Run a Notary Server

This guide shows you how to run a notary server in an Ubuntu server instance.

Configure Server Setting

All the following settings can be configured in the config file.

  1. Before running a notary server you need the following files. The default dummy fixtures are for testing only and should never be used in production.

    FilePurposeFile TypeCompulsory to changeSample Command
    TLS private keyThe private key used for the notary server's TLS certificate to establish TLS connections with proversTLS private key in PEM formatYes unless TLS is turned off<Generated when creating CSR for your Certificate Authority, e.g. using Certbot>
    TLS certificateThe notary server's TLS certificate to establish TLS connections with proversTLS certificate in PEM formatYes unless TLS is turned off<Obtained from your Certificate Authority, e.g. Let's Encrypt>
    Notary signature private keyThe private key used for the notary server's signature on the generated transcript of the TLS sessions with proversA P256 elliptic curve private key in PKCS#8 PEM formatYesopenssl genpkey -algorithm EC -out eckey.pem -pkeyopt ec_paramgen_curve:P-256 -pkeyopt ec_param_enc:named_curve
    Notary signature public keyThe public key used for the notary server's signature on the generated transcript of the TLS sessions with proversA matching public key in PEM formatYesopenssl ec -in eckey.pem -pubout -out eckey.pub

  2. Expose the notary server port (specified in the config file) on your server networking setting

  3. Optionally one can turn on authorization, or turn off TLS if TLS is handled by an external setup, e.g. reverse proxy, cloud setup

Using Cargo

  1. Install required system dependencies
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install libclang-dev pkg-config build-essential libssl-dev
  1. Install rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source ~/.cargo/env
  1. Download notary server source code
 mkdir ~/src; cd ~/src
 git clone https://github.com/tlsnotary/tlsn.git
  1. Switch to your desired released version, or stay in the dev branch to use the latest code (⚠️ only prover of the same version is supported for now)
git checkout tags/<version>
  1. To configure the server setting, please refer to the Using Cargo section in the repo's readme
  2. Run the server
cd tlsn/notary-server
cargo run --release

Using Docker

  1. Install docker following your preferred method here
  2. To configure the server setting, please refer to the Using Docker section in the repo's readme
  3. Run the notary server docker image of your desired version (⚠️ only prover of the same version is supported for now)
docker run --init -p 127.0.0.1:7047:7047 ghcr.io/tlsnotary/tlsn/notary-server:<version>

API Endpoints

Please refer to the list of all HTTP APIs here, and WebSocket APIs here.

PSE Development Notary Server

⚠️ WARNING: notary.pse.dev is hosted for development purposes only. You are welcome to use it for exploration and development; however, please refrain from building your business on it. Use it at your own risk.

The TLSNotary team hosts a public notary server for development, experimentation, and demonstration purposes. The server is currently open to everyone, provided that it is used fairly.

We host multiple versions of the notary server:

VersionNotary URLInfo/StatusGitHubNote
v0.1.0-alpha.5https://notary.pse.dev/v0.1.0-alpha.5info/healthv0.1.0-alpha.5Release notes
(deprecated)https://notary.pse.devinfo/healthv0.1.0-alpha.4This url will be removed when alpha.6 is released
v0.1.0-alpha.4https://notary.pse.dev/v0.1.0-alpha.4info/healthv0.1.0-alpha.4Release notes
v0.1.0-alpha.3https://notary.pse.dev/v0.1.0-alpha.3info/healthv0.1.0-alpha.3Release notes
nightlyhttps://notary.pse.dev/nightlyinfo/healthdev

For more details on the deployment, refer to this GitHub Action.

To check the status of the notary server, visit the healthcheck endpoint at: https://notary.pse.dev/<version>/healthcheck

WebSocket Proxy Server

Because web browsers don't have the ability to make TCP connections directly, TLSNotary requires a WebSocket proxy to set up TCP connections when it is used in a browser. To facilitate the exploration of TLSNotary and to run the examples easily, the TLSNotary team hosts a public WebSocket proxy server. This server can be used to access the following whitelisted domains:

api.twitter.com:443
twitter.com:443
gateway.reddit.com:443
reddit.com:443
swapi.dev:443

You can utilize this WebSocket proxy with the following syntax:

wss://notary.pse.dev/proxy?token=<domain>

Replace <domain> with the domain you wish to access (for example, swapi.dev).