Getting Started
Set up a new Stratos Vault instance using stratos-init.
Prerequisites
- Node.js 18+ installed
- Wrangler CLI installed and authenticated (npm i -g wrangler && wrangler login)
- Cloudflare account with Pages and D1 access
- Canton participant reachable (directly or via tunnel)
Installation with stratos-init
The stratos-init toolkit provisions a fully isolated Stratos Vault instance in a single interactive session.
Run the Wizard
cd stratos-init
./scripts/init-instance.sh
The wizard prompts for:
| Prompt | Example | Description |
|---|---|---|
| Cloudflare account | Select from list | Which Cloudflare account to deploy to |
| Instance name | prod, client-acme | Used for folder and database naming |
| Target directory | ../wallet-prod | Where the instance files will live |
| Organization name | Acme Corp | Displayed in the wallet UI |
| Theme | purple, teal, blue | UI color theme |
| RP ID | wallet.acme.com | Your domain (required for WebAuthn) |
| RP Name | Acme Wallet | Display name for passkey prompts |
| Splice Host | p2.cantondefi.com | Canton Splice validator |
| Canton JSON Host | p2-json.cantondefi.com | Canton JSON API endpoint |
| Canton Auth Secret | (hidden) | JWT signing secret |
| Superadmin username | admin | Initial superadmin login |
| Superadmin password | (hidden) | Initial superadmin password |
What It Creates
The script performs 7 automated steps:
[1/7] Copying project files to ../wallet-prod/
[2/7] Creating D1 database 'wallet-prod'...
[3/7] Generating wrangler.toml...
[4/7] Applying database schema...
[5/7] Creating superadmin user...
[6/7] Seeding default assets and RPC endpoints...
[7/7] Installing npm dependencies...
After completion, you have a ready-to-deploy instance:
wallet-prod/
├── wrangler.toml # Instance configuration
├── schema.sql # Database schema
├── src/ # Frontend source
├── functions/ # API endpoints
├── scripts/ # Utility scripts
└── package.json
The wizard then offers to build and deploy immediately.
Deploy an Existing Instance
cd wallet-prod
./scripts/deploy.sh
This builds (npm run build) and deploys to Cloudflare Pages.
Canton Connectivity
If your Canton participant is on a private network, expose it via Cloudflare Tunnel:
./SETUP_TUNNEL.sh
| Option | Use Case |
|---|---|
| Quick Tunnel | Temporary URL for testing — starts immediately |
| Named Tunnel | Persistent production tunnel with custom domain |
For named tunnels, the script:
- Authenticates with Cloudflare
- Creates a tunnel (canton-tunnel)
- Configures ingress rules for port 2903
- Routes DNS to your domain
After setup, update SPLICE_HOST in wrangler.toml to the tunnel domain.
First Login
Navigate to your instance URL and access the superadmin panel:
https://wallet.acme.com → Superadmin login
Use the credentials you set during init-instance.sh. If using defaults, log in with superadmin / admin123! and change the password immediately.
Multiple Instances
Run separate instances for different environments or clients:
# Production
./scripts/init-instance.sh # Enter: prod
# Staging
./scripts/init-instance.sh # Enter: staging
# Result:
# ../wallet-prod/
# ../wallet-staging/
Each instance has its own D1 database, configuration, domain, and Cloudflare Pages project — fully isolated.
Updating an Instance
To deploy code updates:
cd wallet-prod
git pull origin main # Get latest code
npm install # Update dependencies
npm run build # Build
wrangler pages deploy dist # Deploy
Schema migrations (when new tables are added):
wrangler d1 execute wallet-prod --remote --file=schema.sql
Security Checklist
After initial setup:
- [ ] Change default superadmin password
- [ ] Limit is_superadmin privilege to essential staff only
- [ ] Configure production RPC endpoints (replace defaults)
- [ ] Set RP_ID to your production domain
- [ ] Store API keys (cwp_*) securely — they cannot be retrieved
- [ ] Set appropriate rate limits on API endpoints
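A preflight check for two settings this page calls out, added here as an example and not part of stratos-init: it verifies that RP_ID covers the instance's hostname under the WebAuthn rule, and flags a SPLICE_HOST that still points at a Quick Tunnel. It assumes both values are KEY = "value" entries in wrangler.toml; the function names and the sample file are hypothetical.

```javascript
// Added example. Assumes RP_ID and SPLICE_HOST are KEY = "value" lines in wrangler.toml.
// Collect flat string entries (KEY = "value") from TOML text.
function readVars(tomlText) {
  const vars = {};
  for (const line of tomlText.split(/\r?\n/)) {
    const m = line.match(/^\s*([A-Za-z_]\w*)\s*=\s*"([^"]*)"/);
    if (m) vars[m[1]] = m[2];
  }
  return vars;
}

// WebAuthn rule: the RP ID must equal the page's host or be a parent domain of it.
// Browsers also reject public suffixes ("com"); that list is not modelled here.
function checkRpId(rpId, instanceUrl) {
  const url = new URL(instanceUrl);
  const host = url.hostname.toLowerCase();
  const id = (rpId || "").toLowerCase();
  const out = [];
  if (url.protocol !== "https:") out.push("instance URL is not https");
  if (!id) out.push("RP_ID is not set");
  else if (/[:\/]/.test(id)) out.push("RP_ID must be a bare domain, without scheme, port or path");
  else if (host !== id && !host.endsWith("." + id))
    out.push(`RP_ID "${id}" does not cover host "${host}"`);
  return out;
}

// Quick Tunnels hand out temporary *.trycloudflare.com hostnames.
function checkSpliceHost(spliceHost) {
  if (!spliceHost) return ["SPLICE_HOST is not set"];
  const host = spliceHost.replace(/^[a-z]+:\/\//i, "").split(/[\/:]/)[0].toLowerCase();
  return host.endsWith(".trycloudflare.com")
    ? [`SPLICE_HOST "${host}" is a Quick Tunnel (temporary URL)`]
    : [];
}

function preflight(tomlText, instanceUrl) {
  const vars = readVars(tomlText);
  return [...checkRpId(vars.RP_ID, instanceUrl), ...checkSpliceHost(vars.SPLICE_HOST)];
}

// Constructed sample input, not a real generated wrangler.toml.
const SAMPLE_TOML = `
name = "wallet-prod"
[vars]
RP_ID = "wallet.acme.com"
SPLICE_HOST = "example-words.trycloudflare.com"
`;
console.log(preflight(SAMPLE_TOML, "https://wallet.acme.com"));
```

An empty array from preflight means neither setting was flagged; run it with the URL users will actually open, since passkeys registered under one RP ID do not work under another.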
Next Steps
- Administration — Admin panel walkthrough
- Deployment Model — Architecture and scaling
- Security — Security architecture deep-dive
