Production best practices

Keychain abstracts the signing backend, but operating a signer in production is still your responsibility. These practices apply across backends; see Choosing a backend for selecting one.

Separate hot and cold signers

Use a low-balance operational ("hot") signer for frequent, automated transactions, and a separate high-value ("cold") signer for treasury movements. Back the cold signer with MPC custody or a cloud HSM and require approval policies before it signs. Because the interface is identical, each role can use a different backend without changing call sites.

Rotate keys deliberately

On Solana the signing key is the account address, so rotating a key produces a new address. Plan rotation as a migration: provision a new key, reassign the relevant authorities (or move funds) to the new address, then retire the old one. Use distinct keys per environment so devnet keys are never reused on mainnet.

Grant least-privilege access

Scope each backend's credentials to the minimum needed to sign. For AWS KMS, that is kms:Sign and kms:DescribeKey on the specific key; prefer IAM roles over static credentials. Apply the same principle to Vault policies and managed wallet API keys.
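As an added illustration (not Keychain or AWS code), the following TypeScript checks an IAM policy document against the least-privilege shape described above: only kms:Sign and kms:DescribeKey, and only on the one signing key. The policy shapes, the audit function, and the KEY_ARN placeholder are assumptions constructed for this example; non-KMS actions are outside its scope.

```typescript
// Added example, not Keychain or AWS code: check an IAM policy document for
// least-privilege KMS signing access. KEY_ARN is a constructed placeholder.

type Effect = "Allow" | "Deny";
interface Statement { Effect: Effect; Action: string | string[]; Resource: string | string[] }
interface PolicyDocument { Version: string; Statement: Statement[] }
interface Finding { statement: number; reason: string }

// The only KMS actions a signer needs: sign, and read the key's metadata.
const SIGNING_ACTIONS = new Set(["kms:Sign", "kms:DescribeKey"]);

function asList(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// Returns an empty list when every Allow statement is confined to the two
// signing actions on the expected key; otherwise one finding per problem.
function auditKmsSigningPolicy(policy: PolicyDocument, expectedKeyArn: string): Finding[] {
  const findings: Finding[] = [];
  policy.Statement.forEach((st, i) => {
    if (st.Effect !== "Allow") return; // Deny statements only narrow access
    for (const action of asList(st.Action)) {
      if (action.includes("*")) {
        findings.push({ statement: i, reason: `wildcard action ${action}` });
      } else if (action.startsWith("kms:") && !SIGNING_ACTIONS.has(action)) {
        findings.push({ statement: i, reason: `KMS action beyond signing: ${action}` });
      }
    }
    for (const resource of asList(st.Resource)) {
      if (resource.includes("*")) {
        findings.push({ statement: i, reason: `wildcard resource ${resource}` });
      } else if (resource !== expectedKeyArn) {
        findings.push({ statement: i, reason: `resource is not the signing key: ${resource}` });
      }
    }
  });
  return findings;
}

// Constructed placeholder ARN (not a real key).
const KEY_ARN = "arn:aws:kms:us-east-1:000000000000:key/00000000-0000-0000-0000-000000000000";

// Minimal policy: exactly the two actions on exactly the one key.
const minimalSigningPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["kms:Sign", "kms:DescribeKey"], Resource: KEY_ARN }],
};

// Over-broad policy the audit should reject: every KMS action on every key.
const overBroadPolicy: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "kms:*", Resource: "*" }],
};
```

Run the audit as part of deployment validation so a policy that drifts toward kms:* or Resource "*" fails before the signer goes live.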

Plan for availability

Remote backends depend on a network service. Call isAvailable() before relying on a signer, apply retries with backoff on transient failures, and define a fallback path for outages. Keychain enforces HTTPS for remote backends and applies a default request timeout.
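The availability check, bounded retries with exponential backoff, and a fallback signer, written out as an added TypeScript example (not Keychain's own code). The Signer interface is a stand-in: isAvailable() is the method named above, while sign(), the retryable error flag, and FakeSigner are assumptions constructed for this example.

```typescript
// Added example, not Keychain code: check availability, retry transient
// failures with exponential backoff, and fall back to a secondary signer.

interface Signer {
  name: string;
  isAvailable(): Promise<boolean>;
  sign(message: Uint8Array): Promise<Uint8Array>; // assumed signature
}

// Errors worth retrying (timeouts, 5xx, connection resets) carry a retryable
// flag; anything else is treated as permanent.
class TransientError extends Error {
  readonly retryable = true;
}

function isTransient(err: unknown): boolean {
  return typeof err === "object" && err !== null && (err as { retryable?: boolean }).retryable === true;
}

interface RetryOptions {
  maxAttempts: number;
  baseDelayMs: number;
  sleep?: (ms: number) => Promise<void>; // injectable so tests need not wait
}

// Exponential backoff capped at capMs; attempt counts from 0.
function backoffDelay(attempt: number, baseDelayMs: number, capMs = 5000): number {
  return Math.min(capMs, baseDelayMs * Math.pow(2, attempt));
}

async function signWithRetry(signer: Signer, message: Uint8Array, opts: RetryOptions): Promise<Uint8Array> {
  const sleep = opts.sleep ?? ((ms: number) => new Promise<void>((resolve) => setTimeout(resolve, ms)));
  let lastError: unknown;
  for (let attempt = 0; attempt < opts.maxAttempts; attempt++) {
    try {
      return await signer.sign(message);
    } catch (err) {
      if (!isTransient(err)) throw err; // permanent failure: do not retry
      lastError = err;
      if (attempt + 1 < opts.maxAttempts) await sleep(backoffDelay(attempt, opts.baseDelayMs));
    }
  }
  throw lastError;
}

// Try signers in order; skip any that report unavailable, move on when retries are exhausted.
async function signWithFallback(
  signers: Signer[],
  message: Uint8Array,
  opts: RetryOptions,
): Promise<{ signer: string; signature: Uint8Array }> {
  const failures: string[] = [];
  for (const signer of signers) {
    if (!(await signer.isAvailable())) {
      failures.push(`${signer.name}: unavailable`);
      continue;
    }
    try {
      return { signer: signer.name, signature: await signWithRetry(signer, message, opts) };
    } catch (err) {
      failures.push(`${signer.name}: ${(err as Error).message}`);
    }
  }
  throw new Error(`all signers failed: ${failures.join("; ")}`);
}

// Constructed test double: fails transiently a fixed number of times, then succeeds.
class FakeSigner implements Signer {
  calls = 0;
  constructor(public name: string, private failuresLeft: number, private available = true) {}
  async isAvailable(): Promise<boolean> { return this.available; }
  async sign(message: Uint8Array): Promise<Uint8Array> {
    this.calls++;
    if (this.failuresLeft-- > 0) throw new TransientError("request timed out");
    return new Uint8Array([message.length]); // placeholder "signature"
  }
}

// The primary keeps timing out, so after maxAttempts the call moves to the secondary.
async function demo(): Promise<{ signer: string; primaryCalls: number; secondaryCalls: number }> {
  const primary = new FakeSigner("primary", 10);
  const secondary = new FakeSigner("secondary", 1);
  const opts: RetryOptions = { maxAttempts: 3, baseDelayMs: 100, sleep: async () => {} };
  const result = await signWithFallback([primary, secondary], new Uint8Array(32), opts);
  return { signer: result.signer, primaryCalls: primary.calls, secondaryCalls: secondary.calls };
}
```

The fallback list is ordered by preference, and a permanent error (bad request, denied by policy) is surfaced immediately rather than retried, since repeating it only adds latency and noise to the provider's audit log.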

Protect secrets and transport

  • All remote backends communicate over HTTPS; non-HTTPS endpoints are rejected.
  • Supply API keys, tokens, and credentials from a secret manager or environment variables — never hard-code them or commit them to source control.
  • Keychain sanitizes error responses to avoid leaking secrets into logs; keep your own logging free of raw credentials and key material.
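Two of the points in the list above, rejecting non-HTTPS endpoints and keeping credentials out of logs, as an added TypeScript example that is not Keychain's implementation. The regexes, the [REDACTED] marker, and the sample error message are constructed assumptions for this example.

```typescript
// Added example, not Keychain code: reject non-HTTPS signer endpoints and
// strip credentials from error text before it reaches a log.

const REDACTED = "[REDACTED]";

// Value following "Bearer " in an Authorization header.
const BEARER = /\b(bearer\s+)[^\s,;"']+/gi;
// Value following a credential-looking key, e.g. "x-api-key: abc" or "token=abc".
const CREDENTIAL_KV = /\b((?:x-api-key|api[_-]?key|token|secret|password)\s*[=:]\s*)[^\s,;"']+/gi;

function isHttpsEndpoint(endpoint: string): boolean {
  try {
    return new URL(endpoint).protocol === "https:";
  } catch {
    return false; // not a parseable URL at all
  }
}

function requireHttpsEndpoint(endpoint: string): string {
  if (!isHttpsEndpoint(endpoint)) throw new Error("remote signer endpoints must use https");
  return endpoint;
}

// knownSecrets: the literal credential values this process holds (API key,
// token). They are redacted wherever they appear, then the pattern-based
// rules catch credentials the backend may have echoed back in other forms.
function sanitizeErrorMessage(message: string, knownSecrets: string[] = []): string {
  let out = message;
  for (const secret of knownSecrets) {
    if (secret.length > 0) out = out.split(secret).join(REDACTED);
  }
  out = out.replace(BEARER, `$1${REDACTED}`);
  out = out.replace(CREDENTIAL_KV, `$1${REDACTED}`);
  return out;
}

// Constructed sample of the kind of message a remote backend might return verbatim.
const SAMPLE_API_KEY = "sk_example_0123456789";
const sampleError =
  `POST https://signer.example/v1/sign failed (401): x-api-key: ${SAMPLE_API_KEY}, ` +
  `Authorization: Bearer eyJhbGciOi.payload.sig`;

function sanitizedSample(): string {
  return sanitizeErrorMessage(sampleError, [SAMPLE_API_KEY]);
}
```

Pass the credential values you actually loaded (from the secret manager or environment) as knownSecrets: exact-match redaction is the reliable part, and the regexes are a backstop for values you did not anticipate.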

Monitor and audit signing

Track signing success rate, latency, and failure counts, and alert on spikes — see the metrics in Production Readiness. Enable provider-side audit logs (KMS, Vault, or custodian) and reconcile them against the transactions your application submits.
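To make the monitoring and reconciliation concrete, here is an added TypeScript example (not Keychain code) that summarizes signing outcomes into the metrics named above, applies a simple spike rule, and reconciles a provider audit log against the application's own submission records. The record shapes and sample data are constructed; real KMS, Vault or custodian audit records carry different fields.

```typescript
// Added example, not Keychain code: signing metrics for alerting, and
// reconciliation of a provider audit log against submitted transactions.

interface SignAttempt { signer: string; ok: boolean; latencyMs: number }
interface MetricsSnapshot { attempts: number; failures: number; successRate: number; p95LatencyMs: number }

function summarize(attempts: SignAttempt[]): MetricsSnapshot {
  const failures = attempts.filter((a) => !a.ok).length;
  const latencies = attempts.map((a) => a.latencyMs).sort((a, b) => a - b);
  // nearest-rank p95: the value at rank ceil(0.95 * n)
  const p95 = latencies.length === 0 ? 0 : latencies[Math.ceil(0.95 * latencies.length) - 1];
  return {
    attempts: attempts.length,
    failures,
    successRate: attempts.length === 0 ? 1 : (attempts.length - failures) / attempts.length,
    p95LatencyMs: p95,
  };
}

// Spike rule: at least minFailures in the current window and more than
// `factor` times the baseline window's failures.
function isFailureSpike(current: MetricsSnapshot, baseline: MetricsSnapshot, factor = 3, minFailures = 5): boolean {
  return current.failures >= minFailures && current.failures > factor * baseline.failures;
}

// One signing operation as the provider records it, and one transaction as the application records it.
interface AuditEntry { requestId: string; keyId: string }
interface Submission { requestId: string; keyId: string; txSignature: string }

interface ReconcileReport {
  unexplainedSignings: AuditEntry[];  // provider signed, but the app never submitted: investigate
  unauditedSubmissions: Submission[]; // app submitted, but the provider has no record: logging gap or wrong backend
  keyMismatches: Submission[];        // both sides know the request but disagree on the key
}

function reconcile(audit: AuditEntry[], submitted: Submission[]): ReconcileReport {
  const auditById = new Map<string, AuditEntry>(audit.map((e): [string, AuditEntry] => [e.requestId, e]));
  const submittedIds = new Set(submitted.map((s) => s.requestId));
  return {
    unexplainedSignings: audit.filter((e) => !submittedIds.has(e.requestId)),
    unauditedSubmissions: submitted.filter((s) => !auditById.has(s.requestId)),
    keyMismatches: submitted.filter((s) => {
      const e = auditById.get(s.requestId);
      return e !== undefined && e.keyId !== s.keyId;
    }),
  };
}

// Constructed sample data: ten attempts, two failures, one slow outlier.
const sampleAttempts: SignAttempt[] = [120, 130, 140, 150, 160, 170, 180, 190, 200, 900].map(
  (latencyMs, i) => ({ signer: "hot", ok: i !== 4 && i !== 9, latencyMs }),
);

const sampleAudit: AuditEntry[] = [
  { requestId: "r1", keyId: "key-hot" },
  { requestId: "r2", keyId: "key-hot" },
  { requestId: "r3", keyId: "key-cold" }, // no matching submission
];
const sampleSubmissions: Submission[] = [
  { requestId: "r1", keyId: "key-hot", txSignature: "sig-r1" },
  { requestId: "r2", keyId: "key-cold", txSignature: "sig-r2" }, // key disagrees with audit
  { requestId: "r4", keyId: "key-hot", txSignature: "sig-r4" },  // no audit record
];
```

Unexplained signings are the finding to act on first: a signature the provider produced that your application never asked for means someone else holds working credentials for that key.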
