Automating transaction signing without compromising the private keys

So I’m putting together a plan as to how an NFT website that I would like to create would function. I’m stuck at point 5. It goes like this:

1 - Website listing all tokens. The user chooses the token

2 - The page says: Send ADA to this address, once done please submit the address that you sent the ADA from

3 - Page says request submitted. Once the transaction’s block has x confirmations, the token will be sent to your address

4 - Website backend, through API calls to the blockchain using (or cardano-db-sync), searches for the transaction to validate it.

5 - If it is validated, sign the transaction to send the token and submit it to the network.

The problem with point 5 is the moment I expose the private keys (which are absolutely necessary to make the transaction) to the internet (where the website is hosted), I’m exposing myself to hackers.

Is there a recommendation that you guys can give to better do this?

1 Like