New versions of the Qredo API and Signing Agent are now available! To get started, just contact us here.
Qredo Logo

Signing Agent

Get started

A new version of the Signing Agent is now available! Our dedicated team of crypto experts can get you started with Qredo’s Next Generation APIs in minutes — just contact us here.

You can also follow this video tutorial:


This guide explains the basic steps to start using the Signing Agent.

You will build and run a Signing Agent Docker image, add the Agent as a Member to your Policy, and transfer some testnet assets between two Vaults in your Workspace. The Signing Agent will automatically approve your transaction.


Before you start, take these steps in the Qredo Web App:

  1. Create a Qredo profile.
  2. Create a Workspace.
  3. In the Workspace settings, enable testnet assets.
  4. Create a Portfolio.
  5. Create two Vaults in your Workspace:
    • Specify the same testnet asset for both Vaults.
    • Select the Default Policy to govern them.
  6. Get testnet assets to one of the Vaults. You can use faucets.

Step 1: Get an API key & secret

  1. In the Qredo Web App, navigate to Workspace settings.
  2. Click Create API key.
  3. Select the Read/Write access.
  4. Click Create API key. If this option isn't visible to you, just contact us here.
  5. Copy and save your API key and secret.

You won't be able to view your API secret after closing the last screen. Make sure to take a copy of it. Learn how to securely store your API secret and other sensitive data: Security best practices

We recommend associating each Signing Agent instance with a different API key.

Step 2: Build a Docker image

  1. Clone the Signing Agent repository to a local directory with your preferred command-line tool:

    git clone
  2. Install and run Docker.

  3. In the command line, go to the signing-agent directory (the root of the repository) and build a Docker image:

    ./ docker_latest

    Check the Images tab in Docker: you will see a new image called signing-agent.

  4. Create a volume directory in any location and make sure you have read & write access:

    mkdir volume

    Docker will use this directory as a persistent data storage.

  5. Copy the config-template.yaml file from the signing-agent directory to the volume directory and rename it to config.yaml.

    This file contains settings of your Signing Agent. Later you will edit it to adjust the settings.

Step 3: Start the image

  1. In the command line, go to the signing-agent directory and start the Signing Agent Docker image:

    docker run -ti --rm -v {path-to-the-volume-directory}:/volume -p 8007:8007 signing-agent:latest

    This command also mounts the volume directory you created before into a Docker container.

  2. Check the messages returned by the command line and make sure that the Signing Agent hasn't yet started automatically approving transactions:

    Agent Service: agent is not yet configured, auto-approval not started

    Don't close the window where the image is running: otherwise it'll be stopped. Later you can revisit if to read the Signing Agent logs.

Step 4: Register the Agent

  1. In the Web App, navigate to your Workspace and copy the Workspace ID from the URL:{workspaceID}
  2. Use the Signing Agent API endpoint GET /register. In the request body, specify your API key & secret and the Workspace ID you've just copied:

    curl -X 'POST' \
    'http://localhost:8007/api/v2/register' \
    -H 'accept: application/json' \
    -H 'Content-Type: application/json' \
    -d '{
      "APIKeyID": "YOUR_API_KEY_ID",
      "secret": "YOUR_API_SECRET",
      "workspaceID": "YOUR_WORKSPACE_ID"
  3. In the Web App, edit your Default Policy to add your API key (identified by name) as a second Member and set the Threshold to 1 of 2. Alternatively, you can use the Qredo API, as explained here: Add the API key to a Transaction Policy.

    When you registered the Signing Agent, it has been associated with your API key, so here the key represents the Agent.

    We don't recommend setting the 2 of 2 threshold. There is a risk of locking your assets in the wallet in case one of the members is no longer able to approve transactions.

  4. Check the logs in the window where the Signing Agent image is running:

    agent registered, starting the service
    AutoApprover: listening
    WebsocketSource: connected to feed wss://
    FeedHub: new feed client registered
    Start listening on HTTP

Step 5: Approve a transaction

  1. In the Web App, perform a transfer between your Vault holding testnet assets to the second Vault in your Workspace. Alternatively, you can use the Qredo API, as explained here: Create an EVM transaction.

  2. If you initiated the transaction in the Web App, you may need to authorize it in the Signing App on your phone. Then Signing Agent will automatically approve the transaction. If the transaction was initiated programmatically, no action in the Signing App is required.

Check the logs in the window where the Signing Agent image is running:

AutoApprover: action `2WhocLMNygoxQ6iUlGbbkECmg1S` approved automatically`

It's not the most typical usage of the Signing Agent. Later you may want to create rules defining when the Signing Agent must approve or reject transactions. You can find an example of governance logic here:

Auto-approval is enabled by default. To disable it, see the next step.

Step 6: Configure the Agent

To configure the Signing Agent, do the following:

  1. If the Signing Agent image is running, go to its window and terminate the process with Ctrl + C.

  2. Open the config.yaml file stored in the volume directory. Adjust the file and save it.

  3. To continue using the Signing Agent, start the image again, as described in Step 3.

You can find all available settings in this guide: Configure

For production usage, we strongly recommend adjusting the following settings::

  • autoApproval: enabled: In this guide auto-approval was used for conducting a basic governance test. However for production environments it's advisable to disable it: just set this option to false.

  • TLS: enabled: In a production setting it's crucial to set this option to true to ensure traffic encryption and secure data transfer.

  • store: For testing purposes we're using the default text file /volume/ccstore.db to store the BLS private key, but for production we strongly recommend integrating with a key management service. See also: Qredo API: Security best practices.

Step 7: Start listening to a WebSocket feed

While the Signing Agent is running, it's using a WebSocket feed to track the activity associated with your account.

To see the feed, go to the window where the Signing Agent image is running. For example, after authorizing a transaction, you'll see details of the action waiting for approval:

  "id": "2WhocLMNygoxQ6iUlGbbkECmg1S",
  "type": 8,
  "status": 1,
  "description": "",
  "approverID": "a.48wq3YZk8TVvfJMEqkDJc5LPrvB7fqh9WDkkcemu6sQ3",
  "dataID": "",
  "senderID": "p.EoTuBtxCqjEUUV2LtzxURQADJUmshmTzj8CtYeo6bn5p",
  "messages": [
  "signatures": null,
  "timestamp": 1697194250,
  "actionSubject": null,
  "actionTime": 0,
  "expireTime": 1697208639,
  "metadata": "e30=",
  "created": 0

Step 8: Start using the Signing Agent API

While the Signing Agent image is running, you can use the Signing Agent API.

For example, to check the Signing Agent status, use GET /healthcheck/status. Run the following in the command line:

curl -X GET 'http://localhost:8007/api/v2/healthcheck/status'

This endpoint returns the WebSocket feed URL and other details:


The available endpoints are listed the Signing Agent API reference. The Signing Agent API allows getting information about the Signing Agent, registering a new Agent, and approve or reject transactions.