Skip to main content
The Server SDK is currently experimental and not ready for production use. Reach out to partnerships@phantom.com for access.

Overview

This guide demonstrates how to integrate the @phantom/server-sdk into your application for secure wallet management and transaction signing.

Critical security information

The private key for your organization is meant to be stored only on your server, in a secure environment.
  • Never expose this key in client-side code.
  • Never commit it to version control.
  • Store it securely using environment variables or secret management systems.

Backend integration

When integrating the SDK into your backend, it’s important to maintain the relationship between your users and their wallets.

Key requirements

  1. Always store the wallet ID in your database immediately after creation.
  2. Associate each wallet with a user ID to maintain ownership.
  3. Use meaningful wallet names (for example, user_${userId}) for easier recovery.

Database schema

The following is an example using Prisma:

Complete API example

The following is a production-ready Express API with proper wallet management:

Best practices

Wallet management

  • Always use meaningful wallet names: Use identifiers like user_${userId} or org_${orgId}_wallet_${timestamp} to make wallet recovery easier.
  • Store wallet IDs immediately: As soon as you create a wallet, persist the walletId in your database. This is critical for accessing the wallet later.
  • Maintain wallet-user relationships: Always associate wallets with user accounts in your database to ensure proper ownership tracking.

Error handling

  • Implement retry logic: Network requests can fail. Implement exponential backoff for transient failures.
  • Log errors comprehensively: Log both the error message and any response data for debugging.
  • Handle specific error cases: Different errors require different handling (for example, insufficient balance vs network errors).

Performance

  • Cache wallet addresses: After fetching addresses, cache them to reduce API calls.
  • Use pagination: When listing wallets, always use pagination to handle large datasets efficiently.
  • Batch operations: If you need to perform multiple operations, consider batching where possible.

Transaction management

  • Always verify transactions: After signing and sending, always wait for confirmation.
  • Implement timeout handling: Set reasonable timeouts for transaction confirmations.
  • Store transaction history: Keep records of all transactions for audit trails.

Security considerations

API key management

Environment security

  • Use secret management services: In production, use services like AWS Secrets Manager, HashiCorp Vault, or similar.
  • Rotate keys regularly: Implement a key rotation strategy.
  • Limit key access: Only give access to the private key to services that absolutely need it.
  • Monitor API usage: Set up alerts for unusual API activity.

Database security

  • Encrypt sensitive data: Consider encrypting wallet IDs and user associations at rest.
  • Use database access controls: Implement proper RBAC for database access.
  • Audit wallet operations: Log all wallet creation and transaction operations.

API security

  • Implement rate limiting: Protect your endpoints from abuse.
  • Use authentication: Require proper authentication for all wallet operations.
  • Validate all inputs: Never trust client-provided data.
  • Use HTTPS only: Ensure all API communications are encrypted.

Next steps

Disclaimers

The Server SDK is a beta version, and Phantom will not be liable for any losses or damages suffered by you or your end users. Any suggestions, enhancement requests, recommendations, or other feedback provided by you regarding the Server SDK will be the exclusive property of Phantom. By using this beta version and providing feedback, you agree to assign any rights in that feedback to Phantom.