SDK installation
The AMP2 issuer SDK uses private npm packages for JavaScript and TypeScript. The page explains package access, installation, import patterns, and environment variables.
The AMP2 issuer SDK is distributed as a set of private npm packages (JavaScript/TypeScript). Additional language bindings (Python, Go, and others) are on the roadmap. The packages provide typed request schemas, COSE message handling, key generation utilities, and the Blockstream broadcaster class.
Packages
| Package | Purpose |
|---|---|
@blockstream/cryptic | Blockstream class (COSE encryption/signing), generateUserKeyPairs helper |
@blockstream/ecs-registry | ECS resource action maps (e.g. AuthActions), auth endpoint schemas |
@blockstream/amp-registry | AMP specific Zod request/response schemas (e.g. AmpIssueRequestSchema) |
Access process
- Contact Blockstream to request issuer onboarding.
- Receive npm registry credentials (scoped token or auth token for the private registry).
- Configure your package manager with the registry URL and authentication.
Configure npm authentication
Add the Blockstream registry to your .npmrc:
@blockstream:registry=https://enterprise.blockstream.com/integrations/npm
//enterprise.blockstream.com/integrations/npm/:_authToken=${NPM_TOKEN}For CI/CD environments, set the NPM_TOKEN environment variable in your pipeline secrets.
Install
npm install @blockstream/cryptic @blockstream/ecs-registry @blockstream/amp-registryVerify installation:
node -e "require('@blockstream/cryptic'); console.log('SDK loaded')"Import patterns
The SDK is split across three packages. Import from each based on what you need:
// Broadcaster class and key generation (from @blockstream/cryptic)
import { Blockstream } from '@blockstream/cryptic';
import { generateUserKeyPairs } from '@blockstream/cryptic/utils';
// AMP-specific request/response schemas (from @blockstream/amp-registry)
import {
AmpActions,
AmpIssueRequestSchema,
AmpSendAssetRequestSchema,
AmpSignPsetRequestSchema,
AmpBroadcastRequestSchema,
AmpReissueAssetRequestSchema,
AmpBurnAssetRequestSchema,
AmpLockAssetRequestSchema,
AmpUnlockAssetRequestSchema,
EditAssetWalletRestrictionRequestSchema,
AmpWalletRequestSchema,
} from '@blockstream/amp-registry';
// ECS resource action maps for non-AMP endpoints like auth (from @blockstream/ecs-registry)
import { AuthActions } from '@blockstream/ecs-registry';The broadcastRequest helper
To broadcast your requests you can use Broadcaster from '@blockstream/cryptic/broadcaster' package, see the Making Requests guide for a full implementation example.
Alternatively you can use your own broadcastRequest. You implement it in your project to handle the COSE encrypt-send-decrypt lifecycle:
import { Blockstream } from '@blockstream/cryptic';
async function broadcastRequest<T>(
payload: object,
blockstream: Blockstream,
): Promise<T> {
const encrypted = await blockstream.request(payload);
const res = await fetch(`${ECS_BASE_URL}/request`, {
method: 'POST',
body: encrypted,
headers: { 'Content-Type': 'application/octet-stream' },
});
const bytes = await res.arrayBuffer();
const result = await blockstream.parse<T>(new Uint8Array(bytes));
return result.payload as T;
}TypeScript support
All packages ship with TypeScript types. Use the schema generics with broadcastRequest for type safe request/response handling:
import { AmpActions } from '@blockstream/amp-registry';
const xpubResponse = await broadcastRequest<
typeof AmpActions.xpub
>(
{
action: 'get',
resource: '/amp/xpub',
details: {},
},
broadcaster,
);Each entry in AmpActions is a { request, response } pair of Zod schemas. Passing typeof AmpActions.<key> as the generic argument to broadcastRequest gives you a fully typed response based on the registry definition. For endpoints that don't have a dedicated AmpActions entry (for example /auth/token), provide the response shape inline.
Environment variables
Set up your runtime with these configuration values:
| Variable | Description |
|---|---|
AMP2_API_URL | AMP2 server URL (e.g., https://amp.enterprise.blockstream.com/) |
AMP2_DEVICE_UUID | Device UUID from invite data |
AMP2_RSA_PRIVATE_KEY | Path to or contents of your RSA private key PEM |
AMP2_ECDSA_PRIVATE_KEY | Path to or contents of your ECDSA private key |
AMP2_SERVER_RSA_PUBKEY | Server RSA public key PEM |
AMP2_SERVER_ECDSA_PUBKEY | Server ECDSA compressed hex public key |
Next steps
- Authentication: activate your account using invite data
- Key Management: generate RSA and ECDSA keys
Issuer guide overview
The guide provides the implementation track for issuer teams that integrate the private AMP2 SDK. The page covers account activation through ongoing asset monitoring.
Authentication
AMP2 authentication uses a two-phase process: one-time device authorization with invite data, followed by durable broadcaster creation for subsequent API calls.