Pair a wallet
Verify the factory certificate, create the BIP-32 key, and record the actual derivation path.
NFC Bitcoin hardware signer
Your wallet builds the transaction. TAPSIGNER keeps the BIP-32 key on a separate card. Review, tap, enter your PIN, and sign.
Credit-card size. Tap to authorize.
The idea
TAPSIGNER is the signing key your phone does not keep. A compatible wallet manages balances, addresses, and transaction details. The card holds the key and participates only when you physically tap it.
Custom branding & white-label runs
Coinkite produces custom-branded TAPSIGNER editions for organizations, wallets, conferences, communities, and client programs. Custom artwork, powered by the same TAPSIGNER security model and open protocol.
Previous custom editions include Nunchuk, Human Rights Foundation, PubKey, and Satsconf.
Your artwork on the card. TAPSIGNER underneath.
Three deliberate steps
Simple enough for daily use. Explicit enough to know where the key and recovery material live.
Verify the factory certificate, create the BIP-32 key, and record the actual derivation path.
Save the encrypted XPRV file, copy the printed decryption key separately, then change the factory PIN.
Check destination, amount, fee, inputs, and change in the wallet before authorizing its signature request.
Use your preferred interface
Current integrations include Nunchuk, Cove, Bitcoin Keeper, and Sparrow. Choose by platform, policy, and recovery workflow—not by logo alone.
A separate key changes the boundary
| Model | Where the key lives | Where you review |
|---|---|---|
| Phone-only wallet | On the phone | Phone |
| TAPSIGNER | Separate NFC card | Companion wallet |
| Display hardware wallet | Separate device | Hardware device |
Normal signing keeps the unencrypted master XPRV off the phone. The wallet still decides what digest to request, so software and transaction review remain part of the security model.
Recovery, clearly stated
TAPSIGNER exports the master XPRV and current path in an AES-128-CTR encrypted file. Recovery requires that file, a separate copy of the fixed 128-bit key printed on the card, and the wallet configuration that defines the addresses or multisig policy.
No restore-to-card command. Recovery decrypts the XPRV for use outside the original card, so the recovery environment becomes part of your security boundary.
Plan backup and recoveryFits more than one wallet design
Keep the one signing key on a separate card while your wallet manages the interface and public data.
Understand the model →Use TAPSIGNER as one independent key, with the complete descriptor and recovery plan preserved.
Plan a multisig role →Build with the public protocol, reference implementation, certificate checks, and documented command flow.
Read the developer guide →The honest tradeoff
TAPSIGNER signs a requested digest; it cannot independently display the payment. Verify the wallet, review the finalized transaction, and choose a display-equipped signer when on-device confirmation is required.
Two cards. Two jobs.
Keep TAPSIGNER under one owner's control and use it repeatedly to sign. Choose SATSCARD when funded bitcoin should travel with a physical card to a new owner.
Compare SATSCARD and TAPSIGNERSee the interaction
A short walkthrough of pairing TAPSIGNER with Nunchuk and authorizing with NFC.
Ready when your phone is