Run a Notary Server

This guide shows you how to run a notary server in an Ubuntu server instance.

Configure Server Setting

All the following settings can be configured in the config file.

  1. Before running a notary server you need the following files. ⚠️ The default dummy fixtures are for testing only and should never be used in production.

    FilePurposeFile TypeCompulsory to changeSample Command
    TLS private keyThe private key used for the notary server's TLS certificate to establish TLS connections with proversTLS private key in PEM formatYes unless TLS is turned off<Generated when creating CSR for your Certificate Authority, e.g. using Certbot>
    TLS certificateThe notary server's TLS certificate to establish TLS connections with proversTLS certificate in PEM formatYes unless TLS is turned off<Obtained from your Certificate Authority, e.g. Let's Encrypt>
    Notary signature private keyThe private key used for the notary server's signature on the generated transcript of the TLS sessions with proversA K256 elliptic curve private key in PKCS#8 PEM formatYesopenssl genpkey -algorithm EC -out eckey.pem -pkeyopt ec_paramgen_curve:secp256k1 -pkeyopt ec_param_enc:named_curve
    Notary signature public keyThe public key used for the notary server's signature on the generated transcript of the TLS sessions with proversA matching public key in PEM formatYesopenssl ec -in eckey.pem -conv_form compressed -pubout -out eckey.pub

  2. Expose the notary server port (specified in the config file) on your server networking setting

  3. Optionally one can turn on authorization, or turn off TLS if TLS is handled by an external setup, e.g. reverse proxy, cloud setup

Using Cargo

  1. Install required system dependencies
sudo apt-get update && sudo apt-get upgrade
sudo apt-get install libclang-dev pkg-config build-essential libssl-dev
  1. Install rust
curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh
source ~/.cargo/env
  1. Download notary server source code
 mkdir ~/src; cd ~/src
 git clone https://github.com/tlsnotary/tlsn.git
  1. Switch to your desired released version, or stay in the main branch to use the latest version (⚠️ only prover of the same version is supported for now)
git checkout tags/<version>
  1. To configure the server setting, please refer to the Using Cargo section in the repo's readme
  2. Run the server
cd crates/notary/server
cargo run --release

Using Docker

  1. Install docker following your preferred method here
  2. To configure the server setting, please refer to the Using Docker section in the repo's readme
  3. Run the notary server docker image of your desired version (⚠️ only prover of the same version is supported for now)
docker run --init -p 127.0.0.1:7047:7047 ghcr.io/tlsnotary/tlsn/notary-server:<version>

API Endpoints

Please refer to the list of all HTTP APIs here, and WebSocket APIs here.

PSE Development Notary Server

⚠️ WARNING: notary.pse.dev is hosted for development purposes only. You are welcome to use it for exploration and development; however, please refrain from building your business on it. Use it at your own risk.

The TLSNotary team hosts a public notary server for development, experimentation, and demonstration purposes. The server is currently open to everyone, provided that it is used fairly.

We host multiple versions of the notary server:

VersionNotary URLInfo/StatusGitHubNote
v0.1.0-alpha.7https://notary.pse.dev/v0.1.0-alpha.7info/healthv0.1.0-alpha.7Release notes
v0.1.0-alpha.6https://notary.pse.dev/v0.1.0-alpha.6info/healthv0.1.0-alpha.6Release notes
v0.1.0-alpha.5https://notary.pse.dev/v0.1.0-alpha.5info/healthv0.1.0-alpha.5Release notes
nightlyhttps://notary.pse.dev/nightlyinfo/healthdev

For more details on the deployment, refer to this GitHub Action.

To check the status of the notary server, visit the healthcheck endpoint at: https://notary.pse.dev/<version>/healthcheck

WebSocket Proxy Server

Because web browsers don't have the ability to make TCP connections directly, TLSNotary requires a WebSocket proxy to set up TCP connections when it is used in a browser. To facilitate the exploration of TLSNotary and to run the examples easily, the TLSNotary team hosts a public WebSocket proxy server. This server can be used to access the following whitelisted domains:

api.twitter.com:443
twitter.com:443
gateway.reddit.com:443
reddit.com:443
swapi.dev:443
api.x.com:443
x.com:443
discord.com:443
connect.garmin.com:443
uber.com:443
riders.uber.com:443
m.uber.com:443
wise.com:443
coinbase.com:443
accounts.coinbase.com:443
www.agoda.com:443

You can utilize this WebSocket proxy with the following syntax:

wss://notary.pse.dev/proxy?token=<domain>

Replace <domain> with the domain you wish to access (for example, swapi.dev).

Running Notary Server on Windows Subsystem for Linux (WSL)

When running the Notary Server and WebSocket Proxy on Windows Subsystem for Linux (WSL), you may encounter networking issues. In older versions of Windows (prior to Windows 11 22H2), WSL uses a virtual Ethernet adapter with its own IP address, which requires additional firewall configuration.

For Windows Versions Prior to 11 22H2:

  1. Identify the WSL IP Address:
    Run the following command inside the WSL terminal:

    wsl hostname -I

  2. Configure Port Forwarding on the Windows Host:
    To forward traffic from the Windows host to the Notary Server inside WSL, set up port forwarding. Run the following PowerShell command on your Windows host, replacing connectaddress with the WSL IP address you retrieved in the previous step:

    netsh interface portproxy add v4tov4 listenport=7047 listenaddress=0.0.0.0 connectport=7047 connectaddress=192.168.101.100

For Windows 11 22H2 and Later:

In newer versions of Windows (Windows 11 22H2 and above), networking has been simplified with the introduction of mirrored mode. This mode allows WSL instances to share the host’s network interface, eliminating the need for manual port forwarding configurations. You can enable mirrored mode as recommended by Microsoft here.