Administrators and Key Users


An Admin User can be used to make changes to the system (see below), but is not allowed to create or use keys.

adminClient, err := tsm.NewPasswordClientFromCredentials(adminCreds)
if err != nil {

For the examples below, the adminClient refers to the code above.

usersClient = tsm.NewUsersClient(adminClient)
userCreds, err := usersClient.CreatePasswordUser("user", "")
err := adminClient.AuthenticatedPing(0) // node index as parameter, only nodes controlled by this SDK
err = adminClient.Pause()

// Now key generation and reshare is not allowed
// but these are operations are backup safe and can be performed (using ECDSA as example)
// ecdsaClient.PublicKey(keyID, nil)
// ecdsaClient.Sign(keyID, nil, messageHash[:])
// ecdsaClient.PresigGen(keyID, 10)
// ecdsaClient.PartialSignWithPresig(keyID, "", nil, messageHash[:])

err = admClient.Resume()
// Key generation and reshare allowed
usersClient := tsm.NewUsersClient(adminClient)
newCredentials, err := usersClient.ResetPassword(credentials.UserID)
usersClient := tsm.NewUsersClient(adminClient)
err := usersClient.Disable(credentials.UserID)
// User is not allowed to perform operations, but is not deleted

err = usersClient.Enable(credentials.UserID)
// User can perform operations

Key User

A Key User (or Password User) is used to create keys, and to use these keys for signing. Keys are locked to the Key User who created the key.

client, err := tsm.NewPasswordClientFromCredentials(userCreds)
if err != nil {

For the examples below, the client refers to the code above.

ecdsaClient := tsm.NewECDSAClient(client)
curveName := "secp256k1"
keyID, err := ecdsaClient.Keygen(curveName)