Skip to content


A destination is a programmatically targetable URI for the secure submission of signed-and-encrypted messages.  Destinations are underpinned with their own unique digital certificate, which is used for the encryption of any messages targeting the destination.  This ensures that only the possessor of the destination's private key is able to decrypt the payload. This also allows the message recipient to verify the identity of the sender.

To create a destination:

  • Navigate to your environment with the deployed App to App Messaging service and select View Dashboard from the service dropdown.
  • Click the ADD DESTINATION button.

NOTE: The App to App Messaging service is reliant on the On-Chain Registry service. The certificate associated with each destination is stored in the On-Chain Registry membership profile. This makes it possible to query the destinations of all members in an environment while also providing access to all certificates in order to encrypt messages and verify signatures.

The console will guide you through the deployment of the On-Chain Registry Service and confirmation of an identity.  Note that the simplest approach is to allow Kaleido to register your org on chain with a self-signed identity certificate. This will allow all certificates and private key materials to be managed and secured within the Kaleido platform.  If you choose to upload an externally-signed identity certificate, you will be responsible for using the Kaleido SDK to upload the destination certificate (even if it is generated by Kaleido) in order to prove ownership of the On-Chain Registry x509 organizational cert.

Kaleido Managed Destinations

This is the easiest approach.  It uses a Kaleido-generated self-signed x509 certificates which are automatically stored in the On-Chain Registry. All messages can be encrypted, signed, decrypted and verified on the Kaleido backbone if you elect for this route.

If you don't have the On-Chain Registry deployed and/or don't have a confirmed identity, you will see a notification similar to the following:

Registry not deployed

  • Follow the link in the Kaleido console and allow Kaleido to register your membership in the On-Chain registry.  Clicking the link will deploy the On-Chain Registry Service (if not yet deployed) and generate a self-signed certificate for your membership.
  • Once the service is deployed and the identity proof is established you will see a notification similar to the following:

Fully Managed Destination

  • Click NEXT to finish setting up your destination.
  • Provide a name for the destination and click FINISH.  Under the covers this will generate you a destination certificate and upload it to the Profiles smart contract in the On-Chain Registry.  It will also redirect you to the App to App Messaging service dashboard.
  • The App to App Messaging service dashboard exposes your destination URI, its associated membership, its status and your destination's programmatically consumable API endpoint.  Apps only need to connect to the API endpoint.  The dashboard will also expose any other destinations within the environment, thereby serving as a convenient address book.

Destination list

  • The WebSocket API endpoint is used to establish a Socket IO connection from your apps for the subscription/consumption of messages from other destinations and for the publishing of messages to other destinations.  Every piece of information you need is exposed in this service dashboard.

To see programmatic examples of Socket IO connections for pub sub via the messaging service, refer to the samples article.

To see the approach(es) for self-managed cryptography, refer to the Self Managed Cryptography article.  Self-managed refers to any approach involving user generated/controlled key material.  If electing for this approach, the user is responsible for uploading an externally-generated destination certificate to the On-Chain Registry and handling signing, verifying and decryption on the client side.