SEP: 0019
Title: Bootstrapping Multisig Transaction Submission
Author: Paul Selden <paul.selden@stellarguard.me>, Nikhil Saraf <nikhil@stellar.org>
Track: Standard
Status: Draft
Created: 2018-12-07
Discussion: [https://groups.google.com/forum/#!msg/stellar-dev/-erucceOKbs/ewjFSQcNBwAJ](SEP: Bootstrapping Multisig Coordination)
Provides a standard way for multisig accounts to designate where transactions should be submitted for coordination of additional signatures.
An account may designate which multisig server to use in a data entry that points to a server with a stellar.toml file. This file contains a MULTISIG_ENDPOINT field which is an API where multisig transactions should be submitted. Wallets should implement this SEP so they can support multisig accounts without requiring them to run a multisig service themselves.
Currently there are only a few public tools that allow for multisig accounts, and they all do it by implementing their own signature coordinator services to do so. Wallets or other services that do not implement their own backends have no real way to deal with multisig accounts, so most of them just don't at all. By allowing an account to specify where they want their multisig transactions submitted to, it enables those wallets to interop with existing multisig services without relying on vendor-specific SDKs and APIs.
Additionally, there may be use cases where users do not want their multisig transactions broadcasted to a public coordinator, but would still like to use existing wallets to submit them to a private coordinator.
A multisig account adds a data entry with the key config.multisig.coordinator and the value of a hostname used to resolve the stellar.toml file of the multisig service.
Example:
Key: config.multisig.coordinator
Value: stellarguard.me
Multisig coordinators advertise the existence of their service through the stellar.toml file. The top-level parameter MULTISIG_ENDPOINT should contain a fully-qualified URL of a multisig coordination service where transactions should be submitted.
Example of stellar.toml:
MULTISIG_ENDPOINT="https://stellarguard.me/api/transactions"
Multisig Services must expose two REST API endpoints.
This is the endpoint defined in the stellar.toml under the MULTISIG_ENDPOINT key.
POST MULTISIG_ENDPOINT
ContentType: application/json.
Request Body Parameters:
| Name | Type | Description |
|---|---|---|
uri |
string | A SEP-0007 style tx URI for the transaction to sign. |
Example:
POST https://stellarguard.me/api/transactions
{
"uri": "web+stellar:tx?xdr=AAAAAHFd0%2BHQV5u%2FY%2FfM3%2BVelUr1IWwSFL8CUDIAUudUdD4MAAAAZAADyI8AAAADAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAcV3T4dBXm79j98zf5V6VSvUhbBIUvwJQMgBS51R0PgwAAAAAAAAAAACYloAAAAAAAAAAAVR0PgwAAABAEw8ODG0iixkbAHg1aJATAnZS2531PhGauuSvFDad2WxHKzIenUNbc7K5mGiSpe5jvqe19OQCbNFuBjqN11jfBw%3D%3D"
}On success, the endpoint should return a 200 HTTP status code and a JSON-encoded object.
Response fields:
| Name | Type | Description |
|---|---|---|
id |
string | Required. An identifier for the multisig request that is generated by the multisig service. |
statusHref |
string | Required. A fully qualified url where an agent can poll for updates on the status of the multisig request. This is specified in the Status Endpoint section. |
extras |
object | Optional. An object that contains additional application specific response data which could be used to provide an enhanced user experience. For instance, showing a link to authorize a transaction. |
Example:
{
"id": "c585ceee-b1b9-4009-aa37-b8544346a036",
"statusHref": "https://stellarguard.me/api/transactions/c585ceee-b1b9-4009-aa37-b8544346a036",
"extras": {
"isStellarGuard": true,
"url": "https://stellarguard.me/transactions/c585ceee-b1b9-4009-aa37-b8544346a036"
}
}This will be used to query for the status of a multisig transaction.
