Key Management System (KMS) - Introduction

Modified on Mon, 10 Oct 2022 at 09:59 PM


What is KMS?

KMS is a custodial solution to control your application’s end-users private keys and wallet mnemonics. Blockchain transactions are signed locally, and sensitive data is not sent over the Internet.

With KMS, you can build and scale custodial apps, provide the highest level of security for your users, and allow them to use blockchain technology without having to deal with private keys and mnemonics. End-users can just log in to your app with their credentials, and KMS takes care of the rest.

Additional information starting at 22:15 on the following video:

What does KMS do?

  • KMS keeps mnemonics and private keys safe.
  • KMS periodically pulls pending transactions to sign from Tatum Cloud, signs them locally using stored private keys, and broadcasts them to the blockchain.

Tatum KMS on Github.

KMS Use cases

KMS can be used to securely sign any transaction with a signatureId instead of a privateKey or mnemonic.

To learn more about how to utilize KMS, check the following link.
The KMS list of API endpoints is available at the following link.

How does KMS work?

KMS runs locally on your server and provides security for generating wallets, addresses, private keys, and signing transactions securely. KMS stores all your mnemonics and private keys in a wallet storage file. This storage file is an AEC encrypted file, for which only you know the encryption key.

Every wallet stored inside your KMS instance has a unique identifier, called signatureId. This signatureId is used in communication with Tatum API and represents the wallet used by the specific operation. When you generate and store all the wallets you want to work with, you then enable the daemon mode in the KMS. This daemon mode periodically checks for pending transactions to sign.


  • When you generate a wallet with KMS, it creates a signature ID that is used in place of the wallet’s mnemonic.
  • When you generate a private key to an address, it creates a signature ID to be used in place of the private key.
  • When you send API requests to Tatum you only have to remember to replace two fields:
    • mnemonic -> signatureId (of the wallet’s mnemonic phrase)
    • fromPrivateKey -> signatureId (of the private key)

More information at the following link.

Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons
CAPTCHA verification is required.

Feedback sent

We appreciate your effort and will try to fix the article