Accounts that require two or more keys to sign a transaction (requiring a certain permission), commonly referred to as multisignature accounts, are generally used to store funds securely and are without a doubt a very exciting EOSIO feature. But how do multisignature accounts work, how do you sign transactions with different keys and how can you set up a multisignature account yourself? We will explain all aspects of multisignature accounts on WAX in this article.

Permissions structure in a default WAX account

Before we start explaining advanced permissions structures, it is important to understand the permissions structure of a default WAX account first. We will explain this below.

Every user has one or more accounts on the WAX blockchain. WAX accounts are human-readable identifiers that are stored on the blockchain and they are required to push any (valid) transaction to the WAX blockchain.

Every WAX account has permissions. Permissions can be seen as requirements which need to be fulfilled in order for a transaction to go through. Each permission has certain actions associated with it. A default WAX account has 2 native permissions:

Owner: shows ownership of the account and is needed to make any changes to the ownership the account. The private key for this permission is best kept (safely) offline, as it is not needed to do most things on the WAX network.

Active: used for transferring funds, voting for producers and making other high-level account changes.

Besides these 2 native permissions you can create new, custom, permissions that fit your needs.

Each permission has one key associated with it. Each key associated with a permission has a certain weight, and each permission has a certain weight threshold which needs to be met before a transaction requiring that permission is accepted.

Visualization of a default permissions structure. (Source: EOSIO Developer Portal)

To help you understand all of this information we have included the above image, which visualizes the permissions structure of a default WAX account. As you can see, the owner permission has a default threshold of 1, and 1 key with a weight of 1 associated with it. The same goes for the active permission which has a default threshold of 1, and 1 key with a weight of 1 associated with it. This means that only the (private) key associated with the owner or active permission is required to perform any transaction requiring the owner or active permission, respectively.

The (private) key associated with the owner permission is often referred to as the owner key, whereas the (private) key associated with the active permission is often referred to as the active key.

Each permission also has a parent permission. The parent permission is able to change the keys of its child permissions. In a default WAX account the owner permission is the parent permission of the active permission. This means that any key(s) associated with the owner permission can change the key(s) associated with the active permission, but not the other way around. The key(s) associated with the owner permission can also change the keys associated with the owner permission.

How multisignature WAX accounts work

Now you are familiar with (the permissions structure of) default WAX accounts, it’s time to learn about multisignature WAX accounts. Multisignature WAX accounts function similar to default WAX accounts, the main difference between the two is the permissions structure. In a default WAX account all permissions have a threshold of 1 and only have 1 key with a weight of 1 associated with it, whereas the permissions in a multisignature WAX account have a threshold of 2 or higher and have multiple keys or account permissions with (possibly) varying weights associated with them. This also means that multiple keys or account permissions will have to sign any transaction from the multisignature WAX account.

Visualization of a multisignature permissions structure. (Adapted from: EOSIO Developer Portal)

An example of a possible permissions structure in a multisignature WAX account can be seen in the image above. Just like the default account described earlier, this account has both the owner and active permission.

However, the owner permission in this multisignature account has a threshold of 3 and has 3 keys associated with it: The active key from John’s account, which has a weight of 2, the active key from Bob’s account, which has a weight of 1 and the active key from Stacy’s account, which also has a weight of 1. This means that to execute any transaction requiring the owner permission, both John’s active key and either Bob’s or Stacy’s active key would have to sign the transaction before it can be executed.

The active permission in this multisignature account has a threshold of 2 and has 3 keys associated with it. The active key from John’s account, which has a weight of 1, the active key from Bob’s account, which has a weight of 1 and the active key from Stacy’s account, which also has a weight of 1. This means that to execute any transaction requiring the active permission (any combination) of 2 of the active keys would have to sign the transaction before can be executed.

Creating a multisignature WAX account

Now you are familiar with how multisignature accounts, it’s time to learn how to create a multisignature account yourself. Before you are able to create a multisignature account, you need to have/create a default WAX account first, which you will then turn into a multisignature account. If you do not have an account yet, you can follow our guide on how to create one here.

Once you have an account, you can continue by importing your account into Scatter. If you don’t have the keys of your account in Scatter yet, you can follow the official instructions here.

Keep in mind that changing the permissions structure of your account might render your account inaccessible and unrecoverable, proceed with caution.

In this example we will create an account which can be shared with a friend. It will have the following permissions structure:

Permissions structure of our example account. (Adapted from: EOSIO Developer Portal)

In this example the owner permission has a threshold of 2 and has 2 account permissions with a weight of 1 associated with it. The key associated with the owner permission of your own account and the key associated with the owner permission of your friend’s account. This means that in order to perform any transaction requiring the owner permission both you and your friend would have to sign the transaction with their owner key before it can be executed.

The active permission also has a threshold of 2 and has 2 keys with a weight of 1 associated with it. The key associated with the active permission of your own account and the key associated with the active permission of your friend’s account. This means that in order to perform any transaction requiring the active permission both you and your friend would have to sign the transaction with their active key before it can be executed.

Let’s start updating the permissions structure to turn this account into a multisignature account. We will be using Bloks for this tutorial.

Connecting the right permission to Bloks

Go to the top right of the page and click login (make sure Scatter is open and unlocked), then select ‘Scatter’. After doing so, Scatter will open a menu where you are able to choose which permission on which account you would like to connect. Choose the owner permission of the account and click ‘Allow’, as can be seen in the image on the left.

After you have connected the right permission of your account, navigate to ‘Wallet’, then ‘Keys and Permissions’, then click ‘Advanced’.