Web3Signer Compatible
Drop-in replacement — point your validator client at Containment Chamber and it just works. All 10 Eth2 signing operations, compatible with Lighthouse, Teku, Prysm, Lodestar, and Nimbus. Same API, no client modifications.
Containment Chamber
Drop-in replacement for Web3Signer. Same API, same validator clients — with multi-tenant auth and slashing protection built in.
Features
Section titled “Features”Signing Authorization
Run one signer for multiple validator clients. Each client gets a unique token with per-key and per-operation restrictions. Isolate tenants without client-side changes — just embed the token in the signer URL.
EIP-3076 Slashing Protection
PostgreSQL or DynamoDB for production, with a pluggable backend architecture. Both prevent double-signing — PostgreSQL stores full history with surround detection, DynamoDB uses Hybrid mode (watermarks + signing root records).
Key Manager API
Hot-load and remove EIP-2335 keystores at runtime via /eth/v1/keystores.
Observability
Prometheus metrics on port 3000, OpenTelemetry OTLP tracing, structured logging with request IDs.
Static Binary
Single ~3.5MB binary with zero runtime dependencies. Minimal attack surface — runs on a scratch Docker image with nothing else inside.
Quick Links
Section titled “Quick Links”Configuration Reference
Complete reference for all configuration options, environment variables, and CLI flags. View Reference →
Deployment Guides
Deploy on Kubernetes, Docker, or bare metal with production-ready examples. View Guides →
API Reference
HTTP endpoints, signing operations, request/response schemas, and error codes. View API →
Signing Authorization
Configure per-key, per-operation access control for multi-tenant deployments. Isolate validator clients with unique tokens. View Guide →