This page contains the full Safeheron MPC configuration for a Nexus deployment.
When to use
Set MPC_SIGNER=safeheron when you want signing to be handled by Safeheron instead of local private keys.
Key passing mode
Safeheron RSA key fields support both:
PEM content string
local PEM file path
Recommended: use file paths (for example /run/secrets/...) and make sure those files are mounted and readable in your runtime environment.
Required consistency
DOTSWAP_ACCOUNT_ADDRESS and all addresses in POOLS_*, SINGLE_LIQUIDITY_POOLS_*, and TAKERS_* should belong to the same Safeheron accountKey + pubKey derivation set. Otherwise, signing may fail.
Variables (service runtime)
Set the following SAFEHERON_* variables in the running service environment:
MPC_SIGNER=safeheron
SAFEHERON_BASE_URL
SAFEHERON_SIGN_API_KEY
SAFEHERON_SIGN_RSA_PRIVATE_KEY (PEM content or file path)
SAFEHERON_SIGN_SAFEHERON_RSA_PUBLIC_KEY (PEM content or file path)
SAFEHERON_ACCOUNT_API_KEY (optional)
SAFEHERON_ACCOUNT_RSA_PRIVATE_KEY (PEM content or file path, optional)
SAFEHERON_ACCOUNT_SAFEHERON_RSA_PUBLIC_KEY (PEM content or file path, optional)
SAFEHERON_ACCOUNT_KEY
SAFEHERON_PUB_KEY
You can provide PEM content directly for RSA fields, but file paths are recommended for security.
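A preflight check for the variables listed above, as an added example that is not part of the Nexus or Safeheron code: it reports unset required variables and, for each RSA field, whether the value is inline PEM or a readable key file with safe permissions. Recognising PEM content by its `-----BEGIN ` header, and the permission thresholds used, are assumptions of this example.

```python
import os
import stat
import sys

REQUIRED = ("SAFEHERON_BASE_URL", "SAFEHERON_SIGN_API_KEY",
            "SAFEHERON_SIGN_RSA_PRIVATE_KEY",
            "SAFEHERON_SIGN_SAFEHERON_RSA_PUBLIC_KEY",
            "SAFEHERON_ACCOUNT_KEY", "SAFEHERON_PUB_KEY")
RSA_FIELDS = ("SAFEHERON_SIGN_RSA_PRIVATE_KEY",
              "SAFEHERON_SIGN_SAFEHERON_RSA_PUBLIC_KEY",
              "SAFEHERON_ACCOUNT_RSA_PRIVATE_KEY",
              "SAFEHERON_ACCOUNT_SAFEHERON_RSA_PUBLIC_KEY")
PEM_MARKER = "-----BEGIN "  # assumption: inline PEM is recognised by its header

def check_rsa_field(name, value):
    """Return (level, message) findings for one RSA key variable."""
    private = name.endswith("RSA_PRIVATE_KEY")
    if PEM_MARKER in value:
        # Inline PEM is supported, but a private key then sits in the environment.
        return [("warn", f"{name}: inline PEM; prefer a mounted file path")] if private else []
    try:
        mode = os.stat(value).st_mode
        with open(value, encoding="ascii", errors="replace") as fh:
            body = fh.read()
    except (OSError, ValueError) as exc:
        return [("error", f"{name}: cannot read key file ({exc})")]
    out = []
    if PEM_MARKER not in body:
        out.append(("error", f"{name}: file has no PEM header"))
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        # A writable key file lets another local user swap a trusted key.
        out.append(("error", f"{name}: key file is group/world-writable"))
    if private and mode & stat.S_IROTH:
        out.append(("warn", f"{name}: private key file is world-readable"))
    return out

def check_env(env):
    """Validate a mapping of environment variables; return all findings."""
    if env.get("MPC_SIGNER") != "safeheron":
        return [("error", "MPC_SIGNER is not 'safeheron'")]
    out = [("error", f"{n}: required but unset") for n in REQUIRED if not env.get(n)]
    for name in RSA_FIELDS:
        if env.get(name):  # the ACCOUNT_* RSA fields are optional
            out += check_rsa_field(name, env[name])
    return out

if __name__ == "__main__":
    findings = check_env(os.environ)
    for level, msg in findings:
        print(f"{level}: {msg}")
    sys.exit(1 if any(level == "error" for level, _ in findings) else 0)
```

Run it inside the service container before startup so the paths and permissions it sees are the ones the service will see.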
Example (docker-compose runtime environment mode)
If you edit docker-compose.yml environment entries directly, set:
In this manual mode, RSA fields also support direct PEM content.