submit transaction response. |
Example:
GET https://stellarguard.me/api/transactions/c585ceee-b1b9-4009-aa37-b8544346a036
On success, the endpoint should return a 200 OK
HTTP status code and a JSON-encoded object.
Response fields:
Name | Type | Description |
---|---|---|
id |
string | Required. An identifier for the multisig request that is generated by the multisig service. |
status |
string | Required. An string indicating the status of the multisig request which can have one of the following values: - pending - The request requires more signatures- success - The transaction has been fully signed- failed - There was an error with the transaction and it could not be submitted successfully |
uri |
string | Required. The original SEP-0007 URI that was submitted to the service. |
signers |
string[] | Required. An array of public keys that have signed the transaction. |
xdr |
string | Required. The current state of the transaction XDR, including any additional signatures. |
Example:
{
"id": "c585ceee-b1b9-4009-aa37-b8544346a036",
"status": "pending",
"uri": "web+stellar:tx?xdr=AAAAAHFd0%2BHQV5u%2FY%2FfM3%2BVelUr1IWwSFL8CUDIAUudUdD4MAAAAZAADyI8AAAADAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAcV3T4dBXm79j98zf5V6VSvUhbBIUvwJQMgBS51R0PgwAAAAAAAAAAACYloAAAAAAAAAAAVR0PgwAAABAEw8ODG0iixkbAHg1aJATAnZS2531PhGauuSvFDad2WxHKzIenUNbc7K5mGiSpe5jvqe19OQCbNFuBjqN11jfBw%3D%3D",
"signers": ["GBYV3U7B2BLZXP3D67GN7ZK6SVFPKILMCIKL6ASQGIAFFZ2UOQ7AZB5V"],
"xdr": "AAAAAHFd0+HQV5u/Y/fM3+VelUr1IWwSFL8CUDIAUudUdD4MAAAAZAADyI8AAAADAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAcV3T4dBXm79j98zf5V6VSvUhbBIUvwJQMgBS51R0PgwAAAAAAAAAAACYloAAAAAAAAAAAVR0PgwAAABAEw8ODG0iixkbAHg1aJATAnZS2531PhGauuSvFDad2WxHKzIenUNbc7K5mGiSpe5jvqe19OQCbNFuBjqN11jfBw=="
}
In order to comply with browser cross-origin access policies, the service should provide wildcard CORS response HTTP header. The following HTTP header must be set for the API endpoints:
Access-Control-Allow-Origin: *
- Look up the data entry with the key
config.multisig.coordinator
on the transaction source account. If the entry does not exist on the account, do not continue with this flow. - Resolve the
stellar.toml
associated with the account'sconfig.multisig.coordinator
entry and return theMULTISIG_ENDPOINT
field. - Convert the transaction to a SEP-0007 style URI, setting any additional parameters such as
callback
. - Before submitting the transaction, it should contain at least one valid signature.
POST
to theMULTISIG_ENDPOINT
endpoint with the SEP-0007tx
URI in the body as the parameteruri
.- The service responds with a 200 HTTP status code and a JSON object specified in the Submit Transaction Endpoint Response section.
When implementing StellarGuard for the Stellar Account Viewer, it was rightly pointed out it should avoid vendor-specific implementation. This SEP provides an alternative approach that can be used by tools that want to support multisig accounts without implementing a multisig server for each product.
One design choice was whether to skip the stellar.toml
step and add the fully qualified multisig server endpoint to the account's data field. The stellar.toml
approach affords greater flexibilty for the server to change its implementations. It is much easier to update the stellar.toml
than to update the data entry of every account that uses it.
The server implementation is currently live on https://test.stellarguard.me and https://stellarguard.me.
A library that implements this protocol has been published here: https://github.com/stellarguard/multisig-utils
A demo using that library that submits to the StellarGuard multisig endpoint: https://stellarguard.github.io/multisig-utils/demo/