GET MULTISIG_ENDPOINT>/:id
Request Path Parameters:
| Name | Type | Description |
|---|---|---|
id |
string | Required. The id used to look up the status, which was returned in the submit transaction response. |
Example:
GET https://stellarguard.me/api/transactions/c585ceee-b1b9-4009-aa37-b8544346a036
On success, the endpoint should return a 200 OK HTTP status code and a JSON-encoded object.
Response fields:
| Name | Type | Description |
|---|---|---|
id |
string | Required. An identifier for the multisig request that is generated by the multisig service. |
status |
string | Required. An string indicating the status of the multisig request which can have one of the following values: - pending - The request requires more signatures- success - The transaction has been fully signed- failed - There was an error with the transaction and it could not be submitted successfully |
uri |
string | Required. The original SEP-0007 URI that was submitted to the service. |
signers |
string[] | Required. An array of public keys that have signed the transaction. |
xdr |
string | Required. The current state of the transaction XDR, including any additional signatures. |
Example:
{
"id": "c585ceee-b1b9-4009-aa37-b8544346a036",
"status": "pending",
"uri": "web+stellar:tx?xdr=AAAAAHFd0%2BHQV5u%2FY%2FfM3%2BVelUr1IWwSFL8CUDIAUudUdD4MAAAAZAADyI8AAAADAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAcV3T4dBXm79j98zf5V6VSvUhbBIUvwJQMgBS51R0PgwAAAAAAAAAAACYloAAAAAAAAAAAVR0PgwAAABAEw8ODG0iixkbAHg1aJATAnZS2531PhGauuSvFDad2WxHKzIenUNbc7K5mGiSpe5jvqe19OQCbNFuBjqN11jfBw%3D%3D",
"signers": ["GBYV3U7B2BLZXP3D67GN7ZK6SVFPKILMCIKL6ASQGIAFFZ2UOQ7AZB5V"],
"xdr": "AAAAAHFd0+HQV5u/Y/fM3+VelUr1IWwSFL8CUDIAUudUdD4MAAAAZAADyI8AAAADAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAcV3T4dBXm79j98zf5V6VSvUhbBIUvwJQMgBS51R0PgwAAAAAAAAAAACYloAAAAAAAAAAAVR0PgwAAABAEw8ODG0iixkbAHg1aJATAnZS2531PhGauuSvFDad2WxHKzIenUNbc7K5mGiSpe5jvqe19OQCbNFuBjqN11jfBw=="
}In order to comply with browser cross-origin access policies, the service should provide wildcard CORS response HTTP header. The following HTTP header must be set for the API endpoints:
Access-Control-Allow-Origin: *
- Look up the data entry with the key
config.multisig.coordinatoron the transaction source account. If the entry does not exist on the account, do not continue with this flow. - Resolve the
stellar.tomlassociated with the account'sconfig.multisig.coordinatorentry and return theMULTISIG_ENDPOINTfield. - Convert the transaction to a SEP-0007 style URI, setting any additional parameters such as
callback. - Before submitting the transaction, it should contain at least one valid signature.
POSTto theMULTISIG_ENDPOINTendpoint with the SEP-0007txURI in the body as the parameteruri.- The service responds with a 200 HTTP status code and a JSON object specified in the Submit Transaction Endpoint Response section.
When implementing StellarGuard for the Stellar Account Viewer, it was rightly pointed out it should avoid vendor-specific implementation. This SEP provides an alternative approach that can be used by tools that want to support multisig accounts without implementing a multisig server for each product.
One design choice was whether to skip the stellar.toml step and add the fully qualified multisig server endpoint to the account's data field. The stellar.toml approach affords greater flexibilty for the server to change its implementations. It is much easier to update the stellar.toml than to update the data entry of every account that uses it.
The server implementation is currently live on https://test.stellarguard.me and https://stellarguard.me.
A library that implements this protocol has been published here: https://github.com/stellarguard/multisig-utils
A demo using that library that submits to the StellarGuard multisig endpoint: https://stellarguard.github.io/multisig-utils/demo/