stellar-sdk/com.soneso.stellar.sdk.sep.sep10/ClientDomainSigningDelegate

ClientDomainSigningDelegate

fun interface ClientDomainSigningDelegate

Functional interface for delegating client domain transaction signing to external services.

This delegate is for signing with your WALLET'S domain key to prove wallet identity during SEP-10 authentication. This is NOT for user account signing - use the signers parameter for that.

This enables integration with wallet backend infrastructure that manages the wallet's domain signing key:

  • Wallet backend servers - Your company's authentication server managing the wallet's domain key

  • Hardware Security Modules (HSMs) - Secure cryptographic key storage for wallet infrastructure

  • Cloud KMS services - AWS KMS, Google Cloud KMS for wallet backend key management

  • Multi-Party Computation (MPC) systems - Distributed key management for wallet infrastructure

Use Cases:

  • Wallet backends where the domain signing key is managed server-side

  • Enterprise wallet infrastructure requiring HSM-backed domain keys

  • Wallet companies with regulatory requirements for key custody

  • Multi-signature wallet domain accounts with threshold requirements

Multi-Signature Support:

  • Wallet domain accounts can have multiple signers with threshold requirements

  • The delegate can add multiple signatures to meet the wallet domain account's signing threshold

  • Common for enterprise wallet backends where master key is disabled (weight = 0)

  • Supports regulatory compliance requiring multi-custody signatures for wallet identity

Security Considerations:

  • The delegate receives the full transaction XDR (not just a hash) for transparency

  • Wallet backend can verify transaction contents before signing with domain key

  • Returned transaction must not be modified (only signatures added)

  • Network passphrase is embedded in transaction hash to prevent replay attacks

  • Only use with your own trusted wallet backend services

Example - Wallet company HSM:

val signingDelegate = ClientDomainSigningDelegate { transactionXdr ->
    // Parse transaction
    val tx = AbstractTransaction.fromEnvelopeXdr(transactionXdr, network) as Transaction

    // Sign with your wallet company's HSM (not user's HSM)
    tx.sign(walletDomainHsmKeyPair)

    // Return signed transaction
    tx.toEnvelopeXdrBase64()
}

val token = webAuth.jwtToken(
    clientAccountId = userAccountId,
    signers = listOf(userKeyPair),
    clientDomain = "wallet.company.com",
    clientDomainSigningDelegate = signingDelegate
)
Content copied to clipboard

Example - Multi-signature wallet domain account:

val signingDelegate = ClientDomainSigningDelegate { transactionXdr ->
    val tx = AbstractTransaction.fromEnvelopeXdr(transactionXdr, network) as Transaction

    // Add multiple wallet domain signatures to meet threshold
    tx.sign(walletDomainSigner1KeyPair)
    tx.sign(walletDomainSigner2KeyPair)

    tx.toEnvelopeXdrBase64()
}
Content copied to clipboard

Example - Wallet backend server:

val signingDelegate = ClientDomainSigningDelegate { transactionXdr ->
    // Send to your wallet's backend server for domain signing
    val response = httpClient.post("https://backend.wallet-company.com/sign-client-domain") {
        contentType(ContentType.Application.Json)
        setBody("""{"transaction": "$transactionXdr"}""")
    }

    // Backend returns signed transaction
    response.body<String>()
}
Content copied to clipboard

See also

Functions

Link copied to clipboard
abstract suspend fun signTransaction(transactionXdr: String): String

Signs a transaction with the client domain signing key(s).

Generated by Dokka
© 2026 Copyright