Onboard
Send hands you a one-shot onboarding secret. One CLI command turns it into an authenticated wallet identity with a Canton party on mainnet.
Interactive
```bash
cws profile onboard work
```
The wizard walks you through, in order:
- Network — mainnet or testnet.
- Onboarding secret — the single-use secret Send gave you.
- Signing key — generate a new P-256 keypair (default; secp256k1 also supported), import a PEM/DER file, or paste hex/base64.
- Keystore password — encrypts the keystore with Argon2id + AES-256-GCM. You will be asked again whenever a command needs to sign.
When the wizard exits, the CLI has redeemed the secret, generated or imported a signing key, submitted the topology transactions, and waited until the Canton party is party_active. Your profile is stored under $WALLET_CONFIG (default ~/.config/wallet-cli).
Scripted
For CI and headless agents, supply each prompt as an environment variable and pass --yes to skip every confirmation:
```bash
export WALLET_NETWORK=mainnet
export WALLET_ONBOARDING_SECRET="$WALLET_ONBOARDING_SECRET"
export WALLET_PASSWORD="$WALLET_PASSWORD"
cws profile onboard work --yes
```
Argv vs env. Prefer environment variables — ps(1) leaks argv to other users on multi-user hosts. --password <value> works but prints a warning. Even env is visible to other processes the same user owns; in CI, load secrets from your secret manager of choice directly into the runner.
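
One way to apply the argv-vs-env advice in a CI job, as an added example that is not part of the cws project: the secrets are read from files and handed to `cws` only through that one child's environment, never exported job-wide or placed on a command line. It assumes the secret manager mounts the values as files; the file names, `CWS_BIN` and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not cws project code. Assumed (hypothetical) names: the secret
# file layout <dir>/onboarding_secret and <dir>/keystore_password, CWS_BIN,
# and every function below. Secret values never appear on any command line.

# Fail if any argument would put the keystore password on argv, where ps(1) shows it.
argv_is_safe() {
    for arg in "$@"; do
        case "$arg" in
            --password|--password=*) return 1 ;;  # "=" spelling is a defensive guess
        esac
    done
    return 0
}

# Print the first line of a secret file; refuse files group or other can read.
read_secret_file() {
    [ -f "$1" ] || { echo "missing secret file: $1" >&2; return 1; }
    # -L checks the target's mode when the mount uses symlinks.
    if [ -n "$(find -L "$1" \( -perm -040 -o -perm -004 \))" ]; then
        echo "secret file is group/world readable: $1" >&2
        return 1
    fi
    IFS= read -r line < "$1" || [ -n "$line" ] || return 1
    [ -n "$line" ] || { echo "empty secret file: $1" >&2; return 1; }
    printf '%s' "$line"   # printf is a shell builtin, so no argv exposure
}

# usage: onboard_from_secret_files <mainnet|testnet> <secret-dir> <profile> [extra cws args]
# The body is a subshell: the secrets exist only there and in the cws child's env.
onboard_from_secret_files() (
    [ "$#" -ge 3 ] || { echo "usage: network secret-dir profile [args]" >&2; exit 2; }
    network=$1; secret_dir=$2; profile=$3
    shift 3
    case "$network" in
        mainnet|testnet) ;;
        *) echo "network must be mainnet or testnet" >&2; exit 2 ;;
    esac
    argv_is_safe "$@" || { echo "refusing --password on argv" >&2; exit 2; }
    secret=$(read_secret_file "$secret_dir/onboarding_secret") || exit 3
    password=$(read_secret_file "$secret_dir/keystore_password") || exit 3
    WALLET_NETWORK=$network WALLET_ONBOARDING_SECRET=$secret WALLET_PASSWORD=$password \
        "${CWS_BIN:-cws}" profile onboard "$profile" --yes "$@"
)
```

Because the variables are set as a prefix on the `cws` invocation inside a subshell, later steps in the same job do not inherit them.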