Security when using defender relayer

Hello, I have a doubt. What's the difference between using the API key instead of the private key of the wallet if we can call Defender with that API to sign what we want to sign? Wouldn't it be the same to use just the private key and send the signed message? Both, private key and API key, must be private, and nobody would have to know about either of them. The other question is, is there any way to know the private key of that wallet created just in case anything happens to the key vault of Defender? Thank you very much.

Hi @Cris_Me

By using API keys, we can manage transactions on behalf of users, including managing nonces, resubmissions, and gas price adjustments. This allows us to provide a smoother and more reliable user experience, while also keeping the private keys safe and secure.

All private keys are stored in the AWS Key Management Service. Keys are generated within the KMS and never leave it, so it is not possible for anyone (including OpenZeppelin) to access them.


Also @Cris_Me - one big difference between API Keys and Private Keys is that if there is a concern about a security incident, API Keys can be rotated while Private Keys cannot.


@dylkil @dan_oz is it possible to rotate keys for a relay via API?

Yes, it is possible. You can try something like this using Node:

```javascript
import { RelayClient } from 'defender-relay-client';

// Team API key and secret go here
const relayClient = new RelayClient({ apiKey: '...', apiSecret: '...' });
// Relayer ID goes here
const hola = await relayClient.createKey('...');
console.log(relayClient);
console.log(hola);
```

You will get something like this:

```
{
  apiKey: '...',
  createdAt: '...',
  relayerId: '...',
  keyId: '...',
  secretKey: '...'
}
```

I wrote 2 console logs because I am not sure which one gives the right answer. But I've tried it and it worked for me. Disclaimer: I'm just learning how to use Defender. But hope it helps. Good luck 🙂
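The rotation discussed in this thread, written out as a full create-store-revoke sequence; this is an added example, not code from any post above or from OpenZeppelin. It assumes the client exposes `createKey`, `listKeys` and `deleteKey` and that `listKeys` returns objects with a `keyId`; `rotateRelayerKey`, `saveSecret` and the in-memory `makeFakeClient` are hypothetical names constructed so the block runs offline.

```javascript
// Rotate a relayer's API key without ever logging the secret.
// `client` is assumed to expose createKey/listKeys/deleteKey (as a RelayClient
// from defender-relay-client would); `saveSecret` is a hypothetical callback
// that writes the new credentials to your secret store.
async function rotateRelayerKey(client, relayerId, saveSecret) {
  const before = await client.listKeys(relayerId);   // keys to retire afterwards
  const fresh = await client.createKey(relayerId);   // response includes secretKey
  if (!fresh.apiKey || !fresh.secretKey) {
    throw new Error('createKey returned no credentials; old keys left in place');
  }
  // Persist first: if saving fails we throw here and the old keys keep working.
  await saveSecret({ apiKey: fresh.apiKey, secretKey: fresh.secretKey });
  const revoked = [];
  for (const old of before) {
    await client.deleteKey(relayerId, old.keyId);
    revoked.push(old.keyId);
  }
  // Return only non-secret metadata, safe to log or keep in an audit trail.
  return { relayerId, newKeyId: fresh.keyId, revoked };
}

// Constructed in-memory stand-in for the Defender API, for offline runs only.
function makeFakeClient(initialKeyIds) {
  let keys = initialKeyIds.map((keyId) => ({ keyId, apiKey: 'ak-' + keyId }));
  let n = 0;
  return {
    listKeys: async () => keys.map((k) => ({ ...k })),
    createKey: async (relayerId) => {
      const keyId = 'new-' + (++n);
      keys.push({ keyId, apiKey: 'ak-' + keyId });
      return { keyId, relayerId, apiKey: 'ak-' + keyId, secretKey: 'sk-' + keyId };
    },
    deleteKey: async (_relayerId, keyId) => {
      keys = keys.filter((k) => k.keyId !== keyId);
    },
  };
}

async function demo() {
  const client = makeFakeClient(['old-1', 'old-2']);  // constructed key IDs
  const vault = [];                                   // stands in for a secret store
  const save = async (creds) => { vault.push(creds); };
  const result = await rotateRelayerKey(client, 'relayer-demo', save);
  const remaining = (await client.listKeys('relayer-demo')).map((k) => k.keyId);
  return { result, remaining, vault };
}
demo().then(({ result, remaining }) => console.log(result, remaining));
```

With a real client, pass the `RelayClient` instance in place of the fake one; the ordering means a failed save leaves the previous keys valid instead of locking the relayer out.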