KMS - How does it work

Modified on Sun, 25 Sep 2022 at 01:49 PM

KMS is a command-line tool and provides two modes of operation:

  • CLI mode is used to generate wallets or private keys, typically for the initial setup and one-time operations.
  • daemon mode periodically pulls pending transactions from the Tatum API, signs transactions locally, and broadcasts the transactions to the blockchain.

Be aware that there are two types of signature IDs generated by KMS:

  • mnemonic signature IDs
  • private key signature IDs.


The following applies:

  • Any time a private key is required for a request, you must replace the privateKey field with a signatureId field that contains the signature ID of the private key from the wallet storage.
  • Whenever there is a mnemonic is required to sign a transaction, you must replace the mnemonic field with a signatureId field containing the signature ID of the mnemonic from the wallet storage.

Good to know


Tatum KMS also supports integrations to Azure Key Vault or VGS so that you can store your keys and mnemonics there. For more information, see Tatum KMS GitHub pages, where all of the source code is available.


When you generate and store all the wallets you want to work with, you then enable the daemon mode in the KMS. This daemon mode periodically checks for pending transactions to sign.


Every pending transaction has a signatureId present. When the pending transaction is matched with the wallet storage's specific wallet, it is signed locally and sent to the blockchain. Your wallet data are stored only in memory.


By default, KMS checks for the pending transactions every 5 seconds using this API call.


Was this article helpful?

That’s Great!

Thank you for your feedback

Sorry! We couldn't be helpful

Thank you for your feedback

Let us know how can we improve this article!

Select atleast one of the reasons

Feedback sent

We appreciate your effort and will try to fix the article