Non-custody accounts

+1 vote
Hello!

I need to implement a non-custody MultiChain account system in my NFT application. So I plan to generate key pairs on the server and give them to the user's mobile application.

How can I implement transaction signing without transferring the user's private key to the server?

As I understand it, there is only one way: call the RPC directly from the iOS app, sign a transaction and then send the result to the server?

Or can I use external libraries like bitcoinjs or others for signing the transaction and then send it to the server?

Or, if I need to configure MultiChain with bitcoin-style parameters to use bitcoin libraries in the mobile app, is it possible to use all MultiChain asset features, including the NFTs of beta 3, in a bitcoin-style MultiChain?

Thank you!
asked Oct 18, 2021 by Levi770
edited Oct 18, 2021 by Levi770

1 Answer

+2 votes
 
Best answer

First, you don't need to generate key pairs on the server – you can use a bitcoin library to generate them within the mobile application itself. If you have set up your MultiChain blockchain to use bitcoin-compatible addresses, then an address generated by the bitcoin library will not need any changes for MultiChain (see https://www.multichain.com/developers/address-key-format/). Then (if you wish) the mobile application can send the server the public part of the address and it can be imported (using importaddress) into a node, so the node is able to track UTXOs for that address and prepare transactions for signing.

Second, in terms of signing, you can use a MultiChain node to prepare a transaction for signing (the createrawsendfrom API is most efficient), pass it to the mobile app which signs it, then send it back to the server for broadcast to the network. All MultiChain transactions are formatted using the bitcoin protocol format, so a bitcoin-compatible library (like bitcoinjs) in the mobile app should have no trouble signing them. The only issue is that MultiChain transactions contain some features (represented by OP_DROP and OP_RETURN data in bitcoin's format) which the library may be unfamiliar with, meaning you may have to remove some checks within the library to allow it to perform the signing. But that should be easy from examining its code.

We wouldn't recommend allowing the iOS app to call the MultiChain API directly, because that gives it far too much control if it gets hacked. Instead, you should build a very minimal service on the server which accepts instructions from the app and translates them into API calls. That will also allow you to do authentication and rate limiting as appropriate.

answered Oct 19, 2021 by MultiChain
selected Oct 19, 2021 by Levi770
Thank you for the answer!
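The minimal server-side service described in the answer, as an added JavaScript example that is not part of the original thread and not MultiChain's own code. The names `makeGateway`, `handle`, the three instruction names and the injected `rpc(method, params)` transport are assumptions, as are the in-memory maps and a `userId` already established by the server's own authentication; the amounts object covers a plain asset quantity only.

```javascript
// Added example: the app never talks to the node. It sends one of three
// instructions, and only those are translated into MultiChain API calls.
// `rpc(method, params)` is an injected JSON-RPC transport (assumption); the
// node's credentials stay on the server.
const ADDRESS_RE = /^[1-9A-HJ-NP-Za-km-z]{26,40}$/; // base58 shape check only
const HEX_RE = /^(?:[0-9a-fA-F]{2})+$/;

function makeGateway(rpc, { maxPerMinute = 10, now = Date.now } = {}) {
  const addressOf = new Map(); // authenticated userId -> address the app registered
  const hits = new Map();      // userId -> timestamps of recent requests

  function rateLimit(userId) {
    const t = now();
    const recent = (hits.get(userId) || []).filter((x) => t - x < 60000);
    if (recent.length >= maxPerMinute) throw new Error("rate limit exceeded");
    hits.set(userId, [...recent, t]);
  }
  function requireAddress(value) {
    if (typeof value !== "string" || !ADDRESS_RE.test(value)) throw new Error("bad address");
    return value;
  }

  const handlers = {
    // Watch-only import: the node tracks UTXOs but never holds a private key.
    register(userId, { address }) {
      addressOf.set(userId, requireAddress(address));
      return rpc("importaddress", [address, "", false]);
    },
    // Build an unsigned transaction; the sender is always the caller's own address.
    prepareSend(userId, { to, asset, qty }) {
      const from = addressOf.get(userId);
      if (!from) throw new Error("no registered address");
      if (typeof asset !== "string" || !asset) throw new Error("bad asset");
      if (!(Number.isFinite(qty) && qty > 0)) throw new Error("bad quantity");
      return rpc("createrawsendfrom", [from, { [requireAddress(to)]: { [asset]: qty } }]);
    },
    // Relay the hex that the app signed locally.
    broadcast(userId, { hex }) {
      if (typeof hex !== "string" || !HEX_RE.test(hex)) throw new Error("bad transaction hex");
      return rpc("sendrawtransaction", [hex]);
    },
  };

  // `userId` comes from the server's session check, never from the request body.
  return function handle(userId, op, args = {}) {
    if (!Object.prototype.hasOwnProperty.call(handlers, op)) throw new Error("unknown instruction");
    rateLimit(userId);
    return handlers[op](userId, args);
  };
}
```

Key generation and signing stay in the app with a bitcoin-compatible library, as the answer describes; only the address and the signed hex cross this boundary.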