Upvest defines the notion of ‘tenants’, which represent customers that build their platform upon the Upvest API. The end-users of the tenant (i.e. your customers), are referred to as ‘clients’. A tenant is able to manage their users directly (CRUD operations for the user instance) and is also able to initiate actions on the user's behalf (create wallets, send transactions).
Upvest integrates blockchain protocols into their tech stack and exposes access to the functionality of those protocols to their tenants via an easy-to-use and documented set of API calls.
A tenant is able to register an account with Upvest under account.upvest.co. The tenant usually represents a business which is integrating the Upvest API to offer blockchain-backed services to their users.
A client is a user of the tenant, utilizing Upvest software indirectly, via interacting with the tenant's platform. Although the tenant can initiate actions on the user’s behalf, any actions that require access to the user’s wallet (i.e. transactions, signing) will require the involvement of the user using their password.
At a high level, the Upvest platform can be divided into three parts. It consists of the API layer, the Upvest Wallet Management layer as well as the Upvest Enclave.
Let's take a look at a working example of the technical architecture along with the example of sending a transaction:
The tenant's user submits his password and the relevant transaction information on the tenant's front-end which triggers an API call directly to Upvest from their browser.
The Upvest API is the customer (tenant) and end-user (client) facing product. It validates incoming transaction requests and passes them on for processing as well as steering the response back to the requesting entity (in this case the requesting user’s browser).
Upon authenticating the user and validating their transaction request, the request is passed to the Wallet Management layer which retrieves the user’s encrypted wallet material from the Upvest data store. A first level of processing is performed using a Hardware Security Module (HSM), before passing the wallet data and transaction information to the Upvest Enclave.
The Upvest Enclave is an extremely small and hardened bare-kernel processing environment. It is the only part of the Upvest platform where decrypted wallet private keys exist, and solely for the purpose of signing transaction requests.
The Upvest Enclave derives the user’s wallet decryption key from their password, decrypts the user wallet, validates and signs the requested transactions, and returns the signed payload to the Wallet Management layer, which passes the signed payload to back-end blockchain nodes for broadcast.