Management API
The MPC node can be configured to expose health information and various performance counters, the example configuration can be seen here:
# Server with endpoints for managing the node
#[ManagementServer]
# Port number that this server listens on.
#Port = 14401
# Points to a file containing a PEM encoded certificate (and any intermediates) which will be used for this
# connection. Setting this enables the use of HTTPS instead of HTTP.
#CertificateFile = ""
# This contains the base64 certificate inline instead of giving it in a file in the previous entry.
#CertificateBytes = ""
# The private key corresponding to the certificate above.
#CertificateKeyFile = ""
# This contains the Base64 PKCS#8 private key inline instead of giving it in a file in the
# previous entry.
#CertificateKeyBytes = ""
#[ManagementServer.HTTPResponseHeaders]
# For use in a browser (e.g. WASM), the following can be set
#Access-Control-Allow-Origin = "*"
#Access-Control-Allow-Methods = "POST, PUT, GET, DELETE, OPTIONS"
#Access-Control-Allow-Headers = "MPC-SessionID, MPC-Players, Authorization, Content-Type"
# Metrics is used to access various internal performance counters, both Golang and MPC-
# related. The default format is Golang's built-in expvar, but it can be configured to be
# Prometheus. The endpoint will be available at 'management/metrics'. This section is
# optional, metrics will only be available if it has been set here.
#[ManagementServer.Metrics]
# Optional. Specify whether to use prometheus format, default is false
#Prometheus = false
# List af API Keys, which can have different permissions
#[[ManagementServer.APIKeys]]
# Base64 encoded hash of the API key. A hash for the API key foobar can be generated with the following command:
#
# echo -n "foobar" | openssl dgst -sha256 -binary | openssl base64
#
# Crypt hashes with the following algoritms are also supported: MD5, SHA256, SHA512, bcrypt, Argon2i, Argon2id
#APIKey = ""
# Array of permissions this API Key has, valid values:
# TSMINFO, HEALTH, METRICS, APIKEY
#Permissions=["HEALTH", "TSMINFO"]
The Management API uses Permission-Based Access Control (PBAC) for allowing access to the different parts of the Management API.
| Action | Endpoint | Required Permission | HTTP Method |
|---|---|---|---|
| OpenAPI (Swagger) docs | /management/docs | NONE | GET |
| OpenAPI yaml definitions | /management/openapi.yaml | NONE | GET |
| Get health information | /management/health | HEALTH | GET |
| Get metrics | /management/metrics | METRICS | GET |
| Get info about authentication methods supported by the TSM Node | /management/configuration/authinfo | TSMINFO | GET |
| Get the audit signing public key, which can be used to validate audit entry signatures | /management/configuration/auditsigningpublickey | TSMINFO | GET |
| Create API Key | /management/apikey | APIKEY | POST |
| Delete API Key | /management/apikey/{apiKeyID} | APIKEY | DELETE |
| List API Keys | /management/apikey | APIKEY | GET |
Authentication
Add a header to your request of the form:
Authorization:APIKEY your_api_keywhere your_api_key matches one of the (plaintext) api keys from the [ManagementServer] section of the node configuration.
You can configure unauthenticated access to the Management API. Specifying an empty API key under the management server API keys in the node configuration, grants unauthenticated access with the specified permissions.
API Keys
To create a new API key, send the following JSON payload in the request body:
JSON
{
"applicationId": "myapplication1",
"description": "this is application 1"
}Enabling dynamic API keys allows changes to be made at runtime without restarting the system. When deployed across multiple MPC nodes, changes (such as adding or removing keys) may take up to 10 seconds to propagate to all nodes.
Note that these endpoints allow management of API keys related to normal TSM operations, not the API keys used for accessing the Management Server API.
Metrics
The performance counters show, for each of the MPC protocols, the total number of keys and signatures generated with that protocol on the MPC node, for example:
{
"SEPD19S.schnorrKeygen": 2,
"SEPD19S.schnorrSign": 323652,
"SEPD19S.schnorrSign.error": 21,
"SEPH18S.ecdsaKeygen": 4,
"SEPH18S.ecdsaSign": 332768,
"SEPH18S.ecdsaSign.error": 18,
}In this example, the MPC node has participated in 2 key generations and 323.652 successful signatures using the SEPD19S protocol. It also participated in 21 SEPD19S signature sessions that failed.
Updated 3 days ago