EOSJS Major Update V20.0.0 Beta: Entrusting key management to signature providers for a more secure future of javascript development for EOSIO eosio Follow Oct 4, 2018 · 4 min read

Since release of the EOSIO software platform in June, EOSJS has been the most well-received community-driven library for connecting your frontend application with an EOSIO blockchain. With more than 65,000 downloads of the npm package and widespread utilization across many great EOSIO-based projects, it’s fair to say the first iterations of EOSJS have been a success. This was due to the hard work of many well-known members of the community, like James Calfee, whom we are excited to have worked closely with through the initial release of EOSIO.

Over the past few months we’ve studied usage of EOSJS in many community applications as well as our own projects in development at Block.one. The primary conclusion we’ve come to is that to create great user experiences and maintain the highest levels of security, blockchain applications should almost never need to access a user’s private keys. Instead, applications should propose transactions to secure signature providers like wallets or application browsers that are able to focus their efforts on storing keys in the most secure ways possible and provide a consistent user experience when signing transactions.

Introducing Signature Providers

Today we are happy to announce a major update, EOSJS v20.0.0, with built-in support for interchangeable signature providers. This shift is great for application developers because it removes the burden of handling secure key management from their scope and improves interoperability because applications can be built on the new EOSJS API and work with any EOSJS signature provider. Most importantly, it is a major security improvement that limits exposure of a user’s keys across many applications to a single trusted signature provider that they can choose for themselves. This mitigates potential risks that can arise from malicious code or user error when using blockchain applications.

We are releasing EOSJS v20.0.0 as a beta release to make sure it’s tested by the community well enough to be promoted to a stable release.

By aligning as a community around recommended ways to manage keys across all types of applications, we can begin to propose standards for application development that will enhance the usability and security of products built on EOSIO. In the future, this could even allow for trusted signature providers to create whitelists of actions and more user-friendly control akin to a permissions system or privacy settings in a non-blockchain application.

Additional Changes in EOSJS V20.0.0-beta.1

In addition to the foundational change in the way keys are managed going forward, we’ve proposed some additional changes to simplify and improve usability for developers, including:

Strict Typing using Typescript

Improved Error Handling

Fewer Dependencies

Simplified API

What does this mean for EOSIO users?

Once adopted, popular wallets and app browsers will be able to act as signature providers for blockchain applications.

Choose and become familiar with your preferred signature provider that can be used across many blockchain applications.

Start becoming familiar with the concept of signing actions outside of the application you’re using and urge application developers to support your provider of choice.

What does this mean for EOSIO developers?

Once adopted, signature providers will lighten the burden of handling secure key management in your application

Easily integrate interoperably with any EOSJS signature provider

Upgrade to the latest version of EOSJS V20.0.0-beta.1. This is a breaking change, but the upgrade process is very simple. Make sure that if you choose not to update you have version locking in your package.json locked down to v16.0.8 like this: “eosjs”: “16.0.8”

Encourage wallets and application browsers to implement the EOSJS signature provider interface to be compatible with your application.

Updated documentation is viewable here.

We are excited for the future of a more secure and connected world on the EOSIO blockchain. Going forward we plan to formalize the release schedule and goals for the EOSJS library. In addition to EOSJS V20.0.0-beta.1 release notes and documentation we will provide easy-to-digest summaries of the features and benefits of each future major release of EOSJS, as we do for each EOSIO version.