Each MPC node in the TSM is controlled by an SDK. When the SDK is initiated, it must be authenticated. When the authentication succeeds, the SDK is logged into the MPC node on a given application. The MPC node can have many applications. SDKs that are logged into the same application have access to the same keys.

The following types of authentication are supported:

Authenticaton with API Keys

Assuming that the MPC node URL is and that the MPC node is configured to accept the API key apikey , you can log in like this:

config := tsm.Configuration{URL: ""}
config = config.WithAPIKeyAuthentication("apikey")
node, err := tsm.NewClient(config)

SDK authentication using an API key requires that the MPC node has been configured to accept the API key, and the actual application that this API key maps to, is specified in the TSM configuration. See this section for more about how to configure API key authentication in the TSM.

See this for a full example with API key authentication.

Authentication with TLS Certificate (mTLS)

As an alternative to API key authentication, the SDK can authenticate using a TLS certificate. This means that the connection between the SDK and the MPC node will be secured using a 2-way TLS connection.

This can be done like this:

clientKey := "/path/to/client.key"
clientCrt := "/path/to/client.crt"
config := tsm.Configuration{URL: ""}
config, err = config.WithMTLSAuthentication(clientKey, clientCrt, nil)
node, err := tsm.NewClient(config)

SDK authentication using mTLS requires that the certificate authority (CA) that issued the client certificate has been registered in the MPC node configuration. See this section for more about how to register a CA in the MPC node.

The application that the SDK logs into when authenticating like this, is derived from certain values in the provided client certificate. For example, the application may be derived from the distinguished name of the Issuer and Subject of the client certificate, or from some subset of values in these fields, such as OrganizationalUnit. The specific way to derive the application from the provided certificate is part of the MPC node configuration. This can be used to automatically grant users from the same organizational unit access to the same keys in the TSM, etc.

Public Key Pinning

Optionally, you can provide a specific public key when authenticating. This means that the SDK will only accept a TLS connection with the MPC node that has the exact private key that corresponds to this public key.

For example (ignoring error handling):

// Extract the MPC node public key from certificate

nodeCertPEM, err := os.ReadFile("/path/to/node.crt")
block, rest := pem.Decode(nodeCertPEM)
if block == nil || len(rest) != 0 {
cert, err := x509.ParseCertificate(block.Bytes)
nodePKIXPublicKey, err := x509.MarshalPKIXPublicKey(cert.PublicKey)

// Create node SDK with mTLS authentication and public key pinning

clientKey := "/path/to/client.key"
clientCrt := "/path/to/client.crt"
config, err := tsm.Configuration{URL: ""}.WithMTLSAuthentication(clientKey, clientCrt, nodePKIXPublicKey)
node, err := tsm.NewClient(config)

Authentication with OIDC

The SDK can also authenticate using an OIDC access token:

config := tsm.Configuration{URL: ""}
config, err = config.WithOIDCAccessTokenAuthentication(accessToken)

The accessToken is obtained from the login process performed at the OIDC identity provider.

The OIDC authentication is configured on the MPC node. The node can, e.g., be configured up to accept Microsoft accounts, or Google accounts from a particular application domain, or it can be configured to accept a custom OIDC provider. See this section for more about how to configure OIDC authentication on an MPC node.

The MPC node derives the application from the audience field in the access token. This means that two SDKs that each authenticates with their own OIDC access token, will have access to the same set of keys in the TSM, if their access tokens were issued for the same audience.