Go-Live Checklist
Follow these steps to transition from sandbox to production.
1. Deploy Your Cosigner
Run the MPC cosigner on your infrastructure — Docker with optional AWS Nitro Enclave. Connect it to the Carabaas Coordinator over TLS.
- Set up a server meeting the infrastructure requirements
- Deploy with Docker Compose (deployment guide)
- For production, enable AWS Nitro Enclave for hardware isolation
- Configure TLS certificates for the HTTPS management interface
2. Initialize and Unseal
- Complete the cosigner initialization ceremony
- Distribute unseal keys to 3 designated key holders
- Backup encrypted share files — there is no other recovery path
- Verify 2-of-3 unseal works correctly
- Connect the cosigner to your organization via invite code
3. Set Up Vaults and Roles
- Create your organization
- Spin up vaults (per business unit, per client, or hot/cold split)
- Set quorum thresholds for each vault
- Assign roles — OrgAdmin, VaultAdmin, Operators, Approvers, Viewers
- Test role-based access restrictions
4. Generate Addresses
- Payments: one address per customer order
- Treasury: addresses per network
- Use
@eth-likefor a single address across all EVM chains
5. Handle Deposits
- Subscribe to the incoming webhook stream
- Configure confirmation thresholds per network
- Match deposits to orders by address
- Track confirmations and multi-asset balance changes
- Test end-to-end deposit flow on testnet
6. Handle Withdrawals
- Create transactions via API
- Wire up approvals (RSA signature or UI)
- Listen to the outgoing stream for status updates — approval, signing, broadcast, confirmation
- Handle
warningnotifications for insufficient balance (platform retries for 72h) - Test end-to-end withdrawal flow on testnet
7. Reporting
- Pull historical balance snapshots via the statements API
- Query transactions with balance changes for reconciliation
- Set up audit log export for compliance
Pre-Production Checklist
Infrastructure
| Item | Status |
|---|---|
| Cosigner deployed and connected | ☐ |
| AWS Nitro Enclave enabled | ☐ |
| TLS certificates configured (CA-signed) | ☐ |
| EBS volume encrypted (KMS CMK) | ☐ |
| Server access restricted (SSH + 3443 only) | ☐ |
| Cosigner monitoring / alerting active | ☐ |
Security
| Item | Status |
|---|---|
| Unseal keys distributed to 3 key holders | ☐ |
| Unseal key holders use separate password managers | ☐ |
| Encrypted share files backed up securely | ☐ |
| RSA signing key stored securely (HSM or secret manager) | ☐ |
| JWT rotation configured | ☐ |
| Key recovery process documented | ☐ |
Application
| Item | Status |
|---|---|
| Vaults created with quorums | ☐ |
| Roles and permissions assigned | ☐ |
| Addresses generated | ☐ |
| Webhook subscriptions active | ☐ |
| Deposit flow tested end-to-end | ☐ |
| Withdrawal flow tested end-to-end | ☐ |
| Approval flow tested end-to-end | ☐ |
| Error handling implemented | ☐ |
| Reconciliation pipeline ready | ☐ |
| Rate limits understood | ☐ |
tip
Start in sandbox. Every step works end-to-end on testnet before you go live.