What is TAPSIGNER?

A simple Bitcoin wallet in your pocket. Think of it as a Bitcoin private key on a card! You can sign mobile wallet transactions by tapping the card on your phone. Your mobile wallet provides most of the wallet logic and TAPSIGNER holds the secrets. It's essentially a hardware wallet you can slip inside your regular wallet.

What's the motivation for TAPSIGNER? You already make COLDCARD®.

What are some possible uses for TAPSIGNER?

Do I need this paper envelope it came in?

Yes! That's a special radio frequency (RF) blocking sleeve. It prevents unwanted access by RF readers with bad intentions. Be sure to insert TAPSIGNER fully into the sleeve: even 5 mm sticking out can allow a sneaky reader to get a signal.

I lost the RF-blocking sleeve! What can I do?

Thousands of RF-blocking sleeves, wallets, and other card protectors (search for "RFID blocking") are available from Amazon and other online retailers. Any of these should work.

Will you have different graphics?

Yes! We are actively working with artists to produce more designs.

And if you are a brand looking to white label it, please get in touch.

Can I use TAPSIGNER for multisig co-signing?

Absolutely! TAPSIGNER works perfectly for multisig transactions.

Can I use TAPSIGNER with a computer (desktop, laptop)?

Yes! You need a USB NFC card reader and the cktap command-line software, or any desktop wallet that supports our open protocol.

Plans include adding Hardware Wallet Interface (HWI) support.

Is the private key unique and secret?

Yes. TAPSIGNER ships without a private key. The setup process combines entropy (random bits) that you provide with secret entropy picked by the card, so neither you nor the card alone determines the key.

How do I see the deposit address?

Use your mobile wallet to view the deposit address.

How do I know a TAPSIGNER is genuine?

There are a number of ways to verify the card:

How do I know I'm depositing to the correct address?

You must use a mobile wallet that supports TAPSIGNER. Ideally, you tap the card as part of verifying the deposit address. However, once a wallet is set up, it can generate deposit addresses using the usual BIP-32 derived address paths.

Can I store data on my TAPSIGNER?

No. The TAPSIGNER cannot hold arbitrary data.

How long will a TAPSIGNER last?

Like most electronic devices, if stored properly, it should last decades.

For long-term HODL/storage and large amounts, we recommend a COLDCARD® Hardware Wallet, an ultra-secure Bitcoin wallet also made by Coinkite.

Can't the phone just grab the private key and use it later?

No, the private key (XPRV) that controls the funds never leaves the card.

The backup feature provides an encrypted (AES-128-CTR) copy of the key. Using it requires the decryption key printed on the card. Rogue software cannot read the back of the card without your help.

What if someone takes my TAPSIGNER?

Provided you changed the PIN code (CVC), they could copy the AES decryption key (by photographing the back of the card), but they cannot do anything useful with the card's electronics without the PIN, and the decryption key alone is useless without your backup file.

Can I use it on an untrusted computer?

The private key is generated inside the TAPSIGNER and never leaves it, even if malware or keyloggers are present on the connected computer.

However, the wallet you paired with the TAPSIGNER can ask it to sign any transaction. Because the TAPSIGNER has no screen, it cannot display transaction details, so you can't verify what you're signing. We recommend the COLDCARD if this is a concern.

What's the seed phrase (BIP-39)?

TAPSIGNER is BIP-32 based and does not use BIP-39 seed phrases (mnemonics), but you can securely back up the XPRV.

The TAPSIGNER encrypts the XPRV with AES using a 16-byte key printed on the back of the card. The backup file plus the key lets you recover the XPRV.

How do I back up a TAPSIGNER?

That's all you need to restore the XPRV.

What if I lose my TAPSIGNER?

Use your backup file and a copy of the decryption code from the back of the card to recover the XPRV. If you have those, you don't need the original card.
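The recovery step above (backup file plus the 16-byte key printed on the card) as an added worked example; this is not Coinkite's cktap code. It is a self-contained Python implementation of AES-128-CTR, so the backup can be opened offline without the card or a wallet and every step is visible. A zero IV is an assumption of this example that should be checked against the cktap documentation, and the demo plaintext is a constructed placeholder, not a real xprv. In practice you would use a vetted AES library rather than a hand-written cipher.

```python
"""Added example: decrypting a TAPSIGNER-style backup blob with the 16-byte card key."""


def gf_mul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r


def _make_sbox():
    """AES S-box: multiplicative inverse in GF(2^8) followed by the affine transform."""
    box = []
    for x in range(256):
        inv = 1
        for _ in range(254):       # x^254 == x^-1 in GF(2^8); 0 stays 0
            inv = gf_mul(inv, x)
        s = inv
        for i in range(1, 5):      # s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4)
            s ^= ((inv << i) | (inv >> (8 - i))) & 0xFF
        box.append(s ^ 0x63)
    return box


SBOX = _make_sbox()
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]


def expand_key(key):
    """AES-128 key schedule (FIPS-197 5.2): 11 round keys of 16 bytes, column-major."""
    w = [list(key[i:i + 4]) for i in range(0, 16, 4)]
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]       # SubWord(RotWord(t))
            t[0] ^= RCON[i // 4 - 1]
        w.append([w[i - 4][j] ^ t[j] for j in range(4)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]


def encrypt_block(round_keys, block):
    """Encrypt one 16-byte block. State byte (row r, column c) sits at index 4*c + r."""
    s = [b ^ k for b, k in zip(block, round_keys[0])]
    for rnd in range(1, 11):
        s = [SBOX[b] for b in s]                                            # SubBytes
        s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows
        if rnd != 10:                                                       # MixColumns
            mixed = []
            for c in range(4):
                a0, a1, a2, a3 = s[4 * c:4 * c + 4]
                mixed += [gf_mul(a0, 2) ^ gf_mul(a1, 3) ^ a2 ^ a3,
                          a0 ^ gf_mul(a1, 2) ^ gf_mul(a2, 3) ^ a3,
                          a0 ^ a1 ^ gf_mul(a2, 2) ^ gf_mul(a3, 3),
                          gf_mul(a0, 3) ^ a1 ^ a2 ^ gf_mul(a3, 2)]
            s = mixed
        s = [b ^ k for b, k in zip(s, round_keys[rnd])]                     # AddRoundKey
    return bytes(s)


def aes128_ctr(key, data, iv=bytes(16)):
    """CTR mode keystream XOR. Symmetric: the same call encrypts and decrypts."""
    round_keys = expand_key(key)
    counter = int.from_bytes(iv, "big")
    out = bytearray()
    for off in range(0, len(data), 16):
        ctr_block = ((counter + off // 16) % (1 << 128)).to_bytes(16, "big")
        keystream = encrypt_block(round_keys, ctr_block)
        out += bytes(d ^ k for d, k in zip(data[off:off + 16], keystream))
    return bytes(out)


def decrypt_backup(backup_blob, key_hex):
    """Open a backup with the 32-hex-character key printed on the back of the card.

    Zero IV is an assumption of this example. CTR mode has no integrity check, so a wrong
    key or a corrupted blob yields garbage silently: validate the recovered xprv afterwards.
    """
    key = bytes.fromhex(key_hex)
    if len(key) != 16:
        raise ValueError("backup key must be 16 bytes (32 hex characters)")
    return aes128_ctr(key, backup_blob)


if __name__ == "__main__":
    # Constructed demo values: a placeholder in place of a real xprv, and a made-up card key.
    demo_key_hex = "00112233445566778899aabbccddeeff"
    demo_plain = b"xprv-placeholder-not-a-real-key\nm/84h/0h/0h"
    demo_blob = aes128_ctr(bytes.fromhex(demo_key_hex), demo_plain)  # what a card would export
    print(decrypt_backup(demo_blob, demo_key_hex).decode())
```

The point to take away is that the blob and the 16-byte key on the back of the card are together sufficient to recover the XPRV, so they must be protected as a pair. Because CTR mode provides confidentiality only, a mistyped key does not raise an error; confirm that the recovered text is a valid xprv (its Base58 checksum verifies) before relying on it.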

How do I know the verification link is genuine?

A different random nonce (short for "number used once": a value used a single time in a cryptographic exchange) is signed each time you tap the card on your phone to receive the URL over NFC. Our server verifies the signature and checks that the nonce has not been seen before.

You can also tap again to get a new nonce and corresponding signature.

cktap can do additional verification over the NFC interface that is not possible via the single NFC tap to webpage method. All verification code is open source Python.

Is this a centralized service?

No. It is never necessary to use a centralized service with TAPSIGNER. Our protocol is fully open and the card stores the private keys.

TAPSIGNER works with any Bitcoin wallet that uses our NFC protocol.

How do I know the manufacturer doesn't know the private key?

When setting up your TAPSIGNER for the first time, you provide a 32-byte chain code for entropy. That chain code plus a private key picked by the TAPSIGNER are combined using the BIP-32 standard to derive the payment address.

Because you provided the chain code, and the TAPSIGNER shares the public part of its key, you can derive the payment address and confirm that it matches the address given by the card.

Effectively this means you know the XPUB, the card knows the XPRV, and it's easy to prove the two correspond.

Could TAPSIGNER be generating private keys that look random but aren't?

No. Each customer provides their own chain code for entropy. Before making a deposit, a customer can verify TAPSIGNER incorporated the chain code entropy when it generated the keys.
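The check described in the last two answers, as an added example (not cktap code or the card's firmware): a simulated card mixes the user-supplied 32-byte chain code with a private key of its own, and the wallet recomputes the derived public key from the XPUB it can assemble on its own (the card's master public key plus the chain code it supplied). The SimulatedCard class, the derivation path (0, 0), and the rogue-card variant are assumptions for illustration; the secp256k1 and BIP-32 arithmetic is standard. Comparing compressed public keys is equivalent to comparing addresses, since an address is a deterministic hash of the key.

```python
"""Added example: checking that a card's derived key incorporates the user's chain code."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
HARDENED = 0x80000000


def ec_add(p, q):
    """Affine point addition; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P     # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, p):
    """Double-and-add scalar multiplication (not constant-time; used on public data here)."""
    r = None
    while k:
        if k & 1:
            r = ec_add(r, p)
        p = ec_add(p, p)
        k >>= 1
    return r


def compress(pt):
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def decompress(b):
    x = int.from_bytes(b[1:], "big")
    y = pow((x**3 + 7) % P, (P + 1) // 4, P)        # square root, valid since P % 4 == 3
    return x, (y if (y & 1) == (b[0] & 1) else P - y)


def ckd_priv(k, cc, index):
    """BIP-32 CKDpriv, what the card computes with its secret. Returns (child_key, child_cc)."""
    data = b"\x00" + k.to_bytes(32, "big") if index >= HARDENED else compress(ec_mul(k, G))
    i = hmac.new(cc, data + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    if il >= N:
        raise ValueError("invalid child, use the next index")
    return (il + k) % N, i[32:]


def ckd_pub(pub, cc, index):
    """BIP-32 CKDpub, what the wallet computes from the XPUB alone (non-hardened only)."""
    if index >= HARDENED:
        raise ValueError("hardened children cannot be derived from a public key")
    i = hmac.new(cc, pub + index.to_bytes(4, "big"), hashlib.sha512).digest()
    il = int.from_bytes(i[:32], "big")
    child = ec_add(ec_mul(il, G), decompress(pub))
    if il >= N or child is None:
        raise ValueError("invalid child, use the next index")
    return compress(child), i[32:]


class SimulatedCard:
    """Stand-in for the card (an assumption, not the NFC protocol): it keeps a private key
    it picked itself, takes the user's chain code at setup, and exports only public data."""

    def __init__(self, user_chain_code, honest=True):
        self._k = int.from_bytes(secrets.token_bytes(32), "big") % (N - 1) + 1
        # A rogue card might quietly substitute a chain code of its own choosing.
        self._cc = user_chain_code if honest else secrets.token_bytes(32)
        self.master_pub = compress(ec_mul(self._k, G))

    def derive(self, path):
        """Compressed public key at `path`; the address the card would show is a hash of it."""
        k, cc = self._k, self._cc
        for index in path:
            k, cc = ckd_priv(k, cc, index)
        return compress(ec_mul(k, G))


def wallet_expected_pubkey(master_pub, user_chain_code, path):
    """Wallet side: the XPUB is master_pub plus the chain code we supplied ourselves,
    so every non-hardened child can be derived without ever seeing the private key."""
    pub, cc = master_pub, user_chain_code
    for index in path:
        pub, cc = ckd_pub(pub, cc, index)
    return pub


def card_used_my_entropy(card, user_chain_code, path=(0, 0)):
    """True only if the card's key at `path` matches the XPUB-derived prediction."""
    return card.derive(path) == wallet_expected_pubkey(card.master_pub, user_chain_code, path)


if __name__ == "__main__":
    my_cc = secrets.token_bytes(32)                 # the 32 bytes of entropy the user supplies
    print("honest card:", card_used_my_entropy(SimulatedCard(my_cc), my_cc))               # True
    print("rogue card: ", card_used_my_entropy(SimulatedCard(my_cc, honest=False), my_cc))  # False
```

Run before the first deposit, this is the check the answers above describe: the wallet never learns the private key, yet a card that ignored or replaced the chain code is caught at the first derived address. The check only proves that your chain code went into the key, so keep that chain code private; it is the one input to the key that the manufacturer cannot know.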

Do I give the TAPSIGNER to other people as payment?

No. Keep the TAPSIGNER under your control at all times.

You might be thinking of the SATSCARD.

Can I use a TAPSIGNER to sign a message?

Yes. A TAPSIGNER can sign arbitrary messages; the card uses the same signing mechanism it uses for transactions.

What if I make a malicious TAPSIGNER?

Each TAPSIGNER made by Coinkite carries a certificate, signed by our factory. Like the X.509 certificate chain for OPENDIME®, it can be traced back and verified in the field.

The Python code in cktap will always verify the certificate chain when speaking to TAPSIGNER, and mobile wallets should do the same.

What about an active MiTM attack or relay attack over NFC?

A man-in-the-middle can't change what you're doing with the card. ECDH (Elliptic-curve Diffie-Hellman) is used to encrypt sensitive values such as the card verification code (CVC), which is required to modify the card or view keys. Likewise, all key operations, such as signing a transaction, are ECDH-encrypted and require the CVC.

Still have questions? Contact support: [email protected]

Does "tapping" reveal my public key?

When you tap the TAPSIGNER on a phone it provides a URL for verification purposes, which contains a signature. The URL will typically take you to tapsigner.com/start which decodes it and shows a verification message if it all checks out. This lets you know that a real TAPSIGNER card (not a generic NFC card) is being used, and helps to on-board new users by providing useful links to suitable wallet apps.

That URL does not contain any part of your public key (or XPUB) and cannot be linked to any of your on-chain activity. It is unique for each card.