KMS (Key Management Service) methods let you query the key management infrastructure used to encrypt CVM environment variables and manage on-chain app contracts. Most applications use the default "phala" KMS type, but the SDK supports querying any available KMS.
GetKMSList
GET /kms
Returns a paginated list of all available KMS servers.
```go
func (c *Client) GetKMSList(ctx context.Context) (*GetKMSListResponse, error)
```
Returns: *GetKMSListResponse — a Paginated[KMSInfo] containing:
| Field | Type | Description |
|---|---|---|
| Items | []KMSInfo | List of KMS servers |
| Total | int | Total count |
| Page | int | Current page |
| PageSize | int | Items per page |
| Pages | int | Total pages |
Each KMSInfo contains:
| Field | Type | Description |
|---|---|---|
| ID | string | KMS identifier |
| Slug | *string | URL-friendly slug |
| URL | string | KMS server URL |
| Version | string | KMS version |
| ChainID | *int | Blockchain chain ID (for on-chain KMS) |
| KMSContractAddress | *string | On-chain KMS contract address |
```go
kmsList, err := client.GetKMSList(ctx)
if err != nil {
	log.Fatal(err)
}
for _, kms := range kmsList.Items {
	fmt.Printf("KMS: %s (version: %s)\n", kms.ID, kms.Version)
}
```
GetKMSInfo
GET /kms/{kmsId}
Returns detailed information about a specific KMS server.
```go
func (c *Client) GetKMSInfo(ctx context.Context, kmsID string) (*KMSInfo, error)
```
Parameters:
| Field | Type | Required | Description |
|---|---|---|---|
| kmsID | string | Yes | KMS identifier |
Returns: *KMSInfo
```go
kms, err := client.GetKMSInfo(ctx, "phala")
if err != nil {
	log.Fatal(err)
}
fmt.Printf("KMS URL: %s\n", kms.URL)
```
GetAppEnvEncryptPubKey
GET /kms/{kmsType}/pubkey/{appId}
Returns the public key used to encrypt environment variables for a specific app. You need this key to encrypt env vars before passing them to UpdateCVMEnvs or CommitCVMProvision.
```go
func (c *Client) GetAppEnvEncryptPubKey(ctx context.Context, kmsType, appID string) (*AppEnvPubKeyResponse, error)
```
Parameters:
| Field | Type | Required | Description |
|---|---|---|---|
| kmsType | string | Yes | KMS type (e.g., "phala") |
| appID | string | Yes | Application identifier |
Returns: *AppEnvPubKeyResponse (generic map containing the public key)
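```go
pubkey, err := client.GetAppEnvEncryptPubKey(ctx, "phala", "app-abc123")
if err != nil {
	log.Fatal(err)
}
// The response is a generic map; print it to inspect the returned public key.
fmt.Printf("Env encryption pubkey response: %v\n", pubkey)
```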
The encryption public key is specific to each app and KMS combination. Always fetch a fresh key before encrypting environment variables.
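Because env vars are encrypted to whatever key the selected KMS returns, a caller can first confirm that the KMS described by `GetKMSInfo` is the one it expects. The following is an added example, not SDK code: `KMSInfo` is a local mirror of the documented fields this check uses, and `KMSPin`, `VerifyKMS` and all sample values are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// KMSInfo is a local mirror of the documented fields, so the example compiles without the SDK.
type KMSInfo struct {
	ID, URL, Version   string
	ChainID            *int
	KMSContractAddress *string
}

// KMSPin (hypothetical) is the on-chain KMS identity the deployer decided to trust ahead of time.
type KMSPin struct {
	ID, ContractAddress string
	ChainID             int
}

// VerifyKMS (hypothetical helper) returns an error unless info matches the pin.
func VerifyKMS(info KMSInfo, pin KMSPin) error {
	if info.ID != pin.ID {
		return fmt.Errorf("kms id %q does not match pinned %q", info.ID, pin.ID)
	}
	u, err := url.Parse(info.URL)
	if err != nil || u.Scheme != "https" || u.Host == "" {
		return fmt.Errorf("kms url %q is not an absolute https URL", info.URL)
	}
	if info.ChainID == nil || info.KMSContractAddress == nil { // pointer fields may be unset
		return errors.New("pinned an on-chain KMS but chain fields are missing")
	}
	if *info.ChainID != pin.ChainID {
		return fmt.Errorf("chain id %d does not match pinned %d", *info.ChainID, pin.ChainID)
	}
	if !strings.EqualFold(*info.KMSContractAddress, pin.ContractAddress) { // hex casing may differ
		return errors.New("kms contract address does not match pin")
	}
	return nil
}

func main() {
	chain, addr := 1337, "0x00000000000000000000000000000000000000AA" // constructed sample values
	info := KMSInfo{ID: "kms-example", URL: "https://kms.example.invalid", ChainID: &chain, KMSContractAddress: &addr}
	pin := KMSPin{ID: "kms-example", ChainID: 1337, ContractAddress: strings.ToLower(addr)}
	fmt.Println("verify:", VerifyKMS(info, pin))
}
```

Run the check on the `KMSInfo` you get back before calling `GetAppEnvEncryptPubKey`, and abort the deployment if it returns an error.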
GetKMSOnChainDetail
GET /kms/on-chain/{chain}
Returns on-chain details for a KMS on a specific blockchain, including contract addresses, registered devices, and OS images.
```go
func (c *Client) GetKMSOnChainDetail(ctx context.Context, chain string) (*KMSOnChainDetail, error)
```
Parameters:
| Field | Type | Required | Description |
|---|---|---|---|
| chain | string | Yes | Chain name (e.g., "base") |
Returns: *KMSOnChainDetail containing:
| Field | Type | Description |
|---|---|---|
| ChainName | string | Blockchain name |
| ChainID | int | Blockchain chain ID |
| Contracts | []OnChainKMSContract | List of KMS contracts with devices and OS images |
```go
detail, err := client.GetKMSOnChainDetail(ctx, "base")
if err != nil {
	log.Fatal(err)
}
fmt.Printf("Chain: %s (ID: %d), Contracts: %d\n", detail.ChainName, detail.ChainID, len(detail.Contracts))
```
NextAppIDs
GET /kms/phala/next_app_id
Returns the next available app IDs for provisioning. Useful when you need to reserve an app ID before deployment.
```go
func (c *Client) NextAppIDs(ctx context.Context) (*NextAppIDsResponse, error)
```
Returns: *NextAppIDsResponse (generic map)
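```go
nextIDs, err := client.NextAppIDs(ctx)
if err != nil {
	log.Fatal(err)
}
// The response is a generic map; print it to inspect the returned IDs.
fmt.Printf("Next app IDs: %v\n", nextIDs)
```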