Skip to content

feat: add keychain support #13

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
AaronCQL merged 6 commits into from
Mar 31, 2026
Merged

feat: add keychain support #13

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
6 commits
Select commit Hold shift + click to select a range
da60cc8
feat(keys): add keychain backend support for remote signers
amilz Mar 27, 2026
ade9105
docs: update keys.md with keychain backend usage
amilz Mar 27, 2026
1f47f87
refactor: use @solana/keychain umbrella, drop overrides
amilz Mar 27, 2026
01a26cd
feat: add CDP and Dfns keychain backends
amilz Mar 27, 2026
8460220
fix: address review findings for keychain integration
amilz Mar 27, 2026
d342ae7
refactor: address maintainer review comments
amilz Mar 30, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
467 changes: 425 additions & 42 deletions bun.lock
View file
Open in desktop

Large diffs are not rendered by default.

63 changes: 57 additions & 6 deletions docs/keys.md
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,12 +1,12 @@
# Keys

A key is required for signing transactions (swaps, transfers). Keys are stored locally at `~/.config/jup/keys/`.
A key is required for signing transactions (swaps, transfers). Keys can be local keypairs stored at `~/.config/jup/keys/` or remote signers backed by [solana-keychain](https://github.com/solana-foundation/solana-keychain) (AWS KMS, CDP, Crossmint, Dfns, Fireblocks, GCP KMS, Para, Privy, Turnkey, Vault).

## Commands

### Add a new key

Generate a new key:
Generate a new local keypair:

```bash
jup keys add <name>
Expand All @@ -26,6 +26,50 @@ jup keys add <name> --seed-phrase "word1 word2 ..." --derivation-path "m/44'/501
jup keys add <name> --private-key <key> # accepts hex, base58, base64, or a JSON byte array
```

### Add a keychain-backed key

Connect a remote signer using `--backend` and `--param`:

```bash
jup keys add <name> --backend <type> --param key1=value1 --param key2=value2
```

Secrets are read from environment variables (never stored in config files). Non-sensitive parameters are stored in `~/.config/jup/keys/<name>.keychain.json`.

#### Examples

```bash
# Privy (requires PRIVY_APP_SECRET env var)
jup keys add my-privy --backend privy --param appId=app_xxx --param walletId=wallet_xxx

# HashiCorp Vault (requires VAULT_TOKEN env var)
jup keys add my-vault --backend vault --param vaultAddr=https://vault.example.com --param keyName=solana-key --param publicKey=<base58-pubkey>

# AWS KMS (uses default AWS credential chain)
jup keys add my-kms --backend aws-kms --param keyId=arn:aws:kms:... --param publicKey=<base58-pubkey>

# Turnkey (requires TURNKEY_API_PRIVATE_KEY env var)
jup keys add my-turnkey --backend turnkey --param apiPublicKey=<hex> --param organizationId=<id> --param privateKeyId=<id> --param publicKey=<base58-pubkey>

# Coinbase CDP (requires CDP_API_KEY_ID, CDP_API_KEY_SECRET, CDP_WALLET_SECRET env vars)
jup keys add my-cdp --backend cdp --param address=<solana-address>

# Dfns (requires DFNS_AUTH_TOKEN and DFNS_PRIVATE_KEY_PEM env vars)
jup keys add my-dfns --backend dfns --param credId=<cred-id> --param walletId=<wallet-id>

# Fireblocks (requires FIREBLOCKS_API_KEY and FIREBLOCKS_PRIVATE_KEY_PEM env vars)
jup keys add my-fireblocks --backend fireblocks --param vaultAccountId=<id>

# GCP KMS (uses default GCP credentials)
jup keys add my-gcp --backend gcp-kms --param keyName=projects/.../cryptoKeyVersions/1 --param publicKey=<base58-pubkey>

# Para (requires PARA_API_KEY env var)
jup keys add my-para --backend para --param walletId=<uuid>

# Crossmint (requires CROSSMINT_API_KEY env var)
jup keys add my-crossmint --backend crossmint --param walletLocator=<locator>
```

### List keys

```bash
Expand All @@ -36,9 +80,16 @@ jup keys list
// Example JSON response:
[
{
"name": "key1",
"address": "ABC1...xyz", // Solana wallet address
"active": true // if true, key is used by default for signing transactions
"name": "default",
"address": "ABC1...xyz",
"type": "keypair", // "keypair" for local keys, or the backend name (e.g. "privy", "vault")
"active": true
},
{
"name": "my-vault",
"address": "DEF2...uvw",
"type": "vault",
"active": false
}
]
```
Expand All @@ -58,7 +109,7 @@ jup keys edit <name> --seed-phrase "word1 word2 ..." --derivation-path "m/44'/50
jup keys edit <name> --private-key <key>
```

Rename a key and/or replace its credentials. Options can be combined. `--seed-phrase` and `--private-key` are mutually exclusive.
Rename a key and/or replace its credentials. Options can be combined. `--seed-phrase` and `--private-key` are mutually exclusive and only apply to local keypairs. Keychain-backed keys only support `--name` (rename) — to change backend parameters, delete and re-add the key.

### Delete a key

Expand Down
3 changes: 2 additions & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -34,7 +34,8 @@
"@scure/bip32": "^2.0.1",
"@scure/bip39": "^2.0.1",
"@solana-program/token": "^0.12.0",
"@solana/kit": "^6.2.0",
"@solana/keychain": "^0.6.1",
"@solana/kit": "^6.5.0",
"chalk": "^5.6.2",
"cli-table3": "^0.6.5",
"commander": "^14.0.3",
Expand Down
Loading
Loading