The GDS is a collection of three APIs and several background services backed by a global TrtlDB data store. A single GDS node implements the TRISA Directory gRPC API, the secure TRISA Members gRPC API, and the Admin REST API that powers the Admin UI. It also runs the CertMan process that issues and collects certificates from Sectigo. Its environment variables are all prefixed with the GDS_ tag. The primary configuration is as follows:

GDS_DIRECTORY_IDstringvaspdirectory.netThe network ID the GDS serves, either or (or .dev).
GDS_SECRET_KEYstringA base64 encoded random 32 byte array that is used for salts and random seeds - required.
GDS_MAINTENANCEboolfalseSets the server to maintenance mode, which will respond to requests with Unavailable except for status requests.
GDS_LOG_LEVELstringinfoThe verbosity of logging, one of trace, debug, info, warn, error, fatal, or panic.
GDS_CONSOLE_LOGboolfalseIf true will print human readable logs instead of JSON logs for machine consumption.


The primary GDS API (the gRPC TRISA Directory service) is configured as follows:

GDS_API_ENABLEDbooltrueIf false, disables the TRISA Directory service.
GDS_BIND_ADDRstring:4433The IP address and port to bind the GDS gRPC server to.

Note that the enabled flag is only respected if GDS_MAINTENANCE is false, otherwise maintenance mode supersedes service enabled flags.

Admin API

The Admin API (a REST API that powers the Admin UI) is configured as follows:

GDS_ADMIN_ENABLEDbooltrueIf false, disables the Admin API service.
GDS_ADMIN_BIND_ADDRstring:4434The IP address and port to bind the Admin API http server to.
GDS_ADMIN_MODEstringreleaseSets the Gin mode, one of debug, release, or test.
GDS_ADMIN_ALLOW_ORIGINS[]stringhttp://localhost,http://localhost:3000A list of allowed origins for the CORS middleware to accept.
GDS_ADMIN_COOKIE_DOMAINstringThe domain to set secure cookies for (particularly for CSRF and authentication).
GDS_ADMIN_AUDIENCEstringThe audience to set and verify in JWT tokens issued by the Admin API.
GDS_ADMIN_OAUTH_GOOGLE_AUDIENCEstringThe audience from the Google OAuth config to verify Google login tokens.
GDS_ADMIN_OAUTH_AUTHORIZED_EMAIL_DOMAINS[]stringThe list of authorized email domains to allow access to the admin UI (e.g.
GDS_ADMIN_TOKEN_KEYSmap[string]stringA mapping of key id (ksuid/ulid) to the path to an RSA signing key in PEM format for JWT token signing.

Note that the enabled flag is only respected if GDS_MAINTENANCE is false, otherwise maintenance mode supersedes service enabled flags.

Members API

The Members API is a gRPC API that is secured by TRISA, verified by mTLS, and is configured as follows:

GDS_MEMBERS_ENABLEDbooltrueIf false, disables the Members API service.
GDS_MEMBERS_BIND_ADDRstring:4435The IP address and port to bind the Members gRPC server to.
GDS_MEMBERS_INSECUREboolfalseIf set do not enable mTLS authentication.
GDS_MEMBERS_CERTSstringThe path to the mTLS server-side certs for server auth.
GDS_MEMBERS_CERT_POOLstringThe path to the mTLS public cert pools to accept incoming connections.

Note that the enabled flag is only respected if GDS_MAINTENANCE is false, otherwise maintenance mode supersedes service enabled flags. If GDS_MEMBERS_INSECURE is false, then GDS_MEMBERS_CERTS and GDS_MEMBERS_CERT_POOL are required.


The GDS makes use of a globally replicated key-value store for persistence. By default it uses the TrtlDB for this, but for testing or smaller deployments it can use a local LevelDB database instead. The database store is configured as follows:

GDS_DATABASE_URLstringRequired, the DSN to connect to the database on (see below for details).
GDS_DATABASE_REINDEX_ON_BOOTboolfalseWhen the server starts, instead of loading indexes from disk, recreate and save them.
GDS_DATABASE_INSECUREboolfalseIf set do not connect to the TrtlDB with mTLS authentication.
GDS_DATABASE_CERT_PATHstringThe path to the mTLS client-side certs for database auth.
GDS_DATABASE_POOL_PATHstringThe path to the mTLS public cert pools to accept server connections.

The GDS_DATABASE_URL is a standard DSN with a scheme, host, path, and query parameters. In the case of the GDS the scheme can be either trtl:// or leveldb://.

When connecting to a TrtlDB, the host and port need to be specified with a trailing slash, e.g. trtl://localhost:4436/. Connecting via mTLS is only relevant when connecting to a TrtlDB. If GDS_DATABASE_INSECURE is false, then the GDS_DATABASE_CERT_PATH and GDS_DATABASE_POOL_PATH are required.

When connecting to a LevelDB, the path to the directory on disk where the leveldb should be stored must be passed to the DSN. To specify a relative path, use three slashes: leveldb:///relpath/to/db, to specify an absolute path use four: leveldb:////abspath/to/db.

Email and SendGrid

The GDS uses SendGrid to send email notifications and to enable communication workflows with users and admins. Configure GDS to use SendGrid as follows:

GDS_SERVICE_EMAILstringTRISA Directory Service admin@vaspdirectory.netThe email address used as the sender for all emails from the GDS system.
GDS_ADMIN_EMAILstringTRISA Admins admin@trisa.ioThe email address to send admin emails to from the server.
SENDGRID_API_KEYstringAPI Key to authenticate to SendGrid with. The network ID the GDS serves, either or (or .dev).
GDS_VERIFY_CONTACT_URLstring base URL to include in emails for contact verification.
GDS_ADMIN_REVIEW_URLstring base URL to include in emails to link to a new VASP registration.
GDS_EMAIL_TESTINGboolfalseUse email in testing mode rather than send live emails.
GDS_EMAIL_STORAGEstring""Directory to store test emails for “mark one eyeball” review.

SendGrid is considered enabled if the SendGrid API Key is set. The service and admin email addresses are required if SendGrid is enabled.


The CertMan is a background process that runs on the GDS and manages certificate requests, interacts with Sectigo, and finalizes the VASP registration process. It is configured as follows:

GDS_CERTMAN_ENABLEDbooltrueIf false, disables the CertMan background process.
GDS_CERTMAN_REQUEST_INTERVALduration10mThe interval between certificate request processing runs.
GDS_CERTMAN_REISSUANCE_INTERVALduration24hThe interval between certificate reissuance processing runs.
GDS_CERTMAN_STORAGEstringThe path to a directory on disk where CertMan temporarily downloads certificates (otherwise a tmp dir is used). The network ID the GDS serves, either or (or .dev).
SECTIGO_USERNAMEstringThe username to authenticate with the Sectigo API.
SECTIGO_PASSWORDstringThe password to authenticate with the Sectigo API.
SECTIGO_PROFILEstringThe certificate profile to use (see below for details).
SECTIGO_ENDPOINTstringThe endpoint to connect to Sectigo on (leave blank for production).
SECTIGO_TESTINGboolIf Sectigo is in testing mode it will not make actual Sectigo requests.

Note that CertMan also needs valid email (SendGrid) and Google Secrets configurations if it is enabled.

The Sectigo username, password, and profile are required if the Sectigo config is not in testing mode. The profile must be a valid certificate profile, which can be either “CipherTrace EE” for the TestNet or “CipherTrace End Entity Certificate” for the MainNet. These profiles determine what parameters must be sent to Sectigo to make certificate requests, and what is populated on the certificate (including what intermediate authority is used) when it is generated.

Do not set the SECTIGO_ENDPOINT unless you’re in testing, development, or staging mode and are pointing it to a local cathy server.


The Backup manager is only available when the GDS is using the LevelDB database store. It is a background process that clones the database into a zipped folder on disk that can be downloaded for backup purposes.

GDS_BACKUP_ENABLEDboolfalseIf true, enables the backup background process.
GDS_BACKUP_INTERVALduration24hThe interval between database backups.
GDS_BACKUP_STORAGEstringThe path on disk to store database backups (required if enabled).
GDS_BACKUP_KEEPint1The number of backups to keep before cleaning up old backups.

Backups should not be enabled when using the TrtlDB database store! If the backups are enabled then the storage path is required.

Google Secrets

GDS uses Google Secret Manager to store certificates and PKCS12 passwords and other sensitive information to ensure that it is encrypted and secure. Access to Google Secret Manager is configured as follows:

GOOGLE_APPLICATION_CREDENTIALSstringPath to the JSON credentials for the Google Service Account that has access to Google Secret Manager.
GOOGLE_PROJECT_NAMEstringName of the Google Project for API access to Google Secret Manager.
GDS_SECRETS_TESTINGboolfalseIf set to true, uses a local in-memory “secret store” for testing and development.



The GDS uses Sentry to assist with error monitoring and performance tracing. Configure GDS to use Sentry as follows:

GDS_SENTRY_DSNstringThe DSN for the Sentry project. If not set then Sentry is considered disabled.
GDS_SENTRY_SERVER_NAMEstringOptional - a server name to tag Sentry events with.
GDS_SENTRY_ENVIRONMENTstringThe environment to report (e.g. development, staging, production). Required if Sentry is enabled.
GDS_SENTRY_RELEASEstring{{version}}Specify the release version for Sentry tracking. By default this will be the package version.
GDS_SENTRY_TRACK_PERFORMANCEboolfalseEnable performance tracing to Sentry with the specified sample rate.
GDS_SENTRY_SAMPLE_RATEfloat640.85The percentage of transactions to trace (0.0 to 1.0).
GDS_SENTRY_REPORT_ERRORSboolfalseIf true sends gRPC errors to Sentry as exceptions (useful for development or staging)
GDS_SENTRY_DEBUGboolfalseSet Sentry to debug mode for testing.

Sentry is considered enabled if a DSN is configured. Performance tracing is only enabled if Sentry is enabled and track performance is set to true. If Sentry is enabled, an environment is required, otherwise the configuration will be invalid.

Note that the sentry.Config object has a field Repanic that should not be set by the user. This field is used to manage panics in chained interceptors